ffdroider | 12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301

Analysis

max time kernel
153s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-06-2022 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe
Size

7.3MB
MD5

7e417916a06b96412460637eccb50d2e
SHA1

7b42594fc7ee768ae54cb422d9d0dc8f04d51655
SHA256

12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301
SHA512

ae66649e3c2084086c2587710e607715a37fc6f1eef08734b80a57671438464191e7338a90b6dfb9efbd5d14175161847db22384b7b5fe7a729bee30d7605301

Score

10^/10

ffdroider socelars aspackv2 evasion spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 5 IoCs

resource	yara_rule
behavioral2/memory/2844-154-0x0000000000A00000-0x0000000000E9A000-memory.dmp	family_ffdroider
behavioral2/memory/2844-161-0x0000000000A00000-0x0000000000E9A000-memory.dmp	family_ffdroider
behavioral2/memory/2844-152-0x0000000000A00000-0x0000000000E9A000-memory.dmp	family_ffdroider
behavioral2/memory/2844-149-0x0000000000A00000-0x0000000000E9A000-memory.dmp	family_ffdroider
behavioral2/memory/2844-354-0x0000000000A00000-0x0000000000E9A000-memory.dmp	family_ffdroider

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1904	rundll32.exe	21

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023166-146.dat	family_socelars
behavioral2/files/0x0006000000023166-147.dat	family_socelars

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2676-206-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/2676-206-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023165-143.dat	aspack_v212_v242
behavioral2/files/0x0006000000023165-144.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

pid	Process
3116	myfile.exe
2080	orignal.exe
3172	rtst1073.exe
2844	luc.exe
4780	tvstream10.exe
3960	yangwang.exe
4068	setup.exe
4876	SharkSoftSetup928578.exe
4820	anytime1.exe
4788	yangwang.exe
5044	anytime2.exe
3544	sihclient.exe
5008	anytime3.exe
4844	anytime4.exe
2676	11111.exe
2084	hadilog.exe
3408	setup.exe
852	setup.tmp
2680	LzmwAqmV.exe
1592	LzmwAqmV.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023167-193.dat	upx
behavioral2/memory/2676-206-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/files/0x0006000000023167-192.dat	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	myfile.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	yangwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	anytime2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	anytime1.exe

Loads dropped DLL 3 IoCs

pid	Process
3544	sihclient.exe
852	setup.tmp
4688	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	luc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2868	2084	WerFault.exe	82
1360	5008	WerFault.exe
4732	4844	WerFault.exe
744	4688	WerFault.exe
4776	2080	WerFault.exe	109
3924	3116	WerFault.exe	77

