amadey | b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

Analysis

max time kernel
144s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2023 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

235KB
MD5

6779cd6f17fa7536c4490cc6d72a00a0
SHA1

2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256

b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512

88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
SSDEEP

6144:eLUoeyDABOdDubDXqgraG0JzSRuVyL+VYjQqgE:elu0LgwJ4uVyaV+J

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.242/9vZbns/index.php

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

tanos

62.204.41.159:4062

Attributes

auth_value
bcb77cd67cf9918d25e4b6ae210a9305

Extracted

Family

redline

Botnet

re1

librchichelpai.shop:81

rniwondunuifac.shop:81

Attributes

auth_value
ed3efbb6da2413ddef90855eed83d6fa

Extracted

Family

redline

Botnet

temp999

82.115.223.9:15486

Attributes

auth_value
c12cdc1127b45350218306e5550c987e

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

vidar

Version

2.1

Botnet

701

https://t.me/jetbim2

https://steamcommunity.com/profiles/76561199471266194

Attributes

profile_id
701

Extracted

Family

redline

Botnet

zaliv

82.115.223.140:1522

Attributes

auth_value
31e625b4714b3f30195e6ec4e8d9fba4

Extracted

Family

amadey

Version

3.65

hellomr.observer/7gjD0Vs3d/index.php

researchersgokick.rocks/7gjD0Vs3d/index.php

pleasetake.pictures/7gjD0Vs3d/index.php

Extracted

Family

redline

Botnet

HYPE

38.54.125.68:21137

Attributes

auth_value
997a647ef21cafae14b1b5f887bc6208

Extracted

Family

redline

Botnet

slava

81.161.229.143:26910

Attributes

auth_value
1fa3bcfe9f552d4efe7e265b42c3ebff

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

loda.exeloda1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	loda1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	loda.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	4732	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Zingo stealer
Zingo is an info stealer first seen in March 2022.
stealer trojan zingo

Zingo stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2996-272-0x0000000000400000-0x0000000000414000-memory.dmp	family_zingo

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe	dcrat
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe	dcrat
behavioral2/memory/3768-190-0x0000000000310000-0x0000000000444000-memory.dmp	dcrat
C:\Users\Default User\RuntimeBroker.exe	dcrat
C:\Users\Default\RuntimeBroker.exe	dcrat

Downloads MZ/PE file

Executes dropped EXE 36 IoCs

Processes:

nbveek.exeloda.exeloda1.exenesto1.exetanos.exelove1.exestown.exenesto.exestown3.exeblockSurrogatePerf.exestown1.exelove.exelebro.exenbveek.exetanos1.exetanos.exenesto.exe700K.exeRuntimeBroker.exe6666.exefile.exeSkuasFussily_2023-01-22_06-26.exebuild.exeblackod.exeEngine.exezaliv.exeQueuing.exeAmadey.exenbveek.exeQueuing.exeHYPE.exeQueuing.exeNoNameProc.exeSRT.exeSRT.exenbveek.exe

pid	process
4944	nbveek.exe
2112	loda.exe
2016	loda1.exe
340	nesto1.exe
3484	tanos.exe
400	love1.exe
3068	stown.exe
4880	nesto.exe
1128	stown3.exe
3768	blockSurrogatePerf.exe
1436	stown1.exe
2936	love.exe
2484	lebro.exe
1616	nbveek.exe
4824	tanos1.exe
4724	tanos.exe
2000	nesto.exe
2600	700K.exe
1208	RuntimeBroker.exe
3000	6666.exe
4064	file.exe
3544	SkuasFussily_2023-01-22_06-26.exe
3584	build.exe
2532	blackod.exe
1248	Engine.exe
3620	zaliv.exe
4228	Queuing.exe
2404	Amadey.exe
4292	nbveek.exe
3520	Queuing.exe
1128	HYPE.exe
4364	Queuing.exe
3916	NoNameProc.exe
1752	SRT.exe
3116	SRT.exe
4912	nbveek.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Engine.exe	upx
behavioral2/memory/1248-286-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/1248-331-0x0000000000400000-0x0000000000558000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000012001\stown1.exe	vmprotect
behavioral2/memory/1436-204-0x0000000000400000-0x0000000000920000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nbveek.exeSRT.exelove1.exeWScript.exenbveek.exeAmadey.exe6666.exebuild.exetmp.exenbveek.exeblockSurrogatePerf.exelebro.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SRT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	love1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Amadey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6666.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	blockSurrogatePerf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	lebro.exe

Loads dropped DLL 26 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeAppLaunch.exebuild.exerundll32.exerundll32.exerundll32.exeMessenger.exe.pifrundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1132	rundll32.exe
32	rundll32.exe
3288	rundll32.exe
2996	AppLaunch.exe
2996	AppLaunch.exe
3584	build.exe
3584	build.exe
2996	AppLaunch.exe
2996	AppLaunch.exe
2996	AppLaunch.exe
2996	AppLaunch.exe
2996	AppLaunch.exe
704	rundll32.exe
4164	rundll32.exe
4816	rundll32.exe
2940	Messenger.exe.pif
2940	Messenger.exe.pif
1268	rundll32.exe
1732	rundll32.exe
3772	rundll32.exe
3664	rundll32.exe
1372	rundll32.exe
2540	rundll32.exe
4496	rundll32.exe
4884	rundll32.exe
3104	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

loda.exeloda1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	loda1.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

SRT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	SRT.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SRT.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	SRT.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	SRT.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SRT.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nbveek.exenbveek.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tanos.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006051\\tanos.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000010051\\nesto.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tanos1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000017051\\tanos1.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tanos.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000001050\\tanos.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000002050\\nesto.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loda.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\loda.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005051\\nesto1.exe"	nbveek.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

127 freegeoip.app
129 freegeoip.app

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

flow	ioc
127	freegeoip.app
129	freegeoip.app

Suspicious use of SetThreadContext 4 IoCs

Processes:

blackod.exeQueuing.exe6666.exeSRT.exe

description	pid	process	target process
PID 2532 set thread context of 2996	2532	blackod.exe	AppLaunch.exe
PID 4228 set thread context of 4364	4228	Queuing.exe	Queuing.exe
PID 3000 set thread context of 2104	3000	6666.exe	InstallUtil.exe
PID 1752 set thread context of 3116	1752	SRT.exe	SRT.exe

Drops file in Program Files directory 10 IoCs

Processes:

blockSurrogatePerf.exe

description	ioc	process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\Windows Defender\9e8d7a4ca61bd9	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\lsass.exe	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\ee2ad38f3d4382	blockSurrogatePerf.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\9e8d7a4ca61bd9	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\6203df4a6bafc7	blockSurrogatePerf.exe
File created	C:\Program Files\Mozilla Firefox\csrss.exe	blockSurrogatePerf.exe
File created	C:\Program Files\Mozilla Firefox\886983d96e3d3e	blockSurrogatePerf.exe

