a6dc6c9350b5c01ab00c4241cf233f9d69910f1c431fb25e1fda63e463c64642

Analysis

max time kernel
430s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-05-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mysetup.exe
Size

115.3MB
MD5

1c32da9a18b51af4ac59579322a8c5c7
SHA1

f09d16ee1822139e4bad3958bd46537c16552c30
SHA256

a6dc6c9350b5c01ab00c4241cf233f9d69910f1c431fb25e1fda63e463c64642
SHA512

62699c67e96808655cb3b20350e9b44fc8cb132c1153a3228a2a90c8be5dde445dc5113d7d765fda31e44c425d615b1622d497e1d54cb5890d7c402282081c57

Score

8^/10

bootkit discovery persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 30 IoCs

Processes:

mysetup.tmpFirefox.exeFirefox-cleaned.exeFirefox.exeFurryfox (3).exeFurryfox (3).exeFurryfox.exeFurryfox2.exeFurryfox3.exeFurryfox4.exeGenericSetup.exeinstaller.exeLime-Miner v1.0.exeLime Crypter v3.exeNYAN W0rm v0.3.8.exeok.exePublic.exePublic.exewinfirefox.exewinfirefoxvmp.exeWinlocker.exeWinlocker_protected.exeWinlocker_protected.vmp.execcsetup592.execcsetup591.exeFirefox.exeFirefox.exeFirefox.exeFirefox.exeFirefox.exe

pid	process
4428	mysetup.tmp
3736	Firefox.exe
2256	Firefox-cleaned.exe
4416	Firefox.exe
3548	Furryfox (3).exe
4764	Furryfox (3).exe
964	Furryfox.exe
4168	Furryfox2.exe
5116	Furryfox3.exe
1040	Furryfox4.exe
2196	GenericSetup.exe
4504	installer.exe
2116	Lime-Miner v1.0.exe
4500	Lime Crypter v3.exe
1164	NYAN W0rm v0.3.8.exe
3368	ok.exe
2124	Public.exe
4496	Public.exe
4644	winfirefox.exe
1728	winfirefoxvmp.exe
4612	Winlocker.exe
5104	Winlocker_protected.exe
2640	Winlocker_protected.vmp.exe
3956	ccsetup592.exe
4032	ccsetup591.exe
916	Firefox.exe
2828	Firefox.exe
4320	Firefox.exe
1216	Firefox.exe
4164	Firefox.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\My Program\Winlocker.exe	upx
C:\Program Files (x86)\My Program\winfirefox.exe	upx
C:\Program Files (x86)\My Program\winfirefox.exe	upx
C:\Program Files (x86)\My Program\Winlocker.exe	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe	vmprotect
C:\Program Files (x86)\My Program\winfirefoxvmp.exe	vmprotect
C:\Program Files (x86)\My Program\winfirefoxvmp.exe	vmprotect
behavioral3/memory/1728-210-0x0000000000400000-0x0000000000DF7000-memory.dmp	vmprotect
C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe	vmprotect
behavioral3/memory/2640-219-0x0000000000400000-0x000000000114A000-memory.dmp	vmprotect

Loads dropped DLL 16 IoCs

Processes:

ccsetup592.execcsetup591.exe

pid	process
3956	ccsetup592.exe
3956	ccsetup592.exe
4032	ccsetup591.exe
4032	ccsetup591.exe
4032	ccsetup591.exe
4032	ccsetup591.exe
4032	ccsetup591.exe
3956	ccsetup592.exe
3956	ccsetup592.exe
3956	ccsetup592.exe
4032	ccsetup591.exe
4032	ccsetup591.exe
3956	ccsetup592.exe
3956	ccsetup592.exe
4032	ccsetup591.exe
3956	ccsetup592.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

Furryfox2.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	Furryfox2.exe
File created	C:\Windows\assembly\Desktop.ini	Furryfox2.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

ccsetup591.execcsetup592.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ccsetup591.exe
File opened for modification \??\PhysicalDrive0 ccsetup592.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ccsetup591.exe
File opened for modification	\??\PhysicalDrive0	ccsetup592.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Program Files (x86)\My Program\SGN Miner Builder 1.06.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Furryfox (3).exeFurryfox (3).exeWinlocker_protected.exe

pid process

3548 Furryfox (3).exe
4764 Furryfox (3).exe
4764 Furryfox (3).exe
3548 Furryfox (3).exe
5104 Winlocker_protected.exe
5104 Winlocker_protected.exe

Drops file in Program Files directory 50 IoCs

Processes:

mysetup.tmpinstaller.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\My Program\seed.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-NJILJ.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-AKGOM.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-2O0SJ.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\2022.05.19_04.27.38.669397_installer_pid=4504.txt	installer.exe
File opened for modification	C:\Program Files (x86)\My Program\Furryfox (3).exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\zm__Slayed.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\unins000.dat	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-CSDGL.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-VDA92.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Lime-Miner v1.0.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\NYAN W0rm v0.3.8.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-89GJF.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-3T15U.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-94V9H.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox2.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Winlocker_protected.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-OR7KR.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-H998M.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-L94JT.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-9671I.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-0CD41.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-U153D.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\ok.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-OSC0S.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-GELTT.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-ASJL9.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-6V7QO.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\unins000.dat	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\installer.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\winfirefoxvmp.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-ONUE9.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Public.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\GenericSetup.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\SGN Miner Builder 1.06.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\zm_.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-R2A5E.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-98H3B.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-SUOTP.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox3.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Firefox-cleaned.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Winlocker.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Lime Crypter v3.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox4.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\winfirefox.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-CBQM9.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Firefox.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-HELGH.tmp	mysetup.tmp

Drops file in Windows directory 4 IoCs

Processes:

Furryfox2.exedw20.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	Furryfox2.exe
File created	C:\Windows\assembly\Desktop.ini	Furryfox2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Furryfox2.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2272	4612	WerFault.exe	Winlocker.exe
4580	5104	WerFault.exe	Winlocker_protected.exe
1284	2640	WerFault.exe	Winlocker_protected.vmp.exe

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exedw20.exedw20.execcsetup592.exedw20.exedw20.exedw20.execcsetup591.exedw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup592.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup592.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup591.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup591.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup591.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup592.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry class 16 IoCs

Processes:

mysetup.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Firefox.exe\SupportedTypes	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\ = "My Program File"	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\My Program\\Firefox.exe\" \"%1\""	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\SupportedTypes\.myp	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\MyProgramFile.myp	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\MyProgramFile.myp	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\MyProgramFile.myp\shell\open\command	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\MyProgramFile.myp\DefaultIcon	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\My Program\\Firefox.exe,0"	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell\open	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell\open\command	mysetup.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

GenericSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

mysetup.tmpwinfirefoxvmp.exeWinlocker_protected.vmp.execcsetup591.execcsetup592.exe

pid	process
4428	mysetup.tmp
4428	mysetup.tmp
1728	winfirefoxvmp.exe
1728	winfirefoxvmp.exe
1728	winfirefoxvmp.exe
1728	winfirefoxvmp.exe
2640	Winlocker_protected.vmp.exe
2640	Winlocker_protected.vmp.exe
2640	Winlocker_protected.vmp.exe
2640	Winlocker_protected.vmp.exe
4032	ccsetup591.exe
4032	ccsetup591.exe
3956	ccsetup592.exe
3956	ccsetup592.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Furryfox (3).exeFurryfox (3).exeFurryfox4.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.execcsetup591.exe

description	pid	process
Token: SeDebugPrivilege	3548	Furryfox (3).exe
Token: SeDebugPrivilege	4764	Furryfox (3).exe
Token: SeDebugPrivilege	1040	Furryfox4.exe
Token: SeRestorePrivilege	2336	dw20.exe
Token: SeBackupPrivilege	2336	dw20.exe
Token: SeRestorePrivilege	2532	dw20.exe
Token: SeBackupPrivilege	2532	dw20.exe
Token: SeBackupPrivilege	2336	dw20.exe
Token: SeBackupPrivilege	2532	dw20.exe
Token: SeBackupPrivilege	648	dw20.exe
Token: SeBackupPrivilege	3976	dw20.exe
Token: SeBackupPrivilege	4860	dw20.exe
Token: SeBackupPrivilege	2532	dw20.exe
Token: SeBackupPrivilege	648	dw20.exe
Token: SeBackupPrivilege	2532	dw20.exe
Token: SeBackupPrivilege	4860	dw20.exe
Token: SeBackupPrivilege	3976	dw20.exe
Token: SeBackupPrivilege	2336	dw20.exe
Token: SeBackupPrivilege	2336	dw20.exe
Token: SeBackupPrivilege	2064	dw20.exe
Token: SeBackupPrivilege	2064	dw20.exe
Token: SeBackupPrivilege	4592	dw20.exe
Token: SeBackupPrivilege	3476	dw20.exe
Token: SeBackupPrivilege	3476	dw20.exe
Token: SeBackupPrivilege	4592	dw20.exe
Token: SeShutdownPrivilege	4032	ccsetup591.exe
Token: SeCreatePagefilePrivilege	4032	ccsetup591.exe
Token: SeShutdownPrivilege	4032	ccsetup591.exe
Token: SeCreatePagefilePrivilege	4032	ccsetup591.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

mysetup.tmpFurryfox2.exeNYAN W0rm v0.3.8.exeLime-Miner v1.0.exe

pid	process
4428	mysetup.tmp
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
4168	Furryfox2.exe
1164	NYAN W0rm v0.3.8.exe
2116	Lime-Miner v1.0.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Furryfox (3).exeFurryfox (3).exedw20.exedw20.exedw20.exeWinlocker_protected.exeWinlocker_protected.vmp.execcsetup592.execcsetup591.exe

pid	process
3548	Furryfox (3).exe
4764	Furryfox (3).exe
4764	Furryfox (3).exe
3548	Furryfox (3).exe
3976	dw20.exe
2336	dw20.exe
648	dw20.exe
5104	Winlocker_protected.exe
2640	Winlocker_protected.vmp.exe
3956	ccsetup592.exe
4032	ccsetup591.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

mysetup.exemysetup.tmpFurryfox.exeFurryfox3.exeFurryfox (3).exeFurryfox4.exeFurryfox (3).exeGenericSetup.exePublic.exePublic.exe

description	pid	process	target process
PID 4760 wrote to memory of 4428	4760	mysetup.exe	mysetup.tmp
PID 4760 wrote to memory of 4428	4760	mysetup.exe	mysetup.tmp
PID 4760 wrote to memory of 4428	4760	mysetup.exe	mysetup.tmp
PID 4428 wrote to memory of 3736	4428	mysetup.tmp	Firefox.exe
PID 4428 wrote to memory of 3736	4428	mysetup.tmp	Firefox.exe
PID 4428 wrote to memory of 3736	4428	mysetup.tmp	Firefox.exe
PID 964 wrote to memory of 4860	964	Furryfox.exe	dw20.exe
PID 964 wrote to memory of 4860	964	Furryfox.exe	dw20.exe
PID 964 wrote to memory of 4860	964	Furryfox.exe	dw20.exe
PID 5116 wrote to memory of 2532	5116	Furryfox3.exe	dw20.exe
PID 5116 wrote to memory of 2532	5116	Furryfox3.exe	dw20.exe
PID 5116 wrote to memory of 2532	5116	Furryfox3.exe	dw20.exe
PID 4764 wrote to memory of 3976	4764	Furryfox (3).exe	dw20.exe
PID 4764 wrote to memory of 3976	4764	Furryfox (3).exe	dw20.exe
PID 4764 wrote to memory of 3976	4764	Furryfox (3).exe	dw20.exe
PID 1040 wrote to memory of 2336	1040	Furryfox4.exe	dw20.exe
PID 1040 wrote to memory of 2336	1040	Furryfox4.exe	dw20.exe
PID 1040 wrote to memory of 2336	1040	Furryfox4.exe	dw20.exe
PID 3548 wrote to memory of 648	3548	Furryfox (3).exe	dw20.exe
PID 3548 wrote to memory of 648	3548	Furryfox (3).exe	dw20.exe
PID 3548 wrote to memory of 648	3548	Furryfox (3).exe	dw20.exe
PID 2196 wrote to memory of 2064	2196	GenericSetup.exe	dw20.exe
PID 2196 wrote to memory of 2064	2196	GenericSetup.exe	dw20.exe
PID 2196 wrote to memory of 2064	2196	GenericSetup.exe	dw20.exe
PID 4496 wrote to memory of 4592	4496	Public.exe	dw20.exe
PID 4496 wrote to memory of 4592	4496	Public.exe	dw20.exe
PID 4496 wrote to memory of 4592	4496	Public.exe	dw20.exe
PID 2124 wrote to memory of 3476	2124	Public.exe	dw20.exe
PID 2124 wrote to memory of 3476	2124	Public.exe	dw20.exe
PID 2124 wrote to memory of 3476	2124	Public.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\mysetup.exe
"C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\is-RM0VE.tmp\mysetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RM0VE.tmp\mysetup.tmp" /SL5="$60062,120034821,831488,C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Program Files (x86)\My Program\Firefox.exe
    "C:\Program Files (x86)\My Program\Firefox.exe"
    3⤵
    - Executes dropped EXE
    PID:3736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2084