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1752	schtasks.exe
4248	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5036	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2676	11111.exe
2676	11111.exe
2676	11111.exe
2676	11111.exe
1920	conhost.exe
4444	conhost.exe
4216	powershell.exe
4216	powershell.exe
3656	powershell.exe
3656	powershell.exe
4216	powershell.exe
3656	powershell.exe
2236	powershell.exe
2352	powershell.exe
2236	powershell.exe
2352	powershell.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	myfile.exe
Token: SeDebugPrivilege	2080	orignal.exe
Token: SeCreateTokenPrivilege	4780	tvstream10.exe
Token: SeAssignPrimaryTokenPrivilege	4780	tvstream10.exe
Token: SeLockMemoryPrivilege	4780	tvstream10.exe
Token: SeIncreaseQuotaPrivilege	4780	tvstream10.exe
Token: SeMachineAccountPrivilege	4780	tvstream10.exe
Token: SeTcbPrivilege	4780	tvstream10.exe
Token: SeSecurityPrivilege	4780	tvstream10.exe
Token: SeTakeOwnershipPrivilege	4780	tvstream10.exe
Token: SeLoadDriverPrivilege	4780	tvstream10.exe
Token: SeSystemProfilePrivilege	4780	tvstream10.exe
Token: SeSystemtimePrivilege	4780	tvstream10.exe
Token: SeProfSingleProcessPrivilege	4780	tvstream10.exe
Token: SeIncBasePriorityPrivilege	4780	tvstream10.exe
Token: SeCreatePagefilePrivilege	4780	tvstream10.exe
Token: SeCreatePermanentPrivilege	4780	tvstream10.exe
Token: SeBackupPrivilege	4780	tvstream10.exe
Token: SeRestorePrivilege	4780	tvstream10.exe
Token: SeShutdownPrivilege	4780	tvstream10.exe
Token: SeDebugPrivilege	4780	tvstream10.exe
Token: SeAuditPrivilege	4780	tvstream10.exe
Token: SeSystemEnvironmentPrivilege	4780	tvstream10.exe
Token: SeChangeNotifyPrivilege	4780	tvstream10.exe
Token: SeRemoteShutdownPrivilege	4780	tvstream10.exe
Token: SeUndockPrivilege	4780	tvstream10.exe
Token: SeSyncAgentPrivilege	4780	tvstream10.exe
Token: SeEnableDelegationPrivilege	4780	tvstream10.exe
Token: SeManageVolumePrivilege	4780	tvstream10.exe
Token: SeImpersonatePrivilege	4780	tvstream10.exe
Token: SeCreateGlobalPrivilege	4780	tvstream10.exe
Token: 31	4780	tvstream10.exe
Token: 32	4780	tvstream10.exe
Token: 33	4780	tvstream10.exe
Token: 34	4780	tvstream10.exe
Token: 35	4780	tvstream10.exe
Token: SeDebugPrivilege	4820	anytime1.exe
Token: SeDebugPrivilege	5044	anytime2.exe
Token: SeDebugPrivilege	5008	anytime3.exe
Token: SeDebugPrivilege	4876	SharkSoftSetup928578.exe
Token: SeDebugPrivilege	4844	anytime4.exe
Token: SeDebugPrivilege	2084	hadilog.exe
Token: SeDebugPrivilege	1920	conhost.exe
Token: SeDebugPrivilege	4444	conhost.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe
Token: SeManageVolumePrivilege	2844	luc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3960	yangwang.exe
3960	yangwang.exe
4788	yangwang.exe
4788	yangwang.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3116	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	77
PID 2360 wrote to memory of 3116	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	77
PID 2360 wrote to memory of 2080	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	109
PID 2360 wrote to memory of 2080	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	109
PID 2360 wrote to memory of 3172	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	108
PID 2360 wrote to memory of 3172	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	108
PID 2360 wrote to memory of 2844	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	107
PID 2360 wrote to memory of 2844	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	107
PID 2360 wrote to memory of 2844	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	107
PID 2360 wrote to memory of 4780	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	78
PID 2360 wrote to memory of 4780	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	78
PID 2360 wrote to memory of 4780	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	78
PID 2360 wrote to memory of 3960	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	79
PID 2360 wrote to memory of 3960	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	79
PID 2360 wrote to memory of 3960	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	79
PID 2360 wrote to memory of 4068	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	80
PID 2360 wrote to memory of 4068	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	80
PID 2360 wrote to memory of 4068	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	80
PID 2360 wrote to memory of 4876	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	106
PID 2360 wrote to memory of 4876	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	106
PID 2360 wrote to memory of 4876	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	106
PID 3960 wrote to memory of 4788	3960	yangwang.exe	81
PID 3960 wrote to memory of 4788	3960	yangwang.exe	81
PID 3960 wrote to memory of 4788	3960	yangwang.exe	81
PID 2360 wrote to memory of 4820	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	105
PID 2360 wrote to memory of 4820	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	105
PID 2360 wrote to memory of 5044	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	104
PID 2360 wrote to memory of 5044	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	104
PID 4068 wrote to memory of 3544	4068	setup.exe	111
PID 4068 wrote to memory of 3544	4068	setup.exe	111
PID 4068 wrote to memory of 3544	4068	setup.exe	111
PID 2360 wrote to memory of 5008	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	102
PID 2360 wrote to memory of 5008	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	102
PID 2360 wrote to memory of 4844	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	101
PID 2360 wrote to memory of 4844	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	101
PID 3172 wrote to memory of 2676	3172	rtst1073.exe	100
PID 3172 wrote to memory of 2676	3172	rtst1073.exe	100
PID 3172 wrote to memory of 2676	3172	rtst1073.exe	100
PID 2360 wrote to memory of 2084	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	82
PID 2360 wrote to memory of 2084	2360	12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe	82
PID 3544 wrote to memory of 3408	3544	sihclient.exe	99
PID 3544 wrote to memory of 3408	3544	sihclient.exe	99
PID 3544 wrote to memory of 3408	3544	sihclient.exe	99
PID 3408 wrote to memory of 852	3408	setup.exe	98
PID 3408 wrote to memory of 852	3408	setup.exe	98
PID 3408 wrote to memory of 852	3408	setup.exe	98
PID 5044 wrote to memory of 2680	5044	anytime2.exe	83
PID 5044 wrote to memory of 2680	5044	anytime2.exe	83
PID 4820 wrote to memory of 1592	4820	anytime1.exe	87
PID 4820 wrote to memory of 1592	4820	anytime1.exe	87
PID 3984 wrote to memory of 4688	3984	rundll32.exe	95
PID 3984 wrote to memory of 4688	3984	rundll32.exe	95
PID 3984 wrote to memory of 4688	3984	rundll32.exe	95
PID 2680 wrote to memory of 1920	2680	LzmwAqmV.exe	112
PID 2680 wrote to memory of 1920	2680	LzmwAqmV.exe	112
PID 2680 wrote to memory of 1920	2680	LzmwAqmV.exe	112
PID 1592 wrote to memory of 4444	1592	LzmwAqmV.exe	113
PID 1592 wrote to memory of 4444	1592	LzmwAqmV.exe	113
PID 1592 wrote to memory of 4444	1592	LzmwAqmV.exe	113
PID 4780 wrote to memory of 1472	4780	tvstream10.exe	114
PID 4780 wrote to memory of 1472	4780	tvstream10.exe	114
PID 4780 wrote to memory of 1472	4780	tvstream10.exe	114
PID 4444 wrote to memory of 828	4444	conhost.exe	122
PID 4444 wrote to memory of 828	4444	conhost.exe	122

