snakekeylogger | d59e0227f0df4944cfa157554ef86a131e2b5d9a1d3983780e0022b98f1d42f4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2023, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nº 64494.pif.exe
Size

1.4MB
MD5

b80d0cbf82ce5e7e3ed00a0e671872bd
SHA1

c4bf9168ee8f5894d543d429dd5c5df0a3984bd6
SHA256

d59e0227f0df4944cfa157554ef86a131e2b5d9a1d3983780e0022b98f1d42f4
SHA512

e7459de3d39ae540615f163b6908cba8dcd1daf3981e70682a8a32ec4db83abae1b49be2095ab03379693523fbf2f0ae83ad79c4fde4050bb3fedb8a9dbc2681
SSDEEP

24576:DTbBv5rUDwcywHlqk0DfO4AJaFDKvMrBW4ey2Tygt90e+hoxk08:dB1cL09rOYovMr8Maygt+H08

Score

10^/10

snakekeylogger stormkitty keylogger persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.rampelloelectricidad.com
Port:
587
Username:
[email protected]
Password:
raulruben55

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.rampelloelectricidad.com
Port:
587
Username:
[email protected]
Password:
raulruben55
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000600000002318c-187.dat	family_snakekeylogger
behavioral2/files/0x000600000002318c-193.dat	family_snakekeylogger
behavioral2/files/0x000600000002318c-194.dat	family_snakekeylogger
behavioral2/memory/1300-195-0x0000000000060000-0x000000000007E000-memory.dmp	family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000600000002318c-187.dat	family_stormkitty
behavioral2/files/0x000600000002318c-193.dat	family_stormkitty
behavioral2/files/0x000600000002318c-194.dat	family_stormkitty
behavioral2/memory/1300-195-0x0000000000060000-0x000000000007E000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 60 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	qooleblui.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Nº 64494.pif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	QOOLEB~1.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 31 IoCs

pid	Process
1300	fineto.exe
4580	qooleblui.pif
4696	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
4496	QOOLEB~1.PIF
3700	QOOLEB~1.PIF
3248	QOOLEB~1.PIF
2152	QOOLEB~1.PIF
2132	QOOLEB~1.PIF
1856	QOOLEB~1.PIF
3340	QOOLEB~1.PIF
1900	QOOLEB~1.PIF
3664	QOOLEB~1.PIF
2932	QOOLEB~1.PIF
4836	QOOLEB~1.PIF
1428	QOOLEB~1.PIF
3764	QOOLEB~1.PIF
1580	QOOLEB~1.PIF
4260	QOOLEB~1.PIF
1772	QOOLEB~1.PIF
3736	QOOLEB~1.PIF
4180	QOOLEB~1.PIF
1800	QOOLEB~1.PIF
5008	QOOLEB~1.PIF
1856	QOOLEB~1.PIF
4568	QOOLEB~1.PIF
1360	QOOLEB~1.PIF
716	QOOLEB~1.PIF
3632	QOOLEB~1.PIF

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	qooleblui.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qooleblui.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\vikp\\QOOLEB~1.PIF c:\\vikp\\OHHGEE~1.XL"	QOOLEB~1.PIF

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	checkip.dyndns.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	qooleblui.pif
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	QOOLEB~1.PIF

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	fineto.exe
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4580	qooleblui.pif
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
4696	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
5096	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
4656	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
3900	QOOLEB~1.PIF
4496	QOOLEB~1.PIF
4496	QOOLEB~1.PIF
4496	QOOLEB~1.PIF