C:\Program Files (x86)\My Program\Firefox.exe
"C:\Program Files (x86)\My Program\Firefox.exe"
1⤵
- Executes dropped EXE
PID:4416

C:\Program Files (x86)\My Program\Firefox-cleaned.exe
"C:\Program Files (x86)\My Program\Firefox-cleaned.exe"
1⤵
- Executes dropped EXE
PID:2256

C:\Program Files (x86)\My Program\Furryfox (3).exe
"C:\Program Files (x86)\My Program\Furryfox (3).exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1028
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3976

C:\Program Files (x86)\My Program\Furryfox (3).exe
"C:\Program Files (x86)\My Program\Furryfox (3).exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1020
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:648

C:\Program Files (x86)\My Program\Furryfox2.exe
"C:\Program Files (x86)\My Program\Furryfox2.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:4168

C:\Program Files (x86)\My Program\Furryfox4.exe
"C:\Program Files (x86)\My Program\Furryfox4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 944
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2336

C:\Program Files (x86)\My Program\Furryfox3.exe
"C:\Program Files (x86)\My Program\Furryfox3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 844
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2532

C:\Program Files (x86)\My Program\Furryfox.exe
"C:\Program Files (x86)\My Program\Furryfox.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 848
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4860

C:\Program Files (x86)\My Program\GenericSetup.exe
"C:\Program Files (x86)\My Program\GenericSetup.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1440
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2064

C:\Program Files (x86)\My Program\installer.exe
"C:\Program Files (x86)\My Program\installer.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4504

C:\Program Files (x86)\My Program\Lime Crypter v3.exe
"C:\Program Files (x86)\My Program\Lime Crypter v3.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Program Files (x86)\My Program\Lime-Miner v1.0.exe
"C:\Program Files (x86)\My Program\Lime-Miner v1.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2116

C:\Program Files (x86)\My Program\NYAN W0rm v0.3.8.exe
"C:\Program Files (x86)\My Program\NYAN W0rm v0.3.8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1164

C:\Program Files (x86)\My Program\ok.exe
"C:\Program Files (x86)\My Program\ok.exe"
1⤵
- Executes dropped EXE
PID:3368

C:\Program Files (x86)\My Program\Public.exe
"C:\Program Files (x86)\My Program\Public.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 800
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3476

C:\Program Files (x86)\My Program\Public.exe
"C:\Program Files (x86)\My Program\Public.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 760
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4592

C:\Program Files (x86)\My Program\winfirefox.exe
"C:\Program Files (x86)\My Program\winfirefox.exe"
1⤵
- Executes dropped EXE
PID:4644

C:\Program Files (x86)\My Program\winfirefoxvmp.exe
"C:\Program Files (x86)\My Program\winfirefoxvmp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Program Files (x86)\My Program\Winlocker.exe
"C:\Program Files (x86)\My Program\Winlocker.exe"
1⤵
- Executes dropped EXE
PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 444
  2⤵
  - Program crash
  PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4612 -ip 4612
1⤵
PID:808

C:\Program Files (x86)\My Program\Winlocker_protected.exe
"C:\Program Files (x86)\My Program\Winlocker_protected.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 680
  2⤵
  - Program crash
  PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5104 -ip 5104
1⤵
PID:3716

C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe
"C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 620
  2⤵
  - Program crash
  PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2640 -ip 2640
1⤵
PID:1452

C:\Users\Admin\Desktop\ccsetup592.exe
"C:\Users\Admin\Desktop\ccsetup592.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Users\Admin\Desktop\ccsetup591.exe
"C:\Users\Admin\Desktop\ccsetup591.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Program Files (x86)\My Program\Firefox.exe
"C:\Program Files (x86)\My Program\Firefox.exe"
1⤵
- Executes dropped EXE
PID:916

C:\Program Files (x86)\My Program\Firefox.exe
"C:\Program Files (x86)\My Program\Firefox.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Program Files (x86)\My Program\Firefox.exe
"C:\Program Files (x86)\My Program\Firefox.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Program Files (x86)\My Program\Firefox.exe
"C:\Program Files (x86)\My Program\Firefox.exe"
1⤵
- Executes dropped EXE
PID:4320

C:\Program Files (x86)\My Program\Firefox.exe
"C:\Program Files (x86)\My Program\Firefox.exe"
1⤵
- Executes dropped EXE
PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My Program\Firefox-cleaned.exe

Filesize
738KB

MD5
52022371d76c92445515c83991887542

SHA1
e34fd42bdecefa0eae06e8717d891dac51b155bc

SHA256
bd74f052247e9b174bc35d6d03e1658e979e6c7d10da4a598a3083db86beba53

SHA512
0f06e570534a5b2dd5a8f93eb4815ed4426238d9989399896db94c775c80cff6a7c6d98d3821f981b1005ed9fd8713034bde656eef72264c1d8ca1807f2ba737

Download Submit
C:\Program Files (x86)\My Program\Firefox-cleaned.exe

Filesize
738KB

MD5
52022371d76c92445515c83991887542

SHA1
e34fd42bdecefa0eae06e8717d891dac51b155bc

SHA256
bd74f052247e9b174bc35d6d03e1658e979e6c7d10da4a598a3083db86beba53

SHA512
0f06e570534a5b2dd5a8f93eb4815ed4426238d9989399896db94c775c80cff6a7c6d98d3821f981b1005ed9fd8713034bde656eef72264c1d8ca1807f2ba737

Download Submit
C:\Program Files (x86)\My Program\Firefox.exe

Filesize
738KB

MD5
21950db214fe165cf82abaf660e26ea5

SHA1
1f753330518edea341e4c888444747c9b243930f

SHA256
66c9a8ab912581867515f14afc52fdd964cff273c850f3b0452852a511ea114b

SHA512
57ae0d579e8fc8155bb5759aa492645a102b2f12628669b78df2d9847e6236f85bfcb1cd80cbcf94420f68c7f53cbb3b0f9e1db36470e6cdb58ec04cb323b68d