C:\Users\Admin\AppData\Local\Temp\12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe
"C:\Users\Admin\AppData\Local\Temp\12d4e0dc6a5f9ec4ba6f58b0c5a8335515f72fba3429cd27c9213d681afe1301.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\myfile.exe
  "C:\Users\Admin\AppData\Local\Temp\myfile.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3116 -s 1924
    3⤵
    - Program crash
    PID:3924
- C:\Users\Admin\AppData\Local\Temp\tvstream10.exe
  "C:\Users\Admin\AppData\Local\Temp\tvstream10.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5036
- C:\Users\Admin\AppData\Local\Temp\yangwang.exe
  "C:\Users\Admin\AppData\Local\Temp\yangwang.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\yangwang.exe
    "C:\Users\Admin\AppData\Local\Temp\yangwang.exe" -h
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4788
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\is-LJ294.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LJ294.tmp\setup.tmp" /SL5="$50116,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:3544
- C:\Users\Admin\AppData\Local\Temp\hadilog.exe
  "C:\Users\Admin\AppData\Local\Temp\hadilog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2084 -s 1688
    3⤵
    - Program crash
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\anytime4.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\anytime3.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\anytime2.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\anytime1.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4820
- C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup928578.exe
  "C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup928578.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\luc.exe
  "C:\Users\Admin\AppData\Local\Temp\luc.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\rtst1073.exe
  "C:\Users\Admin\AppData\Local\Temp\rtst1073.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\orignal.exe
  "C:\Users\Admin\AppData\Local\Temp\orignal.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2080 -s 1668
    3⤵
    - Program crash
    PID:4776

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2236
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
    3⤵
    PID:3108
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Creates scheduled task(s)
      PID:1752
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services64.exe"
    3⤵
    PID:1328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2084 -ip 2084
1⤵
PID:3608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4844 -ip 4844
1⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
    3⤵
    PID:2444
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Creates scheduled task(s)
      PID:4248
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services64.exe"
    3⤵
    PID:1716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 5008 -ip 5008
1⤵
PID:1472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5008 -s 1688
1⤵
- Program crash
PID:1360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4844 -s 1688
1⤵
- Program crash
PID:4732

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  - Loads dropped DLL
  PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4688 -ip 4688
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 600
1⤵
- Program crash
PID:744

C:\Users\Admin\AppData\Local\Temp\is-HR7O8.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HR7O8.tmp\setup.tmp" /SL5="$60116,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 1hTdkwpgLEmjvPbAEHRyDw.0.2
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2080 -ip 2080
1⤵
PID:1852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3116 -ip 3116
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
207KB

MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
207KB

MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
48KB

MD5
0564e300edc8a089097603608d9dbea1

SHA1
9dc8141eaccbb97a31822009fb629f2b5803c529

SHA256
ad10be3d0f6e4bdecba261aff28a3e24095d739d8192a5e35b435d460599b0ff

SHA512
5b55b78a63d83f51e9982d18acb7a185b2fea84a8fba910ca1c8f07b03f98d05e72eb037ca0df0d2e80ff113f2791b7f246679923d9a9128de53a22dd3b77b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup928578.exe

Filesize
154KB

MD5
0f364c49aaf66c2c14736de6a758072c

SHA1
fc31441866b2b31b8caa1b2c0c88f8e34e447404

SHA256
e45d182e1c758f3f4402cde7f871ee22abb39ca429251518d702a2993c8120a6

SHA512
c7fa072fc4a4857c0cbcc0efda099afc69662e34f96c0b569b408739e2403506f793853cf609ebe9c0c70310442513471aea42bb898e55721ebe1c9ce94e871f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup928578.exe

Filesize
154KB

MD5
0f364c49aaf66c2c14736de6a758072c

SHA1
fc31441866b2b31b8caa1b2c0c88f8e34e447404

SHA256
e45d182e1c758f3f4402cde7f871ee22abb39ca429251518d702a2993c8120a6

SHA512
c7fa072fc4a4857c0cbcc0efda099afc69662e34f96c0b569b408739e2403506f793853cf609ebe9c0c70310442513471aea42bb898e55721ebe1c9ce94e871f

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe

Filesize
8KB

MD5
81b7ab5b9ccd62ef999148c1b510dba7

SHA1
a56ac65cf0095b6d304e38b1abce4ef12355aac5

SHA256
713828c733af9219619b852c4d5421803be95591dc7afaf425554bd40f7b0e4f

SHA512
14d3364c65e8769a7d014daa7518703a24e88ddb96014c4f7d7ea29ab53b555e6164ceb33afae639c81c01c04de7e8f29cdb369e60d8b201b6123b6b7c208a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe

Filesize
8KB

MD5
81b7ab5b9ccd62ef999148c1b510dba7

SHA1
a56ac65cf0095b6d304e38b1abce4ef12355aac5

SHA256
713828c733af9219619b852c4d5421803be95591dc7afaf425554bd40f7b0e4f

SHA512
14d3364c65e8769a7d014daa7518703a24e88ddb96014c4f7d7ea29ab53b555e6164ceb33afae639c81c01c04de7e8f29cdb369e60d8b201b6123b6b7c208a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe

Filesize
8KB

MD5
f78b50c5e55af5074d43904a0cfdd51a

SHA1
739b95150a1cd19373a5771d1ed3dc5ebc9ec3f6

SHA256
502b72351144db4beab498c3d6b54cb00f033bec52e87346f78889b0124c50b1

SHA512
a4f7df81ae25c64cb8eef1ab4407c08ab04e19941ee8e23360624c3f6b82c64a7d26278e23ed98e643f02373c68cb9ffc54f4c409c0ed7c280dfa130f63bed30

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe

Filesize
8KB

MD5
f78b50c5e55af5074d43904a0cfdd51a

SHA1
739b95150a1cd19373a5771d1ed3dc5ebc9ec3f6

SHA256
502b72351144db4beab498c3d6b54cb00f033bec52e87346f78889b0124c50b1

SHA512
a4f7df81ae25c64cb8eef1ab4407c08ab04e19941ee8e23360624c3f6b82c64a7d26278e23ed98e643f02373c68cb9ffc54f4c409c0ed7c280dfa130f63bed30

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe

Filesize
8KB

MD5
6261def6a0f48693ee03d6e3b78d3e1e

SHA1
1a40200f9246f9015be7056bf8b70cfe53a4f685

SHA256
553ed0af8d0b2207aa760880fcc3723f13c5ec7782a5198d964e1ab65e939c95

SHA512
b73357f6e0b7450e10e717d745a4542fcd27d45914147f6ac521d51695cba1c569c3ea7d97c08d3e091b3d41a009b45b5a164ead1f5e286c6fa0dc5592448459

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe

Filesize
8KB

MD5
6261def6a0f48693ee03d6e3b78d3e1e

SHA1
1a40200f9246f9015be7056bf8b70cfe53a4f685

SHA256
553ed0af8d0b2207aa760880fcc3723f13c5ec7782a5198d964e1ab65e939c95

SHA512
b73357f6e0b7450e10e717d745a4542fcd27d45914147f6ac521d51695cba1c569c3ea7d97c08d3e091b3d41a009b45b5a164ead1f5e286c6fa0dc5592448459