Drops file in Windows directory 12 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\x86	AppLaunch.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\x64	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\DotNetZip.dll	AppLaunch.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\DotNetZip.dll	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.dll	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Newtonsoft.Json.dll	AppLaunch.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Newtonsoft.Json.dll	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\BouncyCastle.Crypto.dll	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\x64\SQLite.Interop.dll	AppLaunch.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.dll	AppLaunch.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\BouncyCastle.Crypto.dll	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\x86\SQLite.Interop.dll	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4112	340	WerFault.exe	nesto1.exe
4892	4880	WerFault.exe	nesto.exe
4556	32	WerFault.exe	rundll32.exe
3768	2000	WerFault.exe	nesto.exe
4644	3544	WerFault.exe	SkuasFussily_2023-01-22_06-26.exe
1552	4164	WerFault.exe	rundll32.exe
4500	1372	WerFault.exe	rundll32.exe
4140	3664	WerFault.exe	rundll32.exe
1480	2540	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeMessenger.exe.pifsvchost.exebuild.exeAppLaunch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Messenger.exe.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Messenger.exe.pif
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
820	schtasks.exe
8	schtasks.exe
5108	schtasks.exe
1872	schtasks.exe
4724	schtasks.exe
560	schtasks.exe
2400	schtasks.exe
2788	schtasks.exe
4444	schtasks.exe
4912	schtasks.exe
2324	schtasks.exe
484	schtasks.exe
1944	schtasks.exe
4644	schtasks.exe
2532	schtasks.exe
3736	schtasks.exe
1324	schtasks.exe
1100	schtasks.exe
2108	schtasks.exe
4500	schtasks.exe
2088	schtasks.exe
3524	schtasks.exe
2828	schtasks.exe
4980	schtasks.exe
3016	schtasks.exe
4892	schtasks.exe
5044	schtasks.exe
736	schtasks.exe
4740	schtasks.exe
4104	schtasks.exe
4392	schtasks.exe
2332	schtasks.exe
3248	schtasks.exe
4100	schtasks.exe
2268	schtasks.exe
3928	schtasks.exe
3396	schtasks.exe
4996	schtasks.exe
1272	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3824 timeout.exe
4288 timeout.exe

pid	process
3824	timeout.exe
4288	timeout.exe

Modifies registry class 4 IoCs

Processes:

love1.exeblockSurrogatePerf.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	love1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	blockSurrogatePerf.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{BF699E97-B83E-448A-A727-13AE66BC43AA}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{8D996AFE-C8A8-41CF-8936-A0D417796E30}	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loda.exeloda1.exeblockSurrogatePerf.exenesto1.exetanos.exestown.exenesto.exestown3.exestown1.exelove.exeRuntimeBroker.exetanos.exetanos1.exe6666.exe700K.exenesto.exepowershell.exezaliv.exepowershell.exeSkuasFussily_2023-01-22_06-26.exe

pid	process
2112	loda.exe
2112	loda.exe
2016	loda1.exe
2016	loda1.exe
3768	blockSurrogatePerf.exe
3768	blockSurrogatePerf.exe
3768	blockSurrogatePerf.exe
340	nesto1.exe
3484	tanos.exe
3768	blockSurrogatePerf.exe
3768	blockSurrogatePerf.exe
3484	tanos.exe
3768	blockSurrogatePerf.exe
3768	blockSurrogatePerf.exe
3768	blockSurrogatePerf.exe
3768	blockSurrogatePerf.exe
3068	stown.exe
340	nesto1.exe
4880	nesto.exe
1128	stown3.exe
3068	stown.exe
1128	stown3.exe
4880	nesto.exe
1436	stown1.exe
2936	love.exe
1436	stown1.exe
2936	love.exe
1208	RuntimeBroker.exe
4724	tanos.exe
4824	tanos1.exe
3000	6666.exe
2600	700K.exe
3000	6666.exe
2600	700K.exe
4724	tanos.exe
4824	tanos1.exe
2000	nesto.exe
2000	nesto.exe
3000	6666.exe
3000	6666.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1208	RuntimeBroker.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
2000	nesto.exe
2000	nesto.exe
3620	zaliv.exe
3620	zaliv.exe
3620	zaliv.exe
1212	powershell.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
3544	SkuasFussily_2023-01-22_06-26.exe
3544	SkuasFussily_2023-01-22_06-26.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

loda.exeloda1.exenesto1.exeblockSurrogatePerf.exenesto.exestown.exetanos.exestown3.exestown1.exelove.exeRuntimeBroker.exenesto.exe6666.exetanos.exetanos1.exe700K.exeAppLaunch.exeSkuasFussily_2023-01-22_06-26.exepowershell.exezaliv.exeQueuing.exepowershell.exeSRT.exeHYPE.exepowershell.exeInstallUtil.exeSRT.exe

description	pid	process
Token: SeDebugPrivilege	2112	loda.exe
Token: SeDebugPrivilege	2016	loda1.exe
Token: SeDebugPrivilege	340	nesto1.exe
Token: SeDebugPrivilege	3768	blockSurrogatePerf.exe
Token: SeDebugPrivilege	4880	nesto.exe
Token: SeDebugPrivilege	3068	stown.exe
Token: SeDebugPrivilege	3484	tanos.exe
Token: SeDebugPrivilege	1128	stown3.exe
Token: SeDebugPrivilege	1436	stown1.exe
Token: SeDebugPrivilege	2936	love.exe
Token: SeDebugPrivilege	1208	RuntimeBroker.exe
Token: SeDebugPrivilege	2000	nesto.exe
Token: SeDebugPrivilege	3000	6666.exe
Token: SeDebugPrivilege	4724	tanos.exe
Token: SeDebugPrivilege	4824	tanos1.exe
Token: SeDebugPrivilege	2600	700K.exe
Token: SeDebugPrivilege	2996	AppLaunch.exe
Token: SeDebugPrivilege	3544	SkuasFussily_2023-01-22_06-26.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	3620	zaliv.exe
Token: SeDebugPrivilege	4364	Queuing.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	1752	SRT.exe
Token: SeDebugPrivilege	1128	HYPE.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	2104	InstallUtil.exe
Token: SeDebugPrivilege	3116	SRT.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Messenger.exe.pif

pid process

2940 Messenger.exe.pif
2940 Messenger.exe.pif
2940 Messenger.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Messenger.exe.pif