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	fineto.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1300	2580	Nº 64494.pif.exe	84
PID 2580 wrote to memory of 1300	2580	Nº 64494.pif.exe	84
PID 2580 wrote to memory of 3512	2580	Nº 64494.pif.exe	86
PID 2580 wrote to memory of 3512	2580	Nº 64494.pif.exe	86
PID 2580 wrote to memory of 3512	2580	Nº 64494.pif.exe	86
PID 3512 wrote to memory of 4580	3512	wscript.exe	87
PID 3512 wrote to memory of 4580	3512	wscript.exe	87
PID 3512 wrote to memory of 4580	3512	wscript.exe	87
PID 4580 wrote to memory of 2852	4580	qooleblui.pif	91
PID 4580 wrote to memory of 2852	4580	qooleblui.pif	91
PID 4580 wrote to memory of 2852	4580	qooleblui.pif	91
PID 2852 wrote to memory of 4696	2852	WScript.exe	93
PID 2852 wrote to memory of 4696	2852	WScript.exe	93
PID 2852 wrote to memory of 4696	2852	WScript.exe	93
PID 4696 wrote to memory of 1584	4696	QOOLEB~1.PIF	96
PID 4696 wrote to memory of 1584	4696	QOOLEB~1.PIF	96
PID 4696 wrote to memory of 1584	4696	QOOLEB~1.PIF	96
PID 1584 wrote to memory of 5096	1584	WScript.exe	97
PID 1584 wrote to memory of 5096	1584	WScript.exe	97
PID 1584 wrote to memory of 5096	1584	WScript.exe	97
PID 5096 wrote to memory of 4392	5096	QOOLEB~1.PIF	98
PID 5096 wrote to memory of 4392	5096	QOOLEB~1.PIF	98
PID 5096 wrote to memory of 4392	5096	QOOLEB~1.PIF	98
PID 4392 wrote to memory of 4656	4392	WScript.exe	99
PID 4392 wrote to memory of 4656	4392	WScript.exe	99
PID 4392 wrote to memory of 4656	4392	WScript.exe	99
PID 4656 wrote to memory of 5060	4656	QOOLEB~1.PIF	100
PID 4656 wrote to memory of 5060	4656	QOOLEB~1.PIF	100
PID 4656 wrote to memory of 5060	4656	QOOLEB~1.PIF	100
PID 5060 wrote to memory of 3900	5060	WScript.exe	101
PID 5060 wrote to memory of 3900	5060	WScript.exe	101
PID 5060 wrote to memory of 3900	5060	WScript.exe	101
PID 3900 wrote to memory of 4864	3900	QOOLEB~1.PIF	103
PID 3900 wrote to memory of 4864	3900	QOOLEB~1.PIF	103
PID 3900 wrote to memory of 4864	3900	QOOLEB~1.PIF	103
PID 4864 wrote to memory of 4496	4864	WScript.exe	104
PID 4864 wrote to memory of 4496	4864	WScript.exe	104
PID 4864 wrote to memory of 4496	4864	WScript.exe	104
PID 4496 wrote to memory of 4280	4496	QOOLEB~1.PIF	105
PID 4496 wrote to memory of 4280	4496	QOOLEB~1.PIF	105
PID 4496 wrote to memory of 4280	4496	QOOLEB~1.PIF	105
PID 4280 wrote to memory of 3700	4280	WScript.exe	106
PID 4280 wrote to memory of 3700	4280	WScript.exe	106
PID 4280 wrote to memory of 3700	4280	WScript.exe	106
PID 3700 wrote to memory of 1780	3700	QOOLEB~1.PIF	107
PID 3700 wrote to memory of 1780	3700	QOOLEB~1.PIF	107
PID 3700 wrote to memory of 1780	3700	QOOLEB~1.PIF	107
PID 1780 wrote to memory of 3248	1780	WScript.exe	108
PID 1780 wrote to memory of 3248	1780	WScript.exe	108
PID 1780 wrote to memory of 3248	1780	WScript.exe	108
PID 3248 wrote to memory of 4376	3248	QOOLEB~1.PIF	109
PID 3248 wrote to memory of 4376	3248	QOOLEB~1.PIF	109
PID 3248 wrote to memory of 4376	3248	QOOLEB~1.PIF	109
PID 4376 wrote to memory of 2152	4376	WScript.exe	110
PID 4376 wrote to memory of 2152	4376	WScript.exe	110
PID 4376 wrote to memory of 2152	4376	WScript.exe	110
PID 2152 wrote to memory of 4608	2152	QOOLEB~1.PIF	111
PID 2152 wrote to memory of 4608	2152	QOOLEB~1.PIF	111
PID 2152 wrote to memory of 4608	2152	QOOLEB~1.PIF	111
PID 4608 wrote to memory of 2132	4608	WScript.exe	112
PID 4608 wrote to memory of 2132	4608	WScript.exe	112
PID 4608 wrote to memory of 2132	4608	WScript.exe	112
PID 2132 wrote to memory of 368	2132	QOOLEB~1.PIF	113
PID 2132 wrote to memory of 368	2132	QOOLEB~1.PIF	113