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe

Filesize
8KB

MD5
2c9dff39d65d1f574e8a26d0c28aae7e

SHA1
b416fb8e4c5ace6152f347f09bb93d7f0fb4a488

SHA256
967a8adf0624d2000266b0cf67684aff7dc49fcfacf40105cbe875d89f580050

SHA512
8ecdbb4f62a5da3cb0331df4c4e193b083f254b64aac91c5a29998d5022ab36d84c11abfd58d2a287cc5b8078adf8e3a0b610e3977909d17c0118d05371b18be

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe

Filesize
8KB

MD5
2c9dff39d65d1f574e8a26d0c28aae7e

SHA1
b416fb8e4c5ace6152f347f09bb93d7f0fb4a488

SHA256
967a8adf0624d2000266b0cf67684aff7dc49fcfacf40105cbe875d89f580050

SHA512
8ecdbb4f62a5da3cb0331df4c4e193b083f254b64aac91c5a29998d5022ab36d84c11abfd58d2a287cc5b8078adf8e3a0b610e3977909d17c0118d05371b18be

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
9fc88bda9ad986f37361fa9c61e3c85d

SHA1
83ab45cd99f87c9eb4559f53b79572c172a71541

SHA256
0d1880ff4c07d864bf56d992c0e17f3396f4bbbe9d1a65539a4397ca9b4f6c91

SHA512
491c49c33047d9186e269d180088088557c341602ae3e34a36f53774df0ad60097e31dd02e91140d866c428a3625d8e8fa353ce8f708f06daf698dd1685d12f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
7ffef7319bb7963fa71d05c0b3026f02

SHA1
e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

SHA256
4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

SHA512
dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
7ffef7319bb7963fa71d05c0b3026f02

SHA1
e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

SHA256
4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

SHA512
dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
3f9e0b155d4a8313b0f497305e696ce9

SHA1
96694f5ea600e6d6d1ae85bf8fdec026e06b812a

SHA256
62b6c84ca8a68326d3243d1ab1c334622bd6ed7cf4b26085670277ce0068f991

SHA512
4722159d226a250236043bc9709d28b002ed9960d2b52c7a6243875b03e913e8c9a4bd4ff9521927e55b0121b4e23e68bd0b96ccdcada15c207d298c0148e750

Download Submit
C:\Users\Admin\AppData\Local\Temp\hadilog.exe

Filesize
8KB

MD5
f237c1d97486075cd87ca4b60d86d2f2

SHA1
a35e3e83472d2f6fbd1c825e794d8760598e430e

SHA256
76407101e2ef8f186579d6110316460234e252d30a407dd990dfe3ae432a14e2

SHA512
30b6fb9781ca25b39438c1d193d7b108f61f9d1d6bbd423f31d3b8178ff061d1b0f6d1354e98a176cf1dcbaf17f8c77bfd7fa5cb5e32ac1a7aafcdf98cd6c456

Download Submit
C:\Users\Admin\AppData\Local\Temp\hadilog.exe

Filesize
8KB

MD5
f237c1d97486075cd87ca4b60d86d2f2

SHA1
a35e3e83472d2f6fbd1c825e794d8760598e430e

SHA256
76407101e2ef8f186579d6110316460234e252d30a407dd990dfe3ae432a14e2

SHA512
30b6fb9781ca25b39438c1d193d7b108f61f9d1d6bbd423f31d3b8178ff061d1b0f6d1354e98a176cf1dcbaf17f8c77bfd7fa5cb5e32ac1a7aafcdf98cd6c456

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D1KIM.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HR7O8.tmp\setup.tmp

Filesize
2.5MB

MD5
83b531c1515044f8241cd9627fbfbe86

SHA1
d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c

SHA512
9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJ294.tmp\setup.tmp

Filesize
2.5MB

MD5
83b531c1515044f8241cd9627fbfbe86

SHA1
d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c

SHA512
9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MG1FJ.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\luc.exe

Filesize
1.9MB

MD5
beb93a48eefd9be5e5664754e9c6f175

SHA1
d007e52aa93034a54b2f8167e3bcdcff8a65a63d

SHA256
94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

SHA512
7b7ca6a538eed77f8a10aa9628466a2d41d3133510663d065594ee83dfec5e432d8a0bd206b7383e014f8bad282c736662d22c9b9e5705436ec235e8c384cb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\luc.exe

