isrstealer | d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9.exe
Size

1.1MB
MD5

104e3f305b7c3f64f888f5e62f865e40
SHA1

fee24350df3533f82849c5ee867e091a43649986
SHA256

d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9
SHA512

0eb7929fae7c91dfcdabd970ae98a2df2b6164b928706e8b325d9d98ea8b65d5d8326fd0d59b2d923b567d628c7ccf9be442cac6942e8a10e8296122551d4fe0
SSDEEP

24576:kt249Bnd2zADVkNSoc1xuzoVF5r5QAwFv0LbU:ezYMDVkNAfuw7B2Aw

Score

10^/10

isrstealer collection evasion persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 26 IoCs

resource	yara_rule
behavioral2/memory/2772-139-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2772-140-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3876-163-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3876-172-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3876-185-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3876-186-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2608-198-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2608-205-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2540-212-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2540-220-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2540-226-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2540-227-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/852-243-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/852-252-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/852-253-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/760-265-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/760-272-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4752-288-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4752-297-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1808-317-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1808-326-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2044-342-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2044-351-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4980-367-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4980-376-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3432-400-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Modifies visiblity of hidden/system files in Explorer 2 TTPs 14 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	QIyyJZIbiA.com

NirSoft MailPassView 13 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4628-154-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4628-155-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4832-183-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4832-184-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3148-203-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3148-204-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/5112-251-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4312-270-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4312-271-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4504-296-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3228-325-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/5108-350-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3896-375-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 13 IoCs

resource	yara_rule
behavioral2/memory/4628-154-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4628-155-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4832-183-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4832-184-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3148-203-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3148-204-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/5112-251-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4312-270-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4312-271-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4504-296-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3228-325-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/5108-350-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3896-375-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 14 IoCs

pid	Process
396	QIyyJZIbiA.com
784	QIyyJZIbiA.com
5076	QIyyJZIbiA.com
4268	QIyyJZIbiA.com
2076	QIyyJZIbiA.com
3472	QIyyJZIbiA.com
1116	QIyyJZIbiA.com
2452	QIyyJZIbiA.com
2996	QIyyJZIbiA.com
2724	QIyyJZIbiA.com
4984	QIyyJZIbiA.com
1760	QIyyJZIbiA.com
3700	QIyyJZIbiA.com
1772	QIyyJZIbiA.com

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3472-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3472-146-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3472-147-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3472-148-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4628-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4628-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4628-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4628-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2828-169-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2828-170-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2828-171-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4832-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4832-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4832-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3148-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3148-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3148-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5040-218-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5040-219-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5040-221-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4788-242-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5112-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3508-287-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4504-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/532-316-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3228-325-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3084-341-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5108-350-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3928-366-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3896-375-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4252-399-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	QIyyJZIbiA.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m76w78zyfmuj273 = "C:\\Users\\Admin\\m76w78zyfmuj273\\45843.vbs"	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	QIyyJZIbiA.com
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	QIyyJZIbiA.com

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QIyyJZIbiA.com

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 396 set thread context of 2772	396	QIyyJZIbiA.com	82
PID 2772 set thread context of 3472	2772	RegSvcs.exe	83
PID 2772 set thread context of 4628	2772	RegSvcs.exe	84
PID 784 set thread context of 3876	784	QIyyJZIbiA.com	91
PID 3876 set thread context of 2828	3876	RegSvcs.exe	92
PID 3876 set thread context of 4832	3876	RegSvcs.exe	96
PID 5076 set thread context of 2608	5076	QIyyJZIbiA.com	99
PID 2608 set thread context of 4520	2608	RegSvcs.exe	100
PID 2608 set thread context of 3148	2608	RegSvcs.exe	106
PID 4268 set thread context of 2540	4268	QIyyJZIbiA.com	109
PID 2540 set thread context of 5040	2540	RegSvcs.exe	110
PID 2540 set thread context of 4048	2540	RegSvcs.exe	111
PID 2076 set thread context of 852	2076	QIyyJZIbiA.com	116
PID 852 set thread context of 4788	852	RegSvcs.exe	117
PID 852 set thread context of 5112	852	RegSvcs.exe	118
PID 3472 set thread context of 760	3472	QIyyJZIbiA.com	121
PID 760 set thread context of 3940	760	RegSvcs.exe	122
PID 760 set thread context of 4312	760	RegSvcs.exe	125
PID 1116 set thread context of 4752	1116	QIyyJZIbiA.com	128
PID 4752 set thread context of 3508	4752	RegSvcs.exe	129
PID 4752 set thread context of 4504	4752	RegSvcs.exe	130
PID 2996 set thread context of 1808	2996	QIyyJZIbiA.com	136
PID 1808 set thread context of 532	1808	RegSvcs.exe	137
PID 1808 set thread context of 3228	1808	RegSvcs.exe	138
PID 2724 set thread context of 2044	2724	QIyyJZIbiA.com	141
PID 2044 set thread context of 3084	2044	RegSvcs.exe	142
PID 2044 set thread context of 5108	2044	RegSvcs.exe	143
PID 4984 set thread context of 4980	4984	QIyyJZIbiA.com	146
PID 4980 set thread context of 3928	4980	RegSvcs.exe	147
PID 4980 set thread context of 3896	4980	RegSvcs.exe	148
PID 1772 set thread context of 3432	1772	QIyyJZIbiA.com	157
PID 3432 set thread context of 4252	3432	RegSvcs.exe	158
PID 3432 set thread context of 2100	3432	RegSvcs.exe	159