C:\Users\Admin\AppData\Local\Temp\Nº 64494.pif.exe
"C:\Users\Admin\AppData\Local\Temp\Nº 64494.pif.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2580
- C:\vikp\fineto.exe
  "C:\vikp\fineto.exe" z35cA41RKhmI40o4n8To40h3RKUAl
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" Update-cg.x.vbe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\vikp\qooleblui.pif
    "C:\vikp\qooleblui.pif" ohhgeeloj.xl
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        12⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        14⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        16⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        18⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        20⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        22⤵
        Checks computer location settings
        
        PID:368
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        24⤵
        Checks computer location settings
        
        PID:3184
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        26⤵
        Checks computer location settings
        
        PID:2896
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        28⤵
        Checks computer location settings
        
        PID:4112
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        30⤵
        Checks computer location settings
        
        PID:2788
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        32⤵
        Checks computer location settings
        
        PID:4188
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        34⤵
        Checks computer location settings
        
        PID:4392
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        36⤵
        Checks computer location settings
        
        PID:4324
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        38⤵
        Checks computer location settings
        
        PID:2604
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        40⤵
        Checks computer location settings
        
        PID:1512
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        42⤵
        Checks computer location settings
        
        PID:548
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        44⤵
        Checks computer location settings
        
        PID:2492
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        46⤵
        Checks computer location settings
        
        PID:4616
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        48⤵
        Checks computer location settings
        
        PID:1956
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        50⤵
        Checks computer location settings
        
        PID:1032
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        52⤵
        Checks computer location settings
        
        PID:3040
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        54⤵
        Checks computer location settings
        
        PID:212
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        56⤵
        Checks computer location settings
        
        PID:3460
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        58⤵
        Checks computer location settings
        
        PID:5000
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\vikp\run.vbs"
        60⤵
        Checks computer location settings
        
        PID:1236
        
        C:\vikp\QOOLEB~1.PIF
        
        "C:\vikp\QOOLEB~1.PIF" OHHGEE~1.XL
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\vikp\Update-cg.x.vbe

Filesize
69KB

MD5
fdfd8ae6b6510985b57707669217fd53

SHA1
e34b2bba78f6d474812a95a3e2b5b94da4a29881

SHA256
2701be89b9cdaf6f2a4509e29e7ab23013f9af706cb5f43179f999703e4e9e56

SHA512
c40aa266674111df3bf39038a842161f207d6615782d57db220f29be00269949d89e6bb1f21d4765849c30f1eda3b255662d03528e496e81e077408e10dd8355

Download Submit
C:\vikp\fineto.exe

Filesize
96KB

MD5
98b3380a8927b93c08d1eab0d07103cc

SHA1
37253b0ca3725c4275c240cfea229c8e0db58195

SHA256
8eb017ece8a897d9c94a2afb605f341a435b30723ceaea2c79ee2662dcb6a89c

SHA512
7b3f01d6808304647aef785d1bdbe8ed5d97a09aa280ff4933f5052cc2389ce7c57643842d43941154e777a46423b6247b3f598fe68bc512ea59ac197b7824fa