Filesize
1.9MB

MD5
beb93a48eefd9be5e5664754e9c6f175

SHA1
d007e52aa93034a54b2f8167e3bcdcff8a65a63d

SHA256
94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

SHA512
7b7ca6a538eed77f8a10aa9628466a2d41d3133510663d065594ee83dfec5e432d8a0bd206b7383e014f8bad282c736662d22c9b9e5705436ec235e8c384cb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\myfile.exe

Filesize
8KB

MD5
e1f8319f9fbf085fb2efdb1a78d4d1fb

SHA1
5f7563559b1e9a72f7f3b8a4f95b6275d19ad830

SHA256
9d34e5340f93311955f332ac5a8fa9fc2d0f4f314d3339587efd3949a6d72b28

SHA512
5fa1f191f4c63f42b659ab0a4a122e3194d0cba838bbef39bc7c73bc9db66ec19b50ee59765192eff72189d8257e30e396b52eaa82647931472c9d2eb2934c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\myfile.exe

Filesize
8KB

MD5
e1f8319f9fbf085fb2efdb1a78d4d1fb

SHA1
5f7563559b1e9a72f7f3b8a4f95b6275d19ad830

SHA256
9d34e5340f93311955f332ac5a8fa9fc2d0f4f314d3339587efd3949a6d72b28

SHA512
5fa1f191f4c63f42b659ab0a4a122e3194d0cba838bbef39bc7c73bc9db66ec19b50ee59765192eff72189d8257e30e396b52eaa82647931472c9d2eb2934c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\orignal.exe

Filesize
8KB

MD5
059beb0e5d100738dea69a42b642b87a

SHA1
f257c38b7e0b5d9eb148a7c701f5fd8e076d78d6

SHA256
a6bd6d4a6ec993685c85569883bcc9506877b2cdd03be9d1a0f15e74bfcf9619

SHA512
1b8967fe0b88fb3e8198feef729d58d333dbaced07779fa575cd3f6242b8edb48aa1fc514b044cada3cd28d63de128dbc99176e4642268a314082fe12d31ac97

Download Submit
C:\Users\Admin\AppData\Local\Temp\orignal.exe

Filesize
8KB

MD5
059beb0e5d100738dea69a42b642b87a

SHA1
f257c38b7e0b5d9eb148a7c701f5fd8e076d78d6

SHA256
a6bd6d4a6ec993685c85569883bcc9506877b2cdd03be9d1a0f15e74bfcf9619

SHA512
1b8967fe0b88fb3e8198feef729d58d333dbaced07779fa575cd3f6242b8edb48aa1fc514b044cada3cd28d63de128dbc99176e4642268a314082fe12d31ac97

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtst1073.exe

Filesize
1.6MB

MD5
935f2e66c8570c16521580e4616a1bfd

SHA1
385ce23624f0de2eae7fced58f6af437619b1908

SHA256
169f22914f727e82a79d42d49bdec1bff170788ae91084b08956574b90050527

SHA512
140521115b7e79e5e73ac041a1f07cb5caede2d2ba4c872260f2738bac99314ece52d90563e85ec9afc2388d27ff01f4dd657d5329d81d5f7f24b8e9787b2dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtst1073.exe

Filesize
1.6MB

MD5
935f2e66c8570c16521580e4616a1bfd

SHA1
385ce23624f0de2eae7fced58f6af437619b1908

SHA256
169f22914f727e82a79d42d49bdec1bff170788ae91084b08956574b90050527

SHA512
140521115b7e79e5e73ac041a1f07cb5caede2d2ba4c872260f2738bac99314ece52d90563e85ec9afc2388d27ff01f4dd657d5329d81d5f7f24b8e9787b2dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.5MB

MD5
3d8893ab0c5b2313c2bbc9e2179c8b6c

SHA1
869d66a84d776794f49e56386f76aaf1102245f0

SHA256
fb052c6c88620d9f19bfe30e9ba9aaa6d1afda3d39f37e1cc4b6f42a7ca4f347

SHA512
2106b78ed1bf4c4bee2a64be49322ee3a9ce09cf4b6e448c6fd942968da5daeb72a52698ff80824e0c8e97c5b9450f6a250971549cf46bc1e0a1251f6c597ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.5MB