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1476	4520	WerFault.exe	100
2884	4520	WerFault.exe	100
4896	4048	WerFault.exe	111
1772	3940	WerFault.exe	122

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	QIyyJZIbiA.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com
396	QIyyJZIbiA.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	396	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	784	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com
Token: SeDebugPrivilege	5076	QIyyJZIbiA.com

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2772	RegSvcs.exe
3876	RegSvcs.exe
2608	RegSvcs.exe
2540	RegSvcs.exe
852	RegSvcs.exe
760	RegSvcs.exe
4752	RegSvcs.exe
1808	RegSvcs.exe
2044	RegSvcs.exe
4980	RegSvcs.exe
3432	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 396	2824	d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9.exe	80
PID 2824 wrote to memory of 396	2824	d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9.exe	80
PID 2824 wrote to memory of 396	2824	d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9.exe	80
PID 396 wrote to memory of 2772	396	QIyyJZIbiA.com	82
PID 396 wrote to memory of 2772	396	QIyyJZIbiA.com	82
PID 396 wrote to memory of 2772	396	QIyyJZIbiA.com	82
PID 396 wrote to memory of 2772	396	QIyyJZIbiA.com	82
PID 396 wrote to memory of 2772	396	QIyyJZIbiA.com	82
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 3472	2772	RegSvcs.exe	83
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 2772 wrote to memory of 4628	2772	RegSvcs.exe	84
PID 396 wrote to memory of 4660	396	QIyyJZIbiA.com	88
PID 396 wrote to memory of 4660	396	QIyyJZIbiA.com	88
PID 396 wrote to memory of 4660	396	QIyyJZIbiA.com	88
PID 4660 wrote to memory of 784	4660	WScript.exe	90
PID 4660 wrote to memory of 784	4660	WScript.exe	90
PID 4660 wrote to memory of 784	4660	WScript.exe	90
PID 784 wrote to memory of 3876	784	QIyyJZIbiA.com	91
PID 784 wrote to memory of 3876	784	QIyyJZIbiA.com	91
PID 784 wrote to memory of 3876	784	QIyyJZIbiA.com	91
PID 784 wrote to memory of 3876	784	QIyyJZIbiA.com	91
PID 784 wrote to memory of 3876	784	QIyyJZIbiA.com	91
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 2828	3876	RegSvcs.exe	92
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 3876 wrote to memory of 4832	3876	RegSvcs.exe	96
PID 784 wrote to memory of 4696	784	QIyyJZIbiA.com	97
PID 784 wrote to memory of 4696	784	QIyyJZIbiA.com	97
PID 784 wrote to memory of 4696	784	QIyyJZIbiA.com	97
PID 4696 wrote to memory of 5076	4696	WScript.exe	98
PID 4696 wrote to memory of 5076	4696	WScript.exe	98
PID 4696 wrote to memory of 5076	4696	WScript.exe	98
PID 5076 wrote to memory of 2608	5076	QIyyJZIbiA.com	99
PID 5076 wrote to memory of 2608	5076	QIyyJZIbiA.com	99
PID 5076 wrote to memory of 2608	5076	QIyyJZIbiA.com	99
PID 5076 wrote to memory of 2608	5076	QIyyJZIbiA.com	99
PID 5076 wrote to memory of 2608	5076	QIyyJZIbiA.com	99
PID 2608 wrote to memory of 4520	2608	RegSvcs.exe	100
PID 2608 wrote to memory of 4520	2608	RegSvcs.exe	100