Download Submit
C:\Program Files (x86)\My Program\Firefox.exe

Filesize
738KB

MD5
21950db214fe165cf82abaf660e26ea5

SHA1
1f753330518edea341e4c888444747c9b243930f

SHA256
66c9a8ab912581867515f14afc52fdd964cff273c850f3b0452852a511ea114b

SHA512
57ae0d579e8fc8155bb5759aa492645a102b2f12628669b78df2d9847e6236f85bfcb1cd80cbcf94420f68c7f53cbb3b0f9e1db36470e6cdb58ec04cb323b68d

Download Submit
C:\Program Files (x86)\My Program\Firefox.exe

Filesize
738KB

MD5
21950db214fe165cf82abaf660e26ea5

SHA1
1f753330518edea341e4c888444747c9b243930f

SHA256
66c9a8ab912581867515f14afc52fdd964cff273c850f3b0452852a511ea114b

SHA512
57ae0d579e8fc8155bb5759aa492645a102b2f12628669b78df2d9847e6236f85bfcb1cd80cbcf94420f68c7f53cbb3b0f9e1db36470e6cdb58ec04cb323b68d

Download Submit
C:\Program Files (x86)\My Program\Firefox.exe

Filesize
738KB

MD5
21950db214fe165cf82abaf660e26ea5

SHA1
1f753330518edea341e4c888444747c9b243930f

SHA256
66c9a8ab912581867515f14afc52fdd964cff273c850f3b0452852a511ea114b

SHA512
57ae0d579e8fc8155bb5759aa492645a102b2f12628669b78df2d9847e6236f85bfcb1cd80cbcf94420f68c7f53cbb3b0f9e1db36470e6cdb58ec04cb323b68d

Download Submit
C:\Program Files (x86)\My Program\Furryfox (3).exe

Filesize
2.5MB

MD5
3b756930d5b39b23764b37f502667130

SHA1
18791c89ff2e8fc41a9d014756ecdf3a67e4b495

SHA256
76892892094a82689c13907b1de8ce2fabc0184e9cc439d5eab7bee8bba25ff9

SHA512
f702ab6f426976769c8cf9a3cfe9a59274936db5ebf0621554bade7ed4de65d227ab01d4c88bd29a12e5cf9ab0df0aef096e1c533950fb7a79fbfa796a0ee1a9

Download Submit
C:\Program Files (x86)\My Program\Furryfox (3).exe

Filesize
2.5MB

MD5
3b756930d5b39b23764b37f502667130

SHA1
18791c89ff2e8fc41a9d014756ecdf3a67e4b495

SHA256
76892892094a82689c13907b1de8ce2fabc0184e9cc439d5eab7bee8bba25ff9

SHA512
f702ab6f426976769c8cf9a3cfe9a59274936db5ebf0621554bade7ed4de65d227ab01d4c88bd29a12e5cf9ab0df0aef096e1c533950fb7a79fbfa796a0ee1a9

Download Submit
C:\Program Files (x86)\My Program\Furryfox (3).exe

Filesize
2.5MB

MD5
3b756930d5b39b23764b37f502667130

SHA1
18791c89ff2e8fc41a9d014756ecdf3a67e4b495

SHA256
76892892094a82689c13907b1de8ce2fabc0184e9cc439d5eab7bee8bba25ff9

SHA512
f702ab6f426976769c8cf9a3cfe9a59274936db5ebf0621554bade7ed4de65d227ab01d4c88bd29a12e5cf9ab0df0aef096e1c533950fb7a79fbfa796a0ee1a9

Download Submit
C:\Program Files (x86)\My Program\Furryfox.exe

Filesize
1.2MB

MD5
a35c1e2201d63b0f3d1051ac3ef7f66d

SHA1
cf5f77b12d0fc851128b1db918f51512007d9b67

SHA256
d8b7c095bfd4b8ea3d1f2e1a3cfc70499323226ce1b43c830d5e8d8100399bc5

SHA512
3d2a42e27435c3580b6d69ea8516a4cbc907f39a336ea2d7a49239a84273870ca474b31b92d863d95898c8198e5407f5240e266651ca4f95f67c79d99d9280c3

Download Submit
C:\Program Files (x86)\My Program\Furryfox.exe

Filesize
1.2MB

MD5
a35c1e2201d63b0f3d1051ac3ef7f66d

SHA1
cf5f77b12d0fc851128b1db918f51512007d9b67

SHA256
d8b7c095bfd4b8ea3d1f2e1a3cfc70499323226ce1b43c830d5e8d8100399bc5

SHA512
3d2a42e27435c3580b6d69ea8516a4cbc907f39a336ea2d7a49239a84273870ca474b31b92d863d95898c8198e5407f5240e266651ca4f95f67c79d99d9280c3

Download Submit
C:\Program Files (x86)\My Program\Furryfox2.exe

Filesize
1.3MB

MD5
002e76b8ae88ec3f53205592d027642c

SHA1
d31a0e2dca9751e13145f3a3f488ff7bca6420d8

SHA256
4b6782d75c3736c7922b9083d7321ecbce65698ca599271d929ab1116daf5acb

SHA512
9de538d6b44fed8d571ba78c60d9f3b273a1a34658baf8a19ce5598969918a53bb27b6ec1de0ed2a74a29642dece547c8bcec427fbd78f412d3041d57a5bce6f

Download Submit
C:\Program Files (x86)\My Program\Furryfox2.exe

Filesize
1.3MB

MD5
002e76b8ae88ec3f53205592d027642c

SHA1
d31a0e2dca9751e13145f3a3f488ff7bca6420d8

SHA256
4b6782d75c3736c7922b9083d7321ecbce65698ca599271d929ab1116daf5acb

SHA512
9de538d6b44fed8d571ba78c60d9f3b273a1a34658baf8a19ce5598969918a53bb27b6ec1de0ed2a74a29642dece547c8bcec427fbd78f412d3041d57a5bce6f

Download Submit
C:\Program Files (x86)\My Program\Furryfox3.exe

Filesize
1.2MB

MD5
20c006abf2e9107a6c118d3b37f66cb1

SHA1
b8042b4fd763e6e4bffbdc502f9de53479a478a6

SHA256
37d249984928935104d547af9253158738ccce54f447cb121ec129d41bc97270

SHA512
747a13153f03b9c36bbcb7442f07cd54ffb53abfa4b04b4499c84f1aa1f390a81d198e2a9a1e47e3a937b9a007b8b846188ba1e2c8d0cf9f374c6abef6a84a4d