MD5
3d8893ab0c5b2313c2bbc9e2179c8b6c

SHA1
869d66a84d776794f49e56386f76aaf1102245f0

SHA256
fb052c6c88620d9f19bfe30e9ba9aaa6d1afda3d39f37e1cc4b6f42a7ca4f347

SHA512
2106b78ed1bf4c4bee2a64be49322ee3a9ce09cf4b6e448c6fd942968da5daeb72a52698ff80824e0c8e97c5b9450f6a250971549cf46bc1e0a1251f6c597ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.5MB

MD5
3d8893ab0c5b2313c2bbc9e2179c8b6c

SHA1
869d66a84d776794f49e56386f76aaf1102245f0

SHA256
fb052c6c88620d9f19bfe30e9ba9aaa6d1afda3d39f37e1cc4b6f42a7ca4f347

SHA512
2106b78ed1bf4c4bee2a64be49322ee3a9ce09cf4b6e448c6fd942968da5daeb72a52698ff80824e0c8e97c5b9450f6a250971549cf46bc1e0a1251f6c597ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvstream10.exe

Filesize
1.7MB

MD5
3f1c095579d444e8775e60c68b4f83e3

SHA1
368387d6b00037c448b2da27537b91027de79f54

SHA256
87506e3cf85c1db7b9455bea87ebf36673345c8dfffefe388fd7cfb0d4f44c8e

SHA512
76641e85c02c7868175c505e9676d77d4680eb618f91bdd9eb8d4646eb019409d10c85820c2c3958f157712cb08341454396b3a60789bf964c2eae40815a9aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvstream10.exe

Filesize
1.7MB

MD5
3f1c095579d444e8775e60c68b4f83e3

SHA1
368387d6b00037c448b2da27537b91027de79f54

SHA256
87506e3cf85c1db7b9455bea87ebf36673345c8dfffefe388fd7cfb0d4f44c8e

SHA512
76641e85c02c7868175c505e9676d77d4680eb618f91bdd9eb8d4646eb019409d10c85820c2c3958f157712cb08341454396b3a60789bf964c2eae40815a9aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangwang.exe

Filesize
372KB

MD5
18fcf8edd34820224042aca0817c72d8

SHA1
2113d384c1bd239d73266c18884e0d98da9bab48

SHA256
9f4e4b623673bddd8b7e14c5476ee7c417c46b5bc68cb8ab2f8b5ed0b160268d

SHA512
0f762e85ce7f4a739dfe5dfa8db8dede8aab21acc24525aa2d73a959b39c1147f9be61e29a6c5126fdff16b5fb4c8342980f32a312f8c82ba6ff8884a97b9101

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangwang.exe

Filesize
372KB

MD5
18fcf8edd34820224042aca0817c72d8

SHA1
2113d384c1bd239d73266c18884e0d98da9bab48

SHA256
9f4e4b623673bddd8b7e14c5476ee7c417c46b5bc68cb8ab2f8b5ed0b160268d

SHA512
0f762e85ce7f4a739dfe5dfa8db8dede8aab21acc24525aa2d73a959b39c1147f9be61e29a6c5126fdff16b5fb4c8342980f32a312f8c82ba6ff8884a97b9101

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangwang.exe

Filesize
372KB

MD5
18fcf8edd34820224042aca0817c72d8

SHA1
2113d384c1bd239d73266c18884e0d98da9bab48

SHA256
9f4e4b623673bddd8b7e14c5476ee7c417c46b5bc68cb8ab2f8b5ed0b160268d

SHA512
0f762e85ce7f4a739dfe5dfa8db8dede8aab21acc24525aa2d73a959b39c1147f9be61e29a6c5126fdff16b5fb4c8342980f32a312f8c82ba6ff8884a97b9101

Download Submit
C:\Windows\system32\services64.exe

Filesize
48KB

MD5
0564e300edc8a089097603608d9dbea1

SHA1
9dc8141eaccbb97a31822009fb629f2b5803c529

SHA256
ad10be3d0f6e4bdecba261aff28a3e24095d739d8192a5e35b435d460599b0ff

SHA512
5b55b78a63d83f51e9982d18acb7a185b2fea84a8fba910ca1c8f07b03f98d05e72eb037ca0df0d2e80ff113f2791b7f246679923d9a9128de53a22dd3b77b44