pid process

2940 Messenger.exe.pif
2940 Messenger.exe.pif
2940 Messenger.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

488 OpenWith.exe

pid	process
2940	Messenger.exe.pif
2940	Messenger.exe.pif
2940	Messenger.exe.pif

pid	process
2940	Messenger.exe.pif
2940	Messenger.exe.pif
2940	Messenger.exe.pif

pid	process
488	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exenbveek.execmd.exelove1.exeWScript.execmd.exeblockSurrogatePerf.execmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 4944	2400	tmp.exe	nbveek.exe
PID 2400 wrote to memory of 4944	2400	tmp.exe	nbveek.exe
PID 2400 wrote to memory of 4944	2400	tmp.exe	nbveek.exe
PID 4944 wrote to memory of 5108	4944	nbveek.exe	schtasks.exe
PID 4944 wrote to memory of 5108	4944	nbveek.exe	schtasks.exe
PID 4944 wrote to memory of 5108	4944	nbveek.exe	schtasks.exe
PID 4944 wrote to memory of 736	4944	nbveek.exe	cmd.exe
PID 4944 wrote to memory of 736	4944	nbveek.exe	cmd.exe
PID 4944 wrote to memory of 736	4944	nbveek.exe	cmd.exe
PID 736 wrote to memory of 1080	736	cmd.exe	cmd.exe
PID 736 wrote to memory of 1080	736	cmd.exe	cmd.exe
PID 736 wrote to memory of 1080	736	cmd.exe	cmd.exe
PID 736 wrote to memory of 1712	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1712	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1712	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1100	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1100	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1100	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 760	736	cmd.exe	cmd.exe
PID 736 wrote to memory of 760	736	cmd.exe	cmd.exe
PID 736 wrote to memory of 760	736	cmd.exe	cmd.exe
PID 736 wrote to memory of 1452	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1452	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1452	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1244	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1244	736	cmd.exe	cacls.exe
PID 736 wrote to memory of 1244	736	cmd.exe	cacls.exe
PID 4944 wrote to memory of 2112	4944	nbveek.exe	loda.exe
PID 4944 wrote to memory of 2112	4944	nbveek.exe	loda.exe
PID 4944 wrote to memory of 2016	4944	nbveek.exe	loda1.exe
PID 4944 wrote to memory of 2016	4944	nbveek.exe	loda1.exe
PID 4944 wrote to memory of 340	4944	nbveek.exe	nesto1.exe
PID 4944 wrote to memory of 340	4944	nbveek.exe	nesto1.exe
PID 4944 wrote to memory of 340	4944	nbveek.exe	nesto1.exe
PID 4944 wrote to memory of 3484	4944	nbveek.exe	tanos.exe
PID 4944 wrote to memory of 3484	4944	nbveek.exe	tanos.exe
PID 4944 wrote to memory of 3484	4944	nbveek.exe	tanos.exe
PID 4944 wrote to memory of 400	4944	nbveek.exe	love1.exe
PID 4944 wrote to memory of 400	4944	nbveek.exe	love1.exe
PID 4944 wrote to memory of 400	4944	nbveek.exe	love1.exe
PID 400 wrote to memory of 3108	400	love1.exe	WScript.exe
PID 400 wrote to memory of 3108	400	love1.exe	WScript.exe
PID 400 wrote to memory of 3108	400	love1.exe	WScript.exe
PID 4944 wrote to memory of 3068	4944	nbveek.exe	stown.exe
PID 4944 wrote to memory of 3068	4944	nbveek.exe	stown.exe
PID 4944 wrote to memory of 3068	4944	nbveek.exe	stown.exe
PID 4944 wrote to memory of 4880	4944	nbveek.exe	nesto.exe
PID 4944 wrote to memory of 4880	4944	nbveek.exe	nesto.exe
PID 4944 wrote to memory of 4880	4944	nbveek.exe	nesto.exe
PID 3108 wrote to memory of 1784	3108	WScript.exe	cmd.exe
PID 3108 wrote to memory of 1784	3108	WScript.exe	cmd.exe
PID 3108 wrote to memory of 1784	3108	WScript.exe	cmd.exe
PID 4944 wrote to memory of 1128	4944	nbveek.exe	stown3.exe
PID 4944 wrote to memory of 1128	4944	nbveek.exe	stown3.exe
PID 4944 wrote to memory of 1128	4944	nbveek.exe	stown3.exe
PID 1784 wrote to memory of 3768	1784	cmd.exe	blockSurrogatePerf.exe
PID 1784 wrote to memory of 3768	1784	cmd.exe	blockSurrogatePerf.exe
PID 4944 wrote to memory of 1436	4944	nbveek.exe	stown1.exe
PID 4944 wrote to memory of 1436	4944	nbveek.exe	stown1.exe
PID 4944 wrote to memory of 1436	4944	nbveek.exe	stown1.exe
PID 3768 wrote to memory of 4240	3768	blockSurrogatePerf.exe	cmd.exe
PID 3768 wrote to memory of 4240	3768	blockSurrogatePerf.exe	cmd.exe
PID 4240 wrote to memory of 4348	4240	cmd.exe	w32tm.exe
PID 4240 wrote to memory of 4348	4240	cmd.exe	w32tm.exe

outlook_office_path 1 IoCs

Processes:

SRT.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe

outlook_win_path 1 IoCs

Processes:

SRT.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SRT.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\4b9a106e76" /P "Admin:N"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\4b9a106e76" /P "Admin:R" /E
      4⤵
      PID:1244
- - C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe
    "C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 1776
      4⤵
      Program crash
      PID:4112
- - C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\Users\Admin\AppData\Roaming\1000007000\love1.exe
    "C:\Users\Admin\AppData\Roaming\1000007000\love1.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitor\TiNJwSbj9xFjx5ES90J8DtcZF8KT.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msMonitor\u8AnLJCEqxCthiwBtq7.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe
        
        "C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j39d0C3Ug4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4348
        
        C:\Users\Default User\RuntimeBroker.exe
        
        "C:\Users\Default User\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
- - C:\Users\Admin\AppData\Local\Temp\1000009001\stown.exe
    "C:\Users\Admin\AppData\Local\Temp\1000009001\stown.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1424
      4⤵
      Program crash
      PID:4892
- - C:\Users\Admin\AppData\Local\Temp\1000011001\stown3.exe
    "C:\Users\Admin\AppData\Local\Temp\1000011001\stown3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\1000012001\stown1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000012001\stown1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Users\Admin\AppData\Local\Temp\1000016001\lebro.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\lebro.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      PID:1616
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:8
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:4400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2772
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        6⤵
        
        PID:4916
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        6⤵
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4964
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\9e0894bcc4" /P "Admin:N"
        6⤵
        
        PID:3128
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\9e0894bcc4" /P "Admin:R" /E
        6⤵
        
        PID:952
    - - C:\Users\Admin\AppData\Roaming\1000001050\tanos.exe
        
        "C:\Users\Admin\AppData\Roaming\1000001050\tanos.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
    - - C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe
        
        "C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1404
        6⤵
        Program crash
        
        PID:3768
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\6666.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\6666.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe" & exit
        7⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:4288
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:1080
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\1000008001\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\file.exe"
        5⤵
        Executes dropped EXE
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Engine.exe
        
        C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Engine.exe /TH_ID=_3848 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000008001\file.exe"
        6⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\CmD.exe
        
        C:\Windows\system32\CmD.exe /c cmd < 0
        7⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\SysWOW64\certutil.exe
        
        certutil -decode 1 1ndOMtR
        9⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^qOigjsNdreTQUljPApYjtIwjrRFwQSdFnXSlDNjikSWiqqWczkiVuTtsNUlxLLmlLhsWawkMWQwjMTjeVlIELcmFSBbICSc$" 1ndOMtR
        9⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tpbfqs44.jif\16686\Messenger.exe.pif
        