Download Submit
C:\Program Files (x86)\My Program\Furryfox3.exe

Filesize
1.2MB

MD5
20c006abf2e9107a6c118d3b37f66cb1

SHA1
b8042b4fd763e6e4bffbdc502f9de53479a478a6

SHA256
37d249984928935104d547af9253158738ccce54f447cb121ec129d41bc97270

SHA512
747a13153f03b9c36bbcb7442f07cd54ffb53abfa4b04b4499c84f1aa1f390a81d198e2a9a1e47e3a937b9a007b8b846188ba1e2c8d0cf9f374c6abef6a84a4d

Download Submit
C:\Program Files (x86)\My Program\Furryfox4.exe

Filesize
1.4MB

MD5
5b0987aeb0fc04d0b8923a689d0a04a5

SHA1
a2326c9623ae5818e3775512dc321a5f9f8dac28

SHA256
246e0b8fcfb08951ef9da18cbcb270c79090410fdab7ed4826c34ac52d7db495

SHA512
5838a082a40e95e87e9539a0cf120c98e15ce2c0d041a5b5001dbe919f1f06d34a27b30bbd3a8f098670837b3ce39641138bd10f846c513058fc19e65a5da258

Download Submit
C:\Program Files (x86)\My Program\Furryfox4.exe

Filesize
1.4MB

MD5
5b0987aeb0fc04d0b8923a689d0a04a5

SHA1
a2326c9623ae5818e3775512dc321a5f9f8dac28

SHA256
246e0b8fcfb08951ef9da18cbcb270c79090410fdab7ed4826c34ac52d7db495

SHA512
5838a082a40e95e87e9539a0cf120c98e15ce2c0d041a5b5001dbe919f1f06d34a27b30bbd3a8f098670837b3ce39641138bd10f846c513058fc19e65a5da258

Download Submit
C:\Program Files (x86)\My Program\GenericSetup.exe

Filesize
26KB

MD5
e8e42c3cdf76d03e068b4d1ecf6bb317

SHA1
3df2b679b90cad81e73b10ad7e4d074da4a415da

SHA256
fa22ac38e305fa6031ad5b7f95970190f5ba4ba9e1ec385e192323c9daa46d6a

SHA512
bdbd16a8950914e7339ff608b3ba7e5cecb2b01296042b28c8240650bc08b820494280be0e3de839a65b2429ba4e17e041e6194183d19306ba90a7c3cc6c959a

Download Submit
C:\Program Files (x86)\My Program\GenericSetup.exe

Filesize
26KB

MD5
e8e42c3cdf76d03e068b4d1ecf6bb317

SHA1
3df2b679b90cad81e73b10ad7e4d074da4a415da

SHA256
fa22ac38e305fa6031ad5b7f95970190f5ba4ba9e1ec385e192323c9daa46d6a

SHA512
bdbd16a8950914e7339ff608b3ba7e5cecb2b01296042b28c8240650bc08b820494280be0e3de839a65b2429ba4e17e041e6194183d19306ba90a7c3cc6c959a

Download Submit
C:\Program Files (x86)\My Program\Lime Crypter v3.exe

Filesize
377KB

MD5
ced45f6998154c48d72f053029ecbfc7

SHA1
8f98b757653674f7744484bb6c36604214b6a04a

SHA256
a7496cca2e47de0672548076a7e892844b50cf72b8f624eba4f0b3ddbf53ca21

SHA512
839119702307d9f3852a1af85b2574391673e8cbb380b054f1f6fa8e75ab4e4f1dc9ff5d32440ef25721cd17a7af5c37e1c94ea683d49564e3845fde494b2f25

Download Submit
C:\Program Files (x86)\My Program\Lime Crypter v3.exe

Filesize
377KB

MD5
ced45f6998154c48d72f053029ecbfc7

SHA1
8f98b757653674f7744484bb6c36604214b6a04a

SHA256
a7496cca2e47de0672548076a7e892844b50cf72b8f624eba4f0b3ddbf53ca21

SHA512
839119702307d9f3852a1af85b2574391673e8cbb380b054f1f6fa8e75ab4e4f1dc9ff5d32440ef25721cd17a7af5c37e1c94ea683d49564e3845fde494b2f25

Download Submit
C:\Program Files (x86)\My Program\Lime-Miner v1.0.exe

Filesize
1.1MB

MD5
695ef3e346df92ecc7390d78fecf7800

SHA1
cfd8522f9d29a7130f6482e1cc802af313d3f4bc

SHA256
f1ff99e447b9de819775d95e7d454e15f171c2c69d6f6584b6e78612911e402c

SHA512
c2bbdb4cd2fff60f4fcfda3b129802d30c630476cb456b7b5361459cb5bf66ae68f5fb3d639b8f1fa4ec8945e9dda7c9dd84d532e1f4491243b8459bab3d0317

Download Submit
C:\Program Files (x86)\My Program\Lime-Miner v1.0.exe

Filesize
1.1MB

MD5
695ef3e346df92ecc7390d78fecf7800

SHA1
cfd8522f9d29a7130f6482e1cc802af313d3f4bc

SHA256
f1ff99e447b9de819775d95e7d454e15f171c2c69d6f6584b6e78612911e402c

SHA512
c2bbdb4cd2fff60f4fcfda3b129802d30c630476cb456b7b5361459cb5bf66ae68f5fb3d639b8f1fa4ec8945e9dda7c9dd84d532e1f4491243b8459bab3d0317

Download Submit
C:\Program Files (x86)\My Program\NYAN W0rm v0.3.8.exe

Filesize
2.3MB

MD5
31e57be84107bc0024147d0277973341

SHA1
7e4db48111b10884f3679788fbbae0639fa85904

SHA256
da6a731cb158ddf7e20f96a87e68624a34ffaa4b85d987fed68dd8beabd83e83

SHA512
15d0dfb9ef1b9494b952d92819db7f447763c6ec74f4f6f4154d21baa5b44ca82e3efb566ecd8ecef25cf84216f6623687e2c8ac38314ae9af3038abbb490274

Download Submit
C:\Program Files (x86)\My Program\NYAN W0rm v0.3.8.exe

Filesize
2.3MB

MD5
31e57be84107bc0024147d0277973341

SHA1
7e4db48111b10884f3679788fbbae0639fa85904

SHA256
da6a731cb158ddf7e20f96a87e68624a34ffaa4b85d987fed68dd8beabd83e83

SHA512
15d0dfb9ef1b9494b952d92819db7f447763c6ec74f4f6f4154d21baa5b44ca82e3efb566ecd8ecef25cf84216f6623687e2c8ac38314ae9af3038abbb490274