Download Submit
C:\Windows\system32\services64.exe

Filesize
48KB

MD5
0564e300edc8a089097603608d9dbea1

SHA1
9dc8141eaccbb97a31822009fb629f2b5803c529

SHA256
ad10be3d0f6e4bdecba261aff28a3e24095d739d8192a5e35b435d460599b0ff

SHA512
5b55b78a63d83f51e9982d18acb7a185b2fea84a8fba910ca1c8f07b03f98d05e72eb037ca0df0d2e80ff113f2791b7f246679923d9a9128de53a22dd3b77b44

Download Submit
memory/1920-285-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-233-0x000001FF07F50000-0x000001FF07F62000-memory.dmp

Filesize
72KB

Download
memory/1920-254-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-294-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-252-0x000001FF05F60000-0x000001FF06181000-memory.dmp

Filesize
2.1MB

Download
memory/2080-158-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/2080-138-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2080-269-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/2080-228-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-226-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-216-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-198-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/2236-277-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-278-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/2360-130-0x0000000000BC0000-0x000000000130C000-memory.dmp

Filesize
7.3MB

Download
memory/2676-206-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2844-287-0x0000000004D40000-0x0000000004D48000-memory.dmp

Filesize
32KB

Download
memory/2844-281-0x0000000005140000-0x0000000005148000-memory.dmp

Filesize
32KB

Download
memory/2844-288-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/2844-152-0x0000000000A00000-0x0000000000E9A000-memory.dmp

Filesize
4.6MB

Download
memory/2844-354-0x0000000000A00000-0x0000000000E9A000-memory.dmp

Filesize
4.6MB

Download
memory/2844-268-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/2844-284-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/2844-275-0x00000000051F0000-0x00000000051F8000-memory.dmp

Filesize
32KB

Download
memory/2844-265-0x0000000004F30000-0x0000000004F38000-memory.dmp

Filesize
32KB

Download
memory/2844-154-0x0000000000A00000-0x0000000000E9A000-memory.dmp

Filesize
4.6MB

Download
memory/2844-326-0x0000000001050000-0x0000000001058000-memory.dmp

Filesize
32KB

Download
memory/2844-149-0x0000000000A00000-0x0000000000E9A000-memory.dmp

Filesize
4.6MB

Download
memory/2844-299-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/2844-290-0x0000000005090000-0x0000000005098000-memory.dmp

Filesize
32KB

Download
memory/2844-243-0x0000000004430000-0x0000000004440000-memory.dmp

Filesize
64KB

Download
memory/2844-279-0x0000000005120000-0x0000000005128000-memory.dmp

Filesize
32KB

Download
memory/2844-262-0x0000000004D20000-0x0000000004D28000-memory.dmp

Filesize
32KB

Download
memory/2844-280-0x0000000005190000-0x0000000005198000-memory.dmp

Filesize
32KB

Download
memory/2844-298-0x0000000005090000-0x0000000005098000-memory.dmp

Filesize
32KB

Download
memory/2844-264-0x0000000004DE0000-0x0000000004DE8000-memory.dmp

Filesize
32KB

Download
memory/2844-296-0x0000000004D40000-0x0000000004D48000-memory.dmp

Filesize
32KB

Download
memory/2844-161-0x0000000000A00000-0x0000000000E9A000-memory.dmp

Filesize
4.6MB

Download
memory/2844-235-0x0000000004110000-0x0000000004120000-memory.dmp

Filesize
64KB

Download
memory/2844-263-0x0000000004D40000-0x0000000004D48000-memory.dmp

Filesize
32KB

Download
memory/3116-134-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/3116-229-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-289-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-153-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/3408-202-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3408-218-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3656-270-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-258-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-259-0x00000209C0D50000-0x00000209C0D72000-memory.dmp

Filesize
136KB

Download
memory/4068-205-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4068-159-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4068-186-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4216-257-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-272-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4444-295-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4444-256-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4444-286-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-195-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-220-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-171-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/4844-227-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4844-189-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/4844-215-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-190-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/4876-180-0x00000000075F0000-0x0000000007682000-memory.dmp

Filesize
584KB

Download
memory/4876-178-0x0000000007B00000-0x00000000080A4000-memory.dmp

Filesize
5.6MB

Download
memory/4876-231-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/4876-167-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/5008-203-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-183-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/5008-230-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-232-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-199-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-214-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-176-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download