C:\Users\Admin\AppData\Local\Temp\d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9.exe
"C:\Users\Admin\AppData\Local\Temp\d1abaee79cc284c622228a53081315d07bd81cfc1f06b3b7ddde9810d13477c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
  "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ovuLWYuuVp.ini"
      4⤵
      PID:3472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\G1pAzNMqMO.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:4628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
      "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3876
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\jkZzgfgBoV.ini"
        6⤵
        
        PID:2828
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\NlN4cWkFQF.ini"
        6⤵
        Accesses Microsoft Outlook accounts
        
        PID:4832
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\KXVEl1xQss.ini"
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 88
        9⤵
        Program crash
        
        PID:1476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 108
        9⤵
        Program crash
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\wbAmH9CwAb.ini"
        8⤵
        Accesses Microsoft Outlook accounts
        
        PID:3148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        7⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4268
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\pKB2vpcGv4.ini"
        10⤵
        
        PID:5040
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\PjIrZlsRA4.ini"
        10⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 80
        11⤵
        Program crash
        
        PID:4896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        9⤵
        Checks computer location settings
        
        PID:4960
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2076
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\7VgYOQniZ6.ini"
        12⤵
        
        PID:4788
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\QO3LqgqINC.ini"
        12⤵
        Accesses Microsoft Outlook accounts
        
        PID:5112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        11⤵
        Checks computer location settings
        
        PID:3548
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:3472
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:760
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\luKy0z0SEW.ini"
        14⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 80
        15⤵
        Program crash
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\TXs8iK9cef.ini"
        14⤵
        Accesses Microsoft Outlook accounts
        
        PID:4312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        13⤵
        Checks computer location settings
        
        PID:3944
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\7kBIPcTvBY.ini"
        16⤵
        
        PID:3508
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\YtvbSi7Jh6.ini"
        16⤵
        Accesses Microsoft Outlook accounts
        
        PID:4504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        15⤵
        Checks computer location settings
        
        PID:2828
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        17⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        17⤵
        Checks computer location settings
        
        PID:388
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        18⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\XbFDFEHci4.ini"
        20⤵
        
        PID:532
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\MV735qlPPz.ini"
        20⤵
        Accesses Microsoft Outlook accounts
        
        PID:3228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        19⤵
        Checks computer location settings
        
        PID:4212
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        20⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2724
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\V9Iz75NHxn.ini"
        22⤵
        
        PID:3084
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\wn4lHK6x51.ini"
        22⤵
        Accesses Microsoft Outlook accounts
        
        PID:5108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        21⤵
        Checks computer location settings
        
        PID:5040
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        22⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4984
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4980
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\azOqDuZrqE.ini"
        24⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ndO74Jzdvs.ini"
        24⤵
        Accesses Microsoft Outlook accounts
        
        PID:3896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        23⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        24⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:1760
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        25⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        25⤵
        Checks computer location settings
        
        PID:3572
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        26⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:3700
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        27⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\M76W78~1\run.vbs"
        27⤵
        Checks computer location settings
        
        PID:4572
        
        C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com
        
        "C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com" vIxpVdLCLMDS.OCR
        28⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\uyeWp0Rf6O.ini"
        30⤵
        
        PID:4252
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\bBl1MSasB6.ini"
        30⤵
        Accesses Microsoft Outlook accounts
        
        PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4520 -ip 4520
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4520 -ip 4520
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4048 -ip 4048
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3940 -ip 3940
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
bf72e427cb37a9eea765a22bd913f4a9

SHA1
65472f30a9b5e73ab656b220200c08d80aa102f5

SHA256
0bb3634c75731c7e50568ec1b894ce832b3a3b42990909c2bb6230c34756b1cc

SHA512
681d5f0ef428c2dcb175ac1f4f1c6f944401fbee2eb5932973e47ab05f9a9c55fbbfa8dd6a57ec623cc6c759a743f4c532195eaf9561e6b1e536e7181bf9d140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
38bc9052d67fb7ff388671b512e76cb2