Download Submit
C:\Program Files (x86)\My Program\Public.exe

Filesize
889KB

MD5
c65a1d390521997619951edaa95202ae

SHA1
97e70ae6b763813e4379f324f89a25b3f46ca259

SHA256
dbd31f073dbd669aacb03f7d9f92045f8238ac95625dd97ed280e40b6d684251

SHA512
da9b4df3ff9c0a7fd8621a1bbaeba33c9b71b62c81d0de1a34b625aafc7aa4eb1d33b5cff032a1f51e1c206cdd9643c2d71c8988b17aa47079c37278115429bd

Download Submit
C:\Program Files (x86)\My Program\Public.exe

Filesize
889KB

MD5
c65a1d390521997619951edaa95202ae

SHA1
97e70ae6b763813e4379f324f89a25b3f46ca259

SHA256
dbd31f073dbd669aacb03f7d9f92045f8238ac95625dd97ed280e40b6d684251

SHA512
da9b4df3ff9c0a7fd8621a1bbaeba33c9b71b62c81d0de1a34b625aafc7aa4eb1d33b5cff032a1f51e1c206cdd9643c2d71c8988b17aa47079c37278115429bd

Download Submit
C:\Program Files (x86)\My Program\Public.exe

Filesize
889KB

MD5
c65a1d390521997619951edaa95202ae

SHA1
97e70ae6b763813e4379f324f89a25b3f46ca259

SHA256
dbd31f073dbd669aacb03f7d9f92045f8238ac95625dd97ed280e40b6d684251

SHA512
da9b4df3ff9c0a7fd8621a1bbaeba33c9b71b62c81d0de1a34b625aafc7aa4eb1d33b5cff032a1f51e1c206cdd9643c2d71c8988b17aa47079c37278115429bd

Download Submit
C:\Program Files (x86)\My Program\SGN Miner Builder 1.06.exe

Filesize
8.0MB

MD5
73320bf0560cfc66774e9942be2a81a4

SHA1
ffa07e7084b235721151fa6408429025506fdb3d

SHA256
259047329383a7d72c83171d8b179082be8f4c8f878b25eec8e910632f0249a4

SHA512
cd37ac57afb942cbd76ef48dce7b936e745cf2917f3b7d254b17f0d2c45b53b0aaa4bad7522d4d10ffcbff1132923ec4e0c164edb8f3bf0c6d47b983f9da575b

Download Submit
C:\Program Files (x86)\My Program\Winlocker.exe

Filesize
192KB

MD5
200359966b995d0b2e449dab1c82c5f7

SHA1
6247e1ebaf105b50796078ec27623e21c93d0e02

SHA256
62375022bc3f1416f0b84dc1ace17ad9dfc16c260aa073c4b0e9bb8a9de0af28

SHA512
e03ece30cf5ddbeb39e007fc67cef4b183a48295967c2bea3ab9e0a12b4f27b2dbc47ec01e3c182209f7ded790d232066b680f36d3254dffd3c995fab6d022a4

Download Submit
C:\Program Files (x86)\My Program\Winlocker.exe

Filesize
192KB

MD5
200359966b995d0b2e449dab1c82c5f7

SHA1
6247e1ebaf105b50796078ec27623e21c93d0e02

SHA256
62375022bc3f1416f0b84dc1ace17ad9dfc16c260aa073c4b0e9bb8a9de0af28

SHA512
e03ece30cf5ddbeb39e007fc67cef4b183a48295967c2bea3ab9e0a12b4f27b2dbc47ec01e3c182209f7ded790d232066b680f36d3254dffd3c995fab6d022a4

Download Submit
C:\Program Files (x86)\My Program\Winlocker_protected.exe

Filesize
1.3MB

MD5
1937d3b787291a073e1a751cedff062f

SHA1
703656e086a090ab5d3e58be8887d6da5cb1923e

SHA256
5591256bba2e4afe923ac77bcf993e7c3c8b99ec2bf378fce705a667a1a6134e

SHA512
b600dc18ecf7e5dd3626f545022291cece6262d59ff6d92106c6e749fb75256a9220f3373d06bc5de8f4507b3adb7a0707f0d30c5b6b833b7ba55bf19bf41fc8

Download Submit
C:\Program Files (x86)\My Program\Winlocker_protected.exe

Filesize
1.3MB

MD5
1937d3b787291a073e1a751cedff062f

SHA1
703656e086a090ab5d3e58be8887d6da5cb1923e

SHA256
5591256bba2e4afe923ac77bcf993e7c3c8b99ec2bf378fce705a667a1a6134e

SHA512
b600dc18ecf7e5dd3626f545022291cece6262d59ff6d92106c6e749fb75256a9220f3373d06bc5de8f4507b3adb7a0707f0d30c5b6b833b7ba55bf19bf41fc8

Download Submit
C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe

Filesize
6.3MB

MD5
19404909d93979ecbc4395dd22b15098

SHA1
c557e8e91c420a9981b2d46585621589bded33d2

SHA256
c4131a9180bab1915765e0fdc7d65e46cba6e9474fea0e3286290e76603646a4

SHA512
43657b49e82251fa7c851d1046dd64404c30ab2fd23bed79617b8085a67a18bb9758091f9b5f57ebed76c28c1c34907422baef0ab301967d77618d44836c4369

Download Submit
C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe

Filesize
6.3MB

MD5
19404909d93979ecbc4395dd22b15098

SHA1
c557e8e91c420a9981b2d46585621589bded33d2

SHA256
c4131a9180bab1915765e0fdc7d65e46cba6e9474fea0e3286290e76603646a4

SHA512
43657b49e82251fa7c851d1046dd64404c30ab2fd23bed79617b8085a67a18bb9758091f9b5f57ebed76c28c1c34907422baef0ab301967d77618d44836c4369

Download Submit
C:\Program Files (x86)\My Program\installer.exe

Filesize
1.6MB

MD5
60071cb7b99510995ded0e47f8cca187

SHA1
e8934517f63c911045df6c4cffee7c08b6023a71

SHA256
2dab64718b242e1f818d52cf2f3363908a73774822d4ee004301fd746ca5e9df

SHA512
daa4b5dba88fc4a9df39921bbff4f97074c3414f2807371421d4c9a9944a7d79c28b452c42bd1c138fb13be14987099f1a3218ac2b230c99be24f4525ca9f668