        16686\\Messenger.exe.pif 16686\\b
        9⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\tpbfqs44.jif\16686\Messenger.exe.pif" & exit
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\1000010001\SkuasFussily_2023-01-22_06-26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\SkuasFussily_2023-01-22_06-26.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1444
        6⤵
        Program crash
        
        PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\1000011001\blackod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000011001\blackod.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2532
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\1000012001\zaliv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000012001\zaliv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe
        6⤵
        Executes dropped EXE
        
        PID:3520
      - C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2404
      - C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c1e3594748" /P "Admin:N"&&CACLS "..\c1e3594748" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c1e3594748" /P "Admin:N"
        8⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c1e3594748" /P "Admin:R" /E
        8⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\1000020001\NoNameProc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000020001\NoNameProc.exe"
        7⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\1000026001\SRT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000026001\SRT.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\1000026001\SRT.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000026001\SRT.exe
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3116
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:1268
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        8⤵
        Loads dropped DLL
        
        PID:3664
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3664 -s 688
        9⤵
        Program crash
        
        PID:4140
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:1732
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        8⤵
        Loads dropped DLL
        
        PID:1372
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1372 -s 680
        9⤵
        Program crash
        
        PID:4500
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:3772
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        8⤵
        Loads dropped DLL
        
        PID:2540
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2540 -s 680
        9⤵
        Program crash
        
        PID:1480
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4496
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:3104
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\1000016001\HYPE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000016001\HYPE.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:704
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4164 -s 680
        7⤵
        Program crash
        
        PID:1552
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4816
- - C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1132
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:32
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 32 -s 680
        5⤵
        Program crash
        
        PID:4556
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "stowns" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\stown.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "stown" /sc ONLOGON /tr "'C:\Users\Public\Libraries\stown.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "stowns" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\stown.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nbveekn" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\nbveek.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nbveek" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\nbveek.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nbveekn" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\nbveek.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 340 -ip 340
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4880 -ip 4880
1⤵
PID:4924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 32 -ip 32
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2000 -ip 2000
1⤵
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3544 -ip 3544
1⤵
PID:4412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4164 -ip 4164
1⤵
PID:3488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1372 -ip 1372
1⤵
PID:1324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3664 -ip 3664
1⤵
PID:3168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 2540 -ip 2540
1⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
1⤵
- Executes dropped EXE
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nesto.exe.log

Filesize
2KB

MD5
454585c01f02a638f91f17093d80f595

SHA1
222ae17940da3f48360ca391e2d0d23e762d207d

SHA256
cb76f24c65f25d5dda9b4c000a4f4223205b32a5ea0571aab5233192d7e4a47c

SHA512
f4cc62375b04dfc6abc6265a2cc7dc88883b57a508f882b46080fcae7b1a4339be145d7983dd297b4ef6d77065ec6ede86c9b64a7f39254c562cb204151cf4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tanos.exe.log

Filesize
2KB

MD5
c89455577734b863a447e44a57dd60ea

SHA1
82530ad7e337b4c866beb8e9f1d0e2e0011ed8bc

SHA256
bfa39bf8f525794b4bd761834f5e475752a899f7d707932ec4561d656dcbdd70

SHA512
bdc2adacc8c447129bd5ad9d4e3cd965ad7e1fd1d7ed6d1e4d92159761c6e1e83a5b30226002dedbacfcd0ccca48d49a1be895c6b2ce73dadf0d89118be72de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe

Filesize
175KB

MD5
10fc0e201418375882eeef47dba6b6d8

SHA1
bbdc696eb27fb2367e251db9b0fae64a0a58b0d0

SHA256
b6dcda3b84e6561d582db25fdbdbcd6ddb350579899817122d08dfdb6c8fd2a3

SHA512
746b1f7c7f6e841bdbe308c34ed20e2cf48a757a70f97e6f37903f3ec0aa0c8d944cc75648109a6594839df0e3858ba84177d2fa3cc6398f39656c6421df2ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe

Filesize
175KB

MD5
10fc0e201418375882eeef47dba6b6d8

SHA1
bbdc696eb27fb2367e251db9b0fae64a0a58b0d0

SHA256
b6dcda3b84e6561d582db25fdbdbcd6ddb350579899817122d08dfdb6c8fd2a3

SHA512
746b1f7c7f6e841bdbe308c34ed20e2cf48a757a70f97e6f37903f3ec0aa0c8d944cc75648109a6594839df0e3858ba84177d2fa3cc6398f39656c6421df2ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\6666.exe

Filesize
1.4MB

MD5
5e2be23afdb89522040e8c773feaa086

SHA1
901060646e2bcc9ee98ca35b3489026f08bf1c2e

SHA256
ac36e4bd21762b111edf4758873dfb1697462e7b08f19f27c0b43fb1186a93d1

SHA512
1554b7660f6a5c9992f2924b8f71456e6e1895b1adc5faebe07921e33fdd139eb437e840926ad1d385e1470a6c2fe9462fef0aa5cceecde1cbae5fe4be3a9f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\6666.exe

Filesize
1.4MB

MD5
5e2be23afdb89522040e8c773feaa086

SHA1
901060646e2bcc9ee98ca35b3489026f08bf1c2e

SHA256
ac36e4bd21762b111edf4758873dfb1697462e7b08f19f27c0b43fb1186a93d1

SHA512
1554b7660f6a5c9992f2924b8f71456e6e1895b1adc5faebe07921e33fdd139eb437e840926ad1d385e1470a6c2fe9462fef0aa5cceecde1cbae5fe4be3a9f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe

Filesize
304KB

MD5
f6f68bdd7a636e4c31cb802431c3625a

SHA1
ca371f3a8a949fd8e908875428099dffa0861b0c

SHA256
8baccea3ec81ad831a664be31237602a918799791c947f648eb38d440ff36ca1

SHA512
7f26576728571c8f6317005430b121af4f253f9bfb5bd22da39f5a3a5c5b0eca24cc364527ef9db050cc7882e56f655913a3d9cf32cae6076aa7b9ec1d3033a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe

Filesize
304KB

MD5
f6f68bdd7a636e4c31cb802431c3625a

SHA1
ca371f3a8a949fd8e908875428099dffa0861b0c

SHA256
8baccea3ec81ad831a664be31237602a918799791c947f648eb38d440ff36ca1

SHA512
7f26576728571c8f6317005430b121af4f253f9bfb5bd22da39f5a3a5c5b0eca24cc364527ef9db050cc7882e56f655913a3d9cf32cae6076aa7b9ec1d3033a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\file.exe

Filesize
1.6MB

MD5
03a38a4f7028eed8a98ff55c5f8371f4

SHA1
3c2742e3859fc39fcdd24b15ccd1640ea46eae7c

SHA256
8afcb3f3285302dd4626c554fcc060d5caf828f2b86f5914eb91e7b2d27141c2

SHA512
2f1f98d81371eb909693481166ed8d9eaa31a1db860266019f9af403714b633c78f2c0bb84e1283a813d1e92b376ff75de24175056694d7eeae00f8893a86eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\file.exe