SHA1
097e30ab48d6130317a71cd53bd998c662d79171

SHA256
427acbd4b71e76709af64c7e94e63649ef51518d632afa3d24f06e5aebf95b9b

SHA512
a440c0983bbd454d421458d3203688b119bd56d7942fb6839868e183dcf9a838516aaa05295bf818149c39ce65509297ff8608241f62f82f289c35b17cc2043e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
96ac40d2a8beed266989f8cf7401a0d9

SHA1
178f2a6f62f158f952753fe40a7c0e4f3bb0f97b

SHA256
6ab4c147afee2074b2b7ac9fd4677b38218fb99d768fa3fe0f4aced5f0747395

SHA512
887a731013b7ac14a4b67c53514015b12974963843c48e9de12d81b6a594ace32292c6c90c5bdb37439febb7df3b11477640c328af9116439782f9bb637aa61a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
03e5f6e2caf056a3c9150ec545233d5b

SHA1
4f2a27fd2c2dd760b00359f1335ad4b39b8cd121

SHA256
d6fb8c7d846ae0b3b42184ff93262e324dd655371d5ed68150e2d071cad07f0f

SHA512
278abec21e35cbf5521be3afda1b1247c7f812efc245a84d9b2d8d2aa54d3054fbc1481eeb6cb8b572862e32d3ed0d8c907965c053ae36c66cd58fc513fe4ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7VgYOQniZ6.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kBIPcTvBY.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\V9Iz75NHxn.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XbFDFEHci4.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\azOqDuZrqE.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkZzgfgBoV.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovuLWYuuVp.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKB2vpcGv4.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyeWp0Rf6O.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\M76W78~1\LcEm.LSQ

Filesize
260KB

MD5
249f33cb758c025c11d25949fe4aff99

SHA1
311dd530c7e7c908967975c84ef97afdc3ec32ef

SHA256
282155a10f09aca3106de4fd411d4fbad97a19c418840707a593f8d5cca90118

SHA512
1797ff0dcfb237750bf0225bc1bba5dbedbd87be81965fecc823ddda386db975806c56858f9b6b118e9fb8fdbc1a27dc4a0afe1e8c1dc0e62c4f3df12a0a0ed5

Download Submit
C:\Users\Admin\M76W78~1\PRrQoZZbRM.RNH

Filesize
176B

MD5
4f59fd363d2a7943209a308591cd4135

SHA1
d49b22b3660a8e7b69fd194741852e437f08d008

SHA256
b228c2a04b3596afab9929725b2ef708a59426e029326acd4de34acc4968976c

SHA512
dcfe06d5532a2ee29957cfda1c08cc0dfc530cd2eda1bd34a26b72719fb3bb012cad836ed162084883c4d823b3d2684b4b821168667ca1adbc29a16a8ebd3f6f

Download Submit
C:\Users\Admin\M76W78~1\run.vbs

Filesize
99B

MD5
b3bf48dc4d5943b4e08e6555acd7b4cd

SHA1
9d982e5a171fd8df68a62cc88be5514fbe5ed489

SHA256
afd737ab983280173dd9a80c52011852a0fc7da9ae59cd223e661117a2ba6a5c

SHA512
46e2834248dcd89dc76fd31df07fbd94c6983d00e0ce65351c009de0ed12db52b9fd5139312afe5d5def3fe7377dd4024eec718413577833abb6f7052791eb6b

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\QIyyJZIbiA.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m76w78zyfmuj273\vIxpVdLCLMDS.OCR

Filesize
30.9MB

MD5
99471a6b948e4696a6e500b6a087b6b9

SHA1
ff5854d1d60513b243123825eb13176b2f2974f1

SHA256
efd5019cf2bf14df0763f56790ba66137dc20cf3e6a83f6091b88fcd60c00b25

SHA512
405f8c30eab6626a5126367f3a76146409d287ac786870e3fb67b4f3385df088b519143e9fdce89b11ba39d82136d2e1ab544b66293668cfab92071e1baa3a98

Download Submit
memory/532-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/760-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-243-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1808-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1808-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2828-171-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-170-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3084-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3148-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3228-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3432-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3472-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-147-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-148-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3508-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3876-163-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-375-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3928-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4252-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4312-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4504-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4752-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4752-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-242-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4832-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4832-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4832-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-367-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-218-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5040-219-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5040-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5108-350-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5112-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download