Download Submit
C:\Program Files (x86)\My Program\installer.exe

Filesize
1.6MB

MD5
60071cb7b99510995ded0e47f8cca187

SHA1
e8934517f63c911045df6c4cffee7c08b6023a71

SHA256
2dab64718b242e1f818d52cf2f3363908a73774822d4ee004301fd746ca5e9df

SHA512
daa4b5dba88fc4a9df39921bbff4f97074c3414f2807371421d4c9a9944a7d79c28b452c42bd1c138fb13be14987099f1a3218ac2b230c99be24f4525ca9f668

Download Submit
C:\Program Files (x86)\My Program\ok.exe

Filesize
82.8MB

MD5
b867a1db94d0c503f2dfd6894d0161ea

SHA1
942f0ab8a35969ad5d730c7d12c8cb61cf0b86f4

SHA256
7dd60d767642b792a8f93b26af0ccc17337cb6f70eab7fcca860c817a609c652

SHA512
c8fe26d2e88687c7a580252a7ce3a54a8b42dcd68cb6c5e90bd528cc645768db70cfe2f0e159232d47dd05d6cfa65518166d2bbe11b7eec6faafe9331b5e955c

Download Submit
C:\Program Files (x86)\My Program\ok.exe

Filesize
82.8MB

MD5
b867a1db94d0c503f2dfd6894d0161ea

SHA1
942f0ab8a35969ad5d730c7d12c8cb61cf0b86f4

SHA256
7dd60d767642b792a8f93b26af0ccc17337cb6f70eab7fcca860c817a609c652

SHA512
c8fe26d2e88687c7a580252a7ce3a54a8b42dcd68cb6c5e90bd528cc645768db70cfe2f0e159232d47dd05d6cfa65518166d2bbe11b7eec6faafe9331b5e955c

Download Submit
C:\Program Files (x86)\My Program\seed.exe

Filesize
1.9MB

MD5
9462fc0f63c2f95bc2e6796189ef18b5

SHA1
6bb4282414f3fddef31debe396a5264371ab1e3d

SHA256
80063f3e9fee6ced4f159714bd00ba61d757fd185621d82330bed16d4c2eb495

SHA512
c0b542784f681aec31899235e425c482b43da038f1ca847b428e34a4677f1da30c773f43183c3d287f64bb7271fffcea873ca03136de77f54c1bf614cccec297

Download Submit
C:\Program Files (x86)\My Program\unins000.dat

Filesize
5KB

MD5
75b7bc9e2f75fe6f25c4756e5240c10c

SHA1
3c9daf2e957430a5c4191f5710fd58983cc72717

SHA256
c34ce96ec6ed7d287cc05184bc00cc328cf25666d104ca72ad0b46825f03ca2e

SHA512
b30ebbccc222b4389cd83ce7bd94a4e91858d9f4f18ef68e1b96f0006719520fec66bb9fc51068bd4682c30bb6e4b19f7cbce310b27d3ee39355e23296735698

Download Submit
C:\Program Files (x86)\My Program\unins000.exe

Filesize
3.1MB

MD5
6fc2b1fa03ffd953c8506da78b72de0a

SHA1
747da5df8496f4b69e7f88d691e7892f8ec1b4cb

SHA256
9462e9d5a59830d0d17a102154a3f854b69309cfb657e78b555124ff3cc544d6

SHA512
66b785eb82c6c834d3e6fd0b2d94961f2a25b097b640b7f7dc1845931865a649704b3b9cda43bc12a2cb1ed2c31ccff61d4581e8393fa47b0c70f3aa6f21683c

Download Submit
C:\Program Files (x86)\My Program\winfirefox.exe

Filesize
485KB

MD5
7d7a120e76029cb9e2b7555983bf567e

SHA1
dda4e7408cfc79d798540a8434811ed6b6f3fff2

SHA256
74a746bdb78b6ce10db26e331d5b40295cf4a59518fc752828ea54e606cb5c2c

SHA512
6dde1410c9859662f18592bedabd7f6fe2124234635d60b6d0c6466f9ac235981823187bcda72db114814ff5a09434d5ad790bf4d3014134d3b52734d9444209

Download Submit
C:\Program Files (x86)\My Program\winfirefox.exe

Filesize
485KB

MD5
7d7a120e76029cb9e2b7555983bf567e

SHA1
dda4e7408cfc79d798540a8434811ed6b6f3fff2

SHA256
74a746bdb78b6ce10db26e331d5b40295cf4a59518fc752828ea54e606cb5c2c

SHA512
6dde1410c9859662f18592bedabd7f6fe2124234635d60b6d0c6466f9ac235981823187bcda72db114814ff5a09434d5ad790bf4d3014134d3b52734d9444209

Download Submit
C:\Program Files (x86)\My Program\winfirefoxvmp.exe

Filesize
6.1MB

MD5
2069b674d08f35c112d67172d64aa289

SHA1
31ed2b0c7a7b994c2650b27754733898081c1458

SHA256
863bba97df380b8ab61ee30c3c0315b57026b187b2a2bcd2f3739c5b142e6e2a

SHA512
7bf35c009fa9bd2f70fa138524620064fae3c26ad21bda74bcef14e62db46f72b4d880adb6a1c7e7ea8751714a4dc0b8903ed354d24f5aa2b33ceb669155d585

Download Submit
C:\Program Files (x86)\My Program\winfirefoxvmp.exe

Filesize
6.1MB

MD5
2069b674d08f35c112d67172d64aa289

SHA1
31ed2b0c7a7b994c2650b27754733898081c1458

SHA256
863bba97df380b8ab61ee30c3c0315b57026b187b2a2bcd2f3739c5b142e6e2a

SHA512
7bf35c009fa9bd2f70fa138524620064fae3c26ad21bda74bcef14e62db46f72b4d880adb6a1c7e7ea8751714a4dc0b8903ed354d24f5aa2b33ceb669155d585

Download Submit
C:\Program Files (x86)\My Program\zm_.exe

Filesize
917KB

MD5
b587205bfbe19372d72e90d77e27dbac

SHA1
96eb4e47df3ad0df7d0be7fad3bd2fa880703983

SHA256
3afc9cecbe6b3fbeb4ffefebf3bd1ae455342f7867962e3c24413ec0055c0673

SHA512
975ff722e1f4aec52fd9b2ef3f0434c7eef6c7150c1a5ff6f68789888dcc420b58d5cf74ae5c400dc5ffd326370ee61956bb4ababbabeebdff82a7995643edac