Filesize
1.6MB

MD5
03a38a4f7028eed8a98ff55c5f8371f4

SHA1
3c2742e3859fc39fcdd24b15ccd1640ea46eae7c

SHA256
8afcb3f3285302dd4626c554fcc060d5caf828f2b86f5914eb91e7b2d27141c2

SHA512
2f1f98d81371eb909693481166ed8d9eaa31a1db860266019f9af403714b633c78f2c0bb84e1283a813d1e92b376ff75de24175056694d7eeae00f8893a86eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\stown.exe

Filesize
175KB

MD5
380c7f5b9f380e12d091c0f3a45b7499

SHA1
b4c56c293ef9cba73b0451457a3e6689e9981e10

SHA256
f2c8e305017b517b148ab331202abb26fe518779f2630926ceaf48ccf7c4d795

SHA512
d962e284d546730f60f3f2d3b94a4654cd0ad6b7ba7edc08b5f8f4a3c5f6b183dc64c713484a83c905d3209e1ee1468ff3e19d2fbc021bee8d30e90a2f7bfce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\stown.exe

Filesize
175KB

MD5
380c7f5b9f380e12d091c0f3a45b7499

SHA1
b4c56c293ef9cba73b0451457a3e6689e9981e10

SHA256
f2c8e305017b517b148ab331202abb26fe518779f2630926ceaf48ccf7c4d795

SHA512
d962e284d546730f60f3f2d3b94a4654cd0ad6b7ba7edc08b5f8f4a3c5f6b183dc64c713484a83c905d3209e1ee1468ff3e19d2fbc021bee8d30e90a2f7bfce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\SkuasFussily_2023-01-22_06-26.exe

Filesize
306KB

MD5
7a02cac061509ebec49b26f72dc7ec3c

SHA1
ba8f67519eb7e0d1a19234868318d06408007c91

SHA256
99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf

SHA512
739ec4da0828770e944a40fd2e22bb27c1f6858d8e68d169375e60129008a7cc038aa0634697022b4a9154c72efad8ba2e6c8c98e1b2def94c033a6927adb246

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\SkuasFussily_2023-01-22_06-26.exe

Filesize
306KB

MD5
7a02cac061509ebec49b26f72dc7ec3c

SHA1
ba8f67519eb7e0d1a19234868318d06408007c91

SHA256
99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf

SHA512
739ec4da0828770e944a40fd2e22bb27c1f6858d8e68d169375e60129008a7cc038aa0634697022b4a9154c72efad8ba2e6c8c98e1b2def94c033a6927adb246

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe

Filesize
304KB

MD5
f6f68bdd7a636e4c31cb802431c3625a

SHA1
ca371f3a8a949fd8e908875428099dffa0861b0c

SHA256
8baccea3ec81ad831a664be31237602a918799791c947f648eb38d440ff36ca1

SHA512
7f26576728571c8f6317005430b121af4f253f9bfb5bd22da39f5a3a5c5b0eca24cc364527ef9db050cc7882e56f655913a3d9cf32cae6076aa7b9ec1d3033a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe

Filesize
304KB

MD5
f6f68bdd7a636e4c31cb802431c3625a

SHA1
ca371f3a8a949fd8e908875428099dffa0861b0c

SHA256
8baccea3ec81ad831a664be31237602a918799791c947f648eb38d440ff36ca1

SHA512
7f26576728571c8f6317005430b121af4f253f9bfb5bd22da39f5a3a5c5b0eca24cc364527ef9db050cc7882e56f655913a3d9cf32cae6076aa7b9ec1d3033a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\blackod.exe

Filesize
656KB

MD5
9e293c7f0e106f4398b5e90904ed7b80

SHA1
0d37fda9b04dcc51ffcb64acdfb1c511040afd15

SHA256
a7104ec424527d1262563b0d62d935fdaec4a1b47e7f0c10d4263e28421cb211

SHA512
5ba4c5ddc72c0bf24c4312642168dad9f46ef01e559a0f607e9eb5091bc2fdb471948b78b428fd5bc2c14e0a1e5603757563fc9e4540a366567ae4647b73d42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\blackod.exe

Filesize
656KB

MD5
9e293c7f0e106f4398b5e90904ed7b80

SHA1
0d37fda9b04dcc51ffcb64acdfb1c511040afd15

SHA256
a7104ec424527d1262563b0d62d935fdaec4a1b47e7f0c10d4263e28421cb211

SHA512
5ba4c5ddc72c0bf24c4312642168dad9f46ef01e559a0f607e9eb5091bc2fdb471948b78b428fd5bc2c14e0a1e5603757563fc9e4540a366567ae4647b73d42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\stown3.exe

Filesize
175KB

MD5
97956e63f5d77b8ddcbed50c7765b4cd

SHA1
8ee827295bc46f51acf4c3e6472cb86b71ddb9c7

SHA256
22363b9b60f638b72c1f6b12d9ee1d8046fc208247fbde7ab7ac144bf489e415

SHA512
6683249d040803e1d0b21c3e8b097081a38aa16ab05343657f6164e4ed45ace28d328f3055e15c95881b3a39899f0e27e886dedfdae2bec505f00b3c9bc6719c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\stown3.exe

Filesize
175KB

MD5
97956e63f5d77b8ddcbed50c7765b4cd

SHA1
8ee827295bc46f51acf4c3e6472cb86b71ddb9c7

SHA256
22363b9b60f638b72c1f6b12d9ee1d8046fc208247fbde7ab7ac144bf489e415

SHA512
6683249d040803e1d0b21c3e8b097081a38aa16ab05343657f6164e4ed45ace28d328f3055e15c95881b3a39899f0e27e886dedfdae2bec505f00b3c9bc6719c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\stown1.exe

Filesize
3.4MB

MD5
b00fe17fccad1c5f877029217da5c175

SHA1
344bf3f57c4742d789df1df6c0f89a8bfef93a1a

SHA256
960adba1385780365bed7eded36309aba3f0fa281f304900abd1e381a3f78fbe

SHA512
fe536d67ab141e735912ab6fd2e5bc02cefd003b1144fcffd8a277573d96e13bae672857044dcd6902178408a0f0abae081aa02b7c851b5de2c61daea02f2f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\zaliv.exe

Filesize
175KB

MD5
d9afb5ed2af021b28d6f170c4e55f5d3

SHA1
1de9f1e4da3c4ebae2cf6530c64aef85a6387b83

SHA256
dc2dc27d81ef9cb77360636ef4eb3f9c25908b7d310e66462cf4f44fe988d3e9

SHA512
6089221ef80a0a73d7f8009487a0bf9d71cba92b09c908447758cb5cc0458cbbc7ae64145e413d300e917b757917815a29597714f9d03b41e9c93fa757c1bc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\zaliv.exe

Filesize
175KB

MD5
d9afb5ed2af021b28d6f170c4e55f5d3

SHA1
1de9f1e4da3c4ebae2cf6530c64aef85a6387b83

SHA256
dc2dc27d81ef9cb77360636ef4eb3f9c25908b7d310e66462cf4f44fe988d3e9

SHA512
6089221ef80a0a73d7f8009487a0bf9d71cba92b09c908447758cb5cc0458cbbc7ae64145e413d300e917b757917815a29597714f9d03b41e9c93fa757c1bc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe

Filesize
1.1MB

MD5
40a81e2582d0f0cd16d825e8c6987d41

SHA1
3314490e813da670bb7fc8cf597a7cc1f788a0ad

SHA256
6b1a578029ffe5eaf8260fdefc54426eebb6218ec12c3af5ed74227e312f85e2

SHA512
eaaf320ca020da01f4f41bb632fc6083abceafe68925167310c12275bdfef8877cd45a2c6d37ddbb6d803d931b64126869d6e366efcd1f50128f2cfb9abc3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\Queuing.exe

Filesize
1.1MB

MD5
40a81e2582d0f0cd16d825e8c6987d41

SHA1
3314490e813da670bb7fc8cf597a7cc1f788a0ad

SHA256
6b1a578029ffe5eaf8260fdefc54426eebb6218ec12c3af5ed74227e312f85e2

SHA512
eaaf320ca020da01f4f41bb632fc6083abceafe68925167310c12275bdfef8877cd45a2c6d37ddbb6d803d931b64126869d6e366efcd1f50128f2cfb9abc3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe

Filesize
175KB

MD5
68e8e72cf791f738b1574ae25bcbd45b

SHA1
47b58f095e0beefa1caaba7ec7e8d609ee7e3d1f

SHA256
3aa8e492247c9bc7c9a3dec184e09cc407bbc98683d9646ed984a372fd0958a9

SHA512
5f002166f3bb935dd3bfc5c604104d0249b0e378ec370e49efa313b95ff9ba910389448e6c3e124d539aa563af4d727d9e31a4542b9a610fb07fdb4bded10e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe

Filesize
175KB

MD5
68e8e72cf791f738b1574ae25bcbd45b

SHA1
47b58f095e0beefa1caaba7ec7e8d609ee7e3d1f

SHA256
3aa8e492247c9bc7c9a3dec184e09cc407bbc98683d9646ed984a372fd0958a9

SHA512
5f002166f3bb935dd3bfc5c604104d0249b0e378ec370e49efa313b95ff9ba910389448e6c3e124d539aa563af4d727d9e31a4542b9a610fb07fdb4bded10e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe

Filesize
246KB

MD5
9adcb26071e8018dc0b576b39acb980e

SHA1
d0f48a5761efbb38a4d195c69d6382b9e9748ed6

SHA256
083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf

SHA512
679044773e02c6fff42387da8ba252058eb1462015011a455cc147952598e9df3a4a47af31fa71daa3f31175fa14f34d4b56d01740c8c38a7d09fb007779280f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\lebro.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\lebro.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
6779cd6f17fa7536c4490cc6d72a00a0

SHA1
2976ecc0ecc2800be22fa92868c2173a44e04ee0

SHA256
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

SHA512
88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
6779cd6f17fa7536c4490cc6d72a00a0

SHA1
2976ecc0ecc2800be22fa92868c2173a44e04ee0

SHA256
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

SHA512
88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\00000#0

Filesize
14KB

MD5
7f1c97ca56aa248490a4e7532acf54a0

SHA1
153a8cfd487f389912bc021118c43ae0b27592c7

SHA256
d784d251df25d1435cdf61066add17c6d3975def83824c364f6100e8b5b29da5

SHA512
7b52e7a2cf46bf4dc181b1d5d99af5050b572bdf7d11bccbbc00f114d60bea5bd5a69a480344eff67305a67ce37c35c06b906afca06ba805d56dd05237c68c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\00001#1

Filesize
1.2MB

MD5
b45943e138c555a60c0363306a8cf2c0

SHA1
d59c9085b9b51b167ea85ee5fffcc5573835433e

SHA256
20c0d9cd3dbe8511d9ae3052702a5632dc848ff61e0cd46e78f63c77b4968a15

SHA512
1b19e0bc504181633400b717680cc1cdad71740494f9112d914c718a207e041ddecd016c6d99b07350db67596488a52f36a8ddb04e4188b6e8a492fb3fa3b35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\00002#45

Filesize
1.1MB

MD5
2c9b535b241734427abad8f3ac90d3a1

SHA1
de1f286e42cbed66cb2ad2b79dee8a99952a6e91

SHA256
1d3faea0e1197f3f00f0db56f7a64873cc9cb62ebf242443bb8eb110bfed0a26

SHA512
e0c7dba0ba83583991168b3d68aa9c73ac491c1bb53f2d339f622837cfaafe0020f63679de9dd72479f549553f0f1c215ebb30a51b9fd5cc24330cdc53336044

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Engine.exe

Filesize
392KB

MD5
debfb007af59891f08aaa75bff0e0df0

SHA1
cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

SHA256
e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

SHA512
1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Engine.exe

Filesize
392KB

MD5
debfb007af59891f08aaa75bff0e0df0

SHA1
cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

SHA256
e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

SHA512
1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35864\Setup.txt

Filesize
2KB

MD5
6033f45a5030bd4dd1c228cef5b4aebb

SHA1
c930d9d298dcba91ee2216b8e4f7f39c20e06a8a

SHA256
8b160584f97c0fd3536589af296341ffdf88c5b67da7f2cae20d81ffb67b2128

SHA512
cc64939e746e1e5714957d42a15caabe309d9e213e33100d91956c1fed68a57981b9a2893e7080ca281f21dbb121051220e09a0358a0bbabf9fbab20eec4a848

Download Submit
C:\Users\Admin\AppData\Local\Temp\j39d0C3Ug4.bat

Filesize
204B

MD5
562eecbd7e5a76a9f7fafa90326bdf8c

SHA1
e686e5877e679f923d14473f7a9d095ff87ab754

SHA256
2d7e3677eab63d939674a3b0086a2d609f1f40b8ca930fa75efce97a26efa832

SHA512
cfb77c039e0d495178347a57a25cdd9617537ea10625305095069812a24d7f51c51f1d7a7b096b3ce245ce82dc043d8fa90be94e1aafeecedf93621b2a417317

Download Submit
C:\Users\Admin\AppData\Roaming\1000001050\tanos.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Roaming\1000001050\tanos.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe

Filesize
304KB

MD5
f6f68bdd7a636e4c31cb802431c3625a

SHA1
ca371f3a8a949fd8e908875428099dffa0861b0c

SHA256
8baccea3ec81ad831a664be31237602a918799791c947f648eb38d440ff36ca1

SHA512
7f26576728571c8f6317005430b121af4f253f9bfb5bd22da39f5a3a5c5b0eca24cc364527ef9db050cc7882e56f655913a3d9cf32cae6076aa7b9ec1d3033a1