Download Submit
C:\Program Files (x86)\My Program\zm__Slayed.exe

Filesize
904KB

MD5
f612846f6805097ee44ada63660e899e

SHA1
19689443e7e8f640d6dfb144a0bcf3b0f2f177af

SHA256
8ad01d5d37dead0fd2f9a2a728d2d705f8593988c7baa24e9263db671da50d01

SHA512
55466cda550608075c3f4a0dcd962f8500aa502cb3a37aefa2296fcec09ea42e75b889661fb09bdddbb56e1d8b0482a655405ced56f8f174121e2f86ceb22928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Firefox.exe.log

Filesize
499B

MD5
7b240e88f7a3e95208c1805c0a9e257b

SHA1
023f770e696b5f4eaab952714c8d2e450fe09c08

SHA256
fd2bfcd7590671d4718f75c879e96fa83e3028092d7a7a14b405a197f8c5f688

SHA512
33d67df23232674bb47f832a092420ec226e391b712d924b476a585577461573332d8678208277bc52a5ee088d2385f613958b8d2f10c976f7dd16473e4ae03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RM0VE.tmp\mysetup.tmp

Filesize
3.0MB

MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RM0VE.tmp\mysetup.tmp

Filesize
3.0MB

MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1997.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1997.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1997.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1997.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1997.tmp\p\pfBL.dll

Filesize
3.5MB

MD5
3b09b6e92e96a709713c432b8ff5500e

SHA1
68e1fde0702966cd14e8ab270d17c21a3ece5fbc

SHA256
4c5df798f61ef0fdf745ae5c03281c18c0a0b472b31a1598785d22d67c13b54a

SHA512
29f5f30ce2741e2b99fdd9307301f98d00a316744f74cec9ab0f17ead22a49129af7de0cd16f83acdac3c96e64b3c4646a9d36a6f09ea83343c0a55566f0d22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxE8B.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxE8B.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxE8B.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxE8B.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\Desktop\ccsetup591.exe

Filesize
36.1MB

MD5
6b8efd59fd306eb35d5bfc962400dd10

SHA1
a7706c0e83dbbefbe29b7513d85ff1a4282a3118

SHA256
dcce30f16aa8ff42ba7d38925f5953f891395958416625f15554fe8ba5adc597

SHA512
0e525149dc818b372837ae59aef9496b83b39651febd47b6c620a0f63957a98367416505028856d06a1712043b40fcb5c606acaecee0da411677d5b63a799be5

Download Submit
C:\Users\Admin\Desktop\ccsetup591.exe

Filesize
36.1MB

MD5
6b8efd59fd306eb35d5bfc962400dd10

SHA1
a7706c0e83dbbefbe29b7513d85ff1a4282a3118

SHA256
dcce30f16aa8ff42ba7d38925f5953f891395958416625f15554fe8ba5adc597

SHA512
0e525149dc818b372837ae59aef9496b83b39651febd47b6c620a0f63957a98367416505028856d06a1712043b40fcb5c606acaecee0da411677d5b63a799be5

Download Submit
C:\Users\Admin\Desktop\ccsetup592.exe

Filesize
46.5MB

MD5
7f235471b975f3e4e5f58ee0a9cfa3f1

SHA1
8d82ef38f57be1d91fafe1767be535ab40b3d6a4

SHA256
b4e3273ed12ea0552f56e0899f3b06fc823b758e9dd409619bcf8788ee514798

SHA512
3d57fde50dfc219e7cb07186010cdfa691ae89e42cce4a4cdb91c571277141c6edb4a76bccc5939b1ce39dcb2d7751c2b7e352ef6adff0c4c79a6aa184c94952

Download Submit
C:\Users\Admin\Desktop\ccsetup592.exe

Filesize
46.5MB

MD5
7f235471b975f3e4e5f58ee0a9cfa3f1

SHA1
8d82ef38f57be1d91fafe1767be535ab40b3d6a4

SHA256
b4e3273ed12ea0552f56e0899f3b06fc823b758e9dd409619bcf8788ee514798

SHA512
3d57fde50dfc219e7cb07186010cdfa691ae89e42cce4a4cdb91c571277141c6edb4a76bccc5939b1ce39dcb2d7751c2b7e352ef6adff0c4c79a6aa184c94952

Download Submit
memory/648-165-0x0000000000000000-mapping.dmp

Download
memory/916-231-0x0000000073ED0000-0x0000000074481000-memory.dmp

Filesize
5.7MB

Download
memory/964-157-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/1040-167-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/1164-200-0x0000000000270000-0x00000000004C0000-memory.dmp

Filesize
2.3MB

Download
memory/1164-201-0x00007FF9694D0000-0x00007FF969F91000-memory.dmp

Filesize
10.8MB

Download
memory/1216-239-0x0000000073260000-0x0000000073811000-memory.dmp

Filesize
5.7MB

Download
memory/1728-210-0x0000000000400000-0x0000000000DF7000-memory.dmp

Filesize
10.0MB

Download
memory/2064-192-0x0000000000000000-mapping.dmp

Download
memory/2116-203-0x00000000009D0000-0x0000000000AE6000-memory.dmp

Filesize
1.1MB

Download
memory/2116-205-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/2116-206-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/2124-198-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/2196-170-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/2256-147-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/2336-162-0x0000000000000000-mapping.dmp

Download
memory/2532-159-0x0000000000000000-mapping.dmp

Download
memory/2640-219-0x0000000000400000-0x000000000114A000-memory.dmp

Filesize
13.3MB

Download
memory/2828-237-0x0000000073390000-0x0000000073941000-memory.dmp

Filesize
5.7MB

Download
memory/3476-197-0x0000000000000000-mapping.dmp

Download
memory/3548-163-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3736-136-0x0000000000000000-mapping.dmp

Download
memory/3736-139-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/3976-161-0x0000000000000000-mapping.dmp

Download
memory/4164-240-0x0000000073260000-0x0000000073811000-memory.dmp

Filesize
5.7MB

Download
memory/4168-160-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4320-238-0x0000000073260000-0x0000000073811000-memory.dmp

Filesize
5.7MB

Download
memory/4416-148-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4428-132-0x0000000000000000-mapping.dmp

Download
memory/4496-199-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4500-204-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/4500-202-0x00000000003A0000-0x0000000000404000-memory.dmp

Filesize
400KB

Download
memory/4500-221-0x0000000004F60000-0x0000000004FB6000-memory.dmp

Filesize
344KB

Download
memory/4500-217-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/4592-196-0x0000000000000000-mapping.dmp

Download
memory/4760-130-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4760-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4764-164-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4860-158-0x0000000000000000-mapping.dmp

Download
memory/5104-215-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/5104-214-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/5116-166-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download