Download Submit
C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe

Filesize
304KB

MD5
f6f68bdd7a636e4c31cb802431c3625a

SHA1
ca371f3a8a949fd8e908875428099dffa0861b0c

SHA256
8baccea3ec81ad831a664be31237602a918799791c947f648eb38d440ff36ca1

SHA512
7f26576728571c8f6317005430b121af4f253f9bfb5bd22da39f5a3a5c5b0eca24cc364527ef9db050cc7882e56f655913a3d9cf32cae6076aa7b9ec1d3033a1

Download Submit
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe

Filesize
1.5MB

MD5
2c289507bcd526b692b833e345b0a3b9

SHA1
648c51af0d0e85f9fd4fa30f2266c2b1dedf37b2

SHA256
5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459

SHA512
46433a563526e7213b6d1cb0d8c8e441bc762c3acaff22a976a8c9463ee3f2ffa5a387b200fa9cfc2fbab234cc6f934508754e5f4cc5ba3a0c3dee2ab1d925ad

Download Submit
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe

Filesize
1.5MB

MD5
2c289507bcd526b692b833e345b0a3b9

SHA1
648c51af0d0e85f9fd4fa30f2266c2b1dedf37b2

SHA256
5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459

SHA512
46433a563526e7213b6d1cb0d8c8e441bc762c3acaff22a976a8c9463ee3f2ffa5a387b200fa9cfc2fbab234cc6f934508754e5f4cc5ba3a0c3dee2ab1d925ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe

Filesize
337KB

MD5
9c45dcc78f46652a09a7848f603d63cb

SHA1
890904897ac3821288e794d985f66a3ed8c655af

SHA256
92ef1c4559871dd4b3741302675ea3095e6e9e699ad6b3868ffb4564c402b4a9

SHA512
51ad2c60af240aae0c809f6ea6cf79c9e0ae31944596e3cda0b4e94b997e4f07b4d39d3569ff6274266d345017910d1695c2032903c66b79812ed9dbcf946314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe

Filesize
337KB

MD5
9c45dcc78f46652a09a7848f603d63cb

SHA1
890904897ac3821288e794d985f66a3ed8c655af

SHA256
92ef1c4559871dd4b3741302675ea3095e6e9e699ad6b3868ffb4564c402b4a9

SHA512
51ad2c60af240aae0c809f6ea6cf79c9e0ae31944596e3cda0b4e94b997e4f07b4d39d3569ff6274266d345017910d1695c2032903c66b79812ed9dbcf946314

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\TiNJwSbj9xFjx5ES90J8DtcZF8KT.vbe

Filesize
212B

MD5
d357375a914faa460a20062143ad0f94

SHA1
6693d198b165b8229cdf540d8f9dc13ea51e7da2

SHA256
8bb53e94a27426cf4be6cbbdaf8e31e4d50f9f652f8d6d44be0a272d40e47ecb

SHA512
c0835de7030400d54932273ceb04aca0d993b719b47696e4cab9db05b72e396a46cb9113aa6f36057fc11f5816fe5ab01674b15200dc292dde49884fb0fdb191

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\u8AnLJCEqxCthiwBtq7.bat

Filesize
44B

MD5
246308a337932eb9ec6667a0550af40d

SHA1
39f0c6c527ba808983284b892a60ec56eff06dc3

SHA256
9d4f20be2fa692acc95bad7ec641ec73f71e61ccc92496acf82daa464eee2442

SHA512
44d55057db867db7bb5cf3e5616d339835f95d995bd40caffd17454bd9855a27801eda487569da02c8542a6b263d3f8be57b841c3bbf31ed908fb822f7135d95

Download Submit
C:\Users\Default User\RuntimeBroker.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Users\Default\RuntimeBroker.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
memory/8-221-0x0000000000000000-mapping.dmp

Download
memory/32-318-0x0000000000000000-mapping.dmp

Download
memory/340-167-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/340-199-0x0000000002FAB000-0x0000000002FD9000-memory.dmp

Filesize
184KB

Download
memory/340-200-0x0000000008C90000-0x0000000008E52000-memory.dmp

Filesize
1.8MB

Download
memory/340-201-0x0000000008E70000-0x000000000939C000-memory.dmp

Filesize
5.2MB

Download
memory/340-165-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/340-164-0x0000000002F10000-0x0000000002F5B000-memory.dmp

Filesize
300KB

Download
memory/340-240-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/340-192-0x00000000082A0000-0x0000000008306000-memory.dmp

Filesize
408KB

Download
memory/340-163-0x0000000002FAB000-0x0000000002FD9000-memory.dmp

Filesize
184KB

Download
memory/340-152-0x0000000000000000-mapping.dmp

Download
memory/340-236-0x0000000002FAB000-0x0000000002FD9000-memory.dmp

Filesize
184KB

Download
memory/400-166-0x0000000000000000-mapping.dmp

Download
memory/736-136-0x0000000000000000-mapping.dmp

Download
memory/760-140-0x0000000000000000-mapping.dmp

Download
memory/952-228-0x0000000000000000-mapping.dmp

Download
memory/1080-137-0x0000000000000000-mapping.dmp

Download
memory/1080-277-0x0000000000000000-mapping.dmp

Download
memory/1100-139-0x0000000000000000-mapping.dmp

Download
memory/1128-312-0x00000000000E0000-0x0000000000112000-memory.dmp

Filesize
200KB

Download
memory/1128-311-0x0000000000000000-mapping.dmp

Download
memory/1128-183-0x0000000000000000-mapping.dmp

Download
memory/1128-186-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/1132-316-0x0000000000000000-mapping.dmp

Download
memory/1208-246-0x0000000000000000-mapping.dmp

Download
memory/1208-249-0x00007FFFCEA40000-0x00007FFFCF501000-memory.dmp

Filesize
10.8MB

Download
memory/1208-305-0x00007FFFCEA40000-0x00007FFFCF501000-memory.dmp

Filesize
10.8MB

Download
memory/1212-301-0x0000000002250000-0x0000000002286000-memory.dmp

Filesize
216KB

Download
memory/1212-323-0x0000000006110000-0x00000000061A6000-memory.dmp

Filesize
600KB

Download
memory/1212-324-0x0000000006090000-0x00000000060AA000-memory.dmp

Filesize
104KB

Download
memory/1212-306-0x0000000004DE0000-0x0000000004E02000-memory.dmp

Filesize
136KB

Download
memory/1212-328-0x00000000060E0000-0x0000000006102000-memory.dmp

Filesize
136KB

Download
memory/1212-308-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/1212-302-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/1212-314-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/1244-142-0x0000000000000000-mapping.dmp

Download
memory/1248-286-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1248-278-0x0000000000000000-mapping.dmp

Download
memory/1248-331-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1436-204-0x0000000000400000-0x0000000000920000-memory.dmp

Filesize
5.1MB

Download
memory/1436-202-0x0000000000000000-mapping.dmp

Download
memory/1452-141-0x0000000000000000-mapping.dmp

Download
memory/1616-218-0x0000000000000000-mapping.dmp

Download
memory/1712-138-0x0000000000000000-mapping.dmp

Download
memory/1784-182-0x0000000000000000-mapping.dmp

Download
memory/2000-237-0x0000000000000000-mapping.dmp

Download
memory/2000-257-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/2000-333-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/2000-330-0x0000000002DAA000-0x0000000002DD8000-memory.dmp

Filesize
184KB

Download
memory/2000-315-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/2000-309-0x0000000002DAA000-0x0000000002DD8000-memory.dmp

Filesize
184KB

Download
memory/2000-251-0x0000000002DAA000-0x0000000002DD8000-memory.dmp

Filesize
184KB

Download
memory/2016-151-0x00007FFFCEB80000-0x00007FFFCF641000-memory.dmp

Filesize
10.8MB

Download
memory/2016-180-0x00007FFFCEB80000-0x00007FFFCF641000-memory.dmp

Filesize
10.8MB

Download
memory/2016-147-0x0000000000000000-mapping.dmp

Download
memory/2104-362-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2104-295-0x0000000000000000-mapping.dmp

Download
memory/2112-150-0x00007FFFCEB80000-0x00007FFFCF641000-memory.dmp

Filesize
10.8MB

Download
memory/2112-143-0x0000000000000000-mapping.dmp

Download
memory/2112-146-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2112-179-0x00007FFFCEB80000-0x00007FFFCF641000-memory.dmp

Filesize
10.8MB

Download
memory/2404-303-0x0000000000000000-mapping.dmp

Download
memory/2432-320-0x0000000000000000-mapping.dmp

Download
memory/2484-215-0x0000000000000000-mapping.dmp

Download
memory/2532-268-0x0000000000000000-mapping.dmp

Download
memory/2600-242-0x0000000000000000-mapping.dmp

Download
memory/2600-245-0x0000000000D90000-0x0000000000DC2000-memory.dmp

Filesize
200KB

Download
memory/2636-322-0x0000000000000000-mapping.dmp

Download
memory/2772-223-0x0000000000000000-mapping.dmp

Download
memory/2796-225-0x0000000000000000-mapping.dmp

Download
memory/2936-211-0x0000000000000000-mapping.dmp

Download
memory/2936-214-0x0000000000F80000-0x0000000000FB2000-memory.dmp

Filesize
200KB

Download
memory/2996-271-0x0000000000000000-mapping.dmp

Download
memory/2996-272-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2996-352-0x0000000006F00000-0x0000000006FB0000-memory.dmp

Filesize
704KB

Download
memory/3000-255-0x00000000000C0000-0x0000000000230000-memory.dmp

Filesize
1.4MB

Download
memory/3000-262-0x00000000065C0000-0x00000000065CA000-memory.dmp

Filesize
40KB

Download
memory/3000-250-0x0000000000000000-mapping.dmp

Download
memory/3000-256-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/3068-174-0x0000000000F30000-0x0000000000F62000-memory.dmp

Filesize
200KB

Download
memory/3068-170-0x0000000000000000-mapping.dmp

Download
memory/3108-171-0x0000000000000000-mapping.dmp

Download
memory/3116-372-0x0000000140000000-0x0000000140098000-memory.dmp

Filesize
608KB

Download
memory/3128-227-0x0000000000000000-mapping.dmp

Download
memory/3288-319-0x0000000000000000-mapping.dmp

Download
memory/3296-291-0x0000000000000000-mapping.dmp

Download
memory/3484-198-0x00000000067E0000-0x0000000006830000-memory.dmp

Filesize
320KB

Download
memory/3484-159-0x0000000005CA0000-0x00000000062B8000-memory.dmp

Filesize
6.1MB

Download
memory/3484-155-0x0000000000000000-mapping.dmp

Download
memory/3484-158-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/3484-191-0x0000000005AB0000-0x0000000005B42000-memory.dmp

Filesize
584KB

Download
memory/3484-197-0x0000000006760000-0x00000000067D6000-memory.dmp

Filesize
472KB

Download
memory/3484-160-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/3484-161-0x0000000005720000-0x0000000005732000-memory.dmp

Filesize
72KB

Download
memory/3484-162-0x0000000005780000-0x00000000057BC000-memory.dmp

Filesize
240KB

Download
memory/3544-261-0x0000000000000000-mapping.dmp

Download
memory/3544-293-0x0000000004810000-0x000000000485B000-memory.dmp

Filesize
300KB

Download
memory/3544-296-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/3544-292-0x0000000002CBE000-0x0000000002CEC000-memory.dmp

Filesize
184KB

Download
memory/3544-347-0x0000000002CBE000-0x0000000002CEC000-memory.dmp

Filesize
184KB

Download
memory/3584-332-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3584-265-0x0000000000000000-mapping.dmp

Download
memory/3620-284-0x00000000002C0000-0x00000000002F2000-memory.dmp

Filesize
200KB

Download
memory/3620-281-0x0000000000000000-mapping.dmp

Download
memory/3768-190-0x0000000000310000-0x0000000000444000-memory.dmp

Filesize
1.2MB

Download
memory/3768-193-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp

Filesize
10.8MB

Download
memory/3768-194-0x000000001C7B0000-0x000000001C800000-memory.dmp

Filesize
320KB

Download
memory/3768-187-0x0000000000000000-mapping.dmp

Download
memory/3768-208-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-294-0x0000000000000000-mapping.dmp

Download
memory/4064-258-0x0000000000000000-mapping.dmp

Download
memory/4228-300-0x0000000000040000-0x0000000000158000-memory.dmp

Filesize
1.1MB

Download
memory/4228-297-0x0000000000000000-mapping.dmp

Download
memory/4240-207-0x0000000000000000-mapping.dmp

Download
memory/4292-307-0x0000000000000000-mapping.dmp

Download
memory/4348-210-0x0000000000000000-mapping.dmp

Download
memory/4364-329-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4364-325-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4364-326-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4364-327-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4400-222-0x0000000000000000-mapping.dmp

Download
memory/4644-310-0x0000000000000000-mapping.dmp

Download
memory/4660-313-0x0000000000000000-mapping.dmp

Download
memory/4668-321-0x0000000000000000-mapping.dmp

Download
memory/4724-232-0x0000000000000000-mapping.dmp

Download
memory/4824-229-0x0000000000000000-mapping.dmp

Download
memory/4880-196-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/4880-176-0x0000000000000000-mapping.dmp

Download
memory/4880-195-0x0000000002CFA000-0x0000000002D28000-memory.dmp

Filesize
184KB

Download
memory/4880-241-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/4916-224-0x0000000000000000-mapping.dmp

Download
memory/4944-132-0x0000000000000000-mapping.dmp

Download
memory/4964-226-0x0000000000000000-mapping.dmp

Download
memory/4992-317-0x0000000000000000-mapping.dmp

Download
memory/5108-135-0x0000000000000000-mapping.dmp

Download