Download Submit
C:\vikp\fineto.exe

Filesize
96KB

MD5
98b3380a8927b93c08d1eab0d07103cc

SHA1
37253b0ca3725c4275c240cfea229c8e0db58195

SHA256
8eb017ece8a897d9c94a2afb605f341a435b30723ceaea2c79ee2662dcb6a89c

SHA512
7b3f01d6808304647aef785d1bdbe8ed5d97a09aa280ff4933f5052cc2389ce7c57643842d43941154e777a46423b6247b3f598fe68bc512ea59ac197b7824fa

Download Submit
C:\vikp\fineto.exe

Filesize
96KB

MD5
98b3380a8927b93c08d1eab0d07103cc

SHA1
37253b0ca3725c4275c240cfea229c8e0db58195

SHA256
8eb017ece8a897d9c94a2afb605f341a435b30723ceaea2c79ee2662dcb6a89c

SHA512
7b3f01d6808304647aef785d1bdbe8ed5d97a09aa280ff4933f5052cc2389ce7c57643842d43941154e777a46423b6247b3f598fe68bc512ea59ac197b7824fa

Download Submit
C:\vikp\ohhgeeloj.xl

Filesize
107.6MB

MD5
cc13705e98b17e2ebc78a0400026ba7a

SHA1
ae3735af0876667400a098949d33327c645ce775

SHA256
a211d26edd51a86bead753fea271481e5994f6b06dddfb79e2ecf10ba0cc9afb

SHA512
5d5b24f8e1c7e6c38d620892a02e7287175b4b524992656aa51eb79fe1a0c9290d1848ccce227a934a06291a418187eca1a462dc13b48f19bc259d3ca94e72f7

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qooleblui.pif

Filesize
1.6MB

MD5
48775c27080729922b22c85cf7158874

SHA1
320a361221921eb1d31809700cf325ac1b4dadda

SHA256
eb3240062c133a015757991bc7f62af205ab424cc1761a7d1ea6a8821398a3f3

SHA512
c0054e41d7484b6454e9aa41b4780c436f89ee77ee9faf22272ea3d86bdf4132390d195a1bed26a6899cefd6e1bc50cd414cdb7218a5fdd99ff75580c4c65c94

Download Submit
C:\vikp\qutlg.bin

Filesize
32KB

MD5
8a969dc0efc019bae2c1b14f49fd3407

SHA1
cd7da232bd1261e619ff7a8cd9229c457ffba7f7

SHA256
0affa6879dd64068a284ef6fe722b7dd30c27689aac457c61dad4d0c3fd7aa50

SHA512
33899a4ba3fdbfd2523ddf77ae2ef376456745fe36d8627fb868c4da12f661571c526cb21222e34dcd2350871caec785a57997d31ff33a88d6c514201d5e0bd3

Download Submit
C:\vikp\run.vbs

Filesize
100B

MD5
90606c8ff93188b5c89bef50b5bb2684

SHA1
e62d18dc9de0f8af5d4d32f5e671bd2e75a1c1a4

SHA256
a75d5aff4ff4850f5393aa01a754ab6bf72206f13fbe2d438fd5ef2f6634a003

SHA512
3bcdd221eb6fdc9eed59e6eb5b1c8669421cc8f14f4956d54c482647aec9bdd6c08a338b8d1287a2106e775416fd37e90e7d2bbf7d1904c26eb44c8700cb73a0

Download Submit
C:\vikp\vovwbn.rai

Filesize
166KB

MD5
c386868d50c19f2e7a14a7051e9ef3ab

SHA1
0447d3a48a50e827e28e647b91d8baabb234dc50

SHA256
1c35572a1ff387ae9878b8d4e83b7193f08a18cae8f16f3e62b05a7cce214c6a

SHA512
30e5e1ff0311cea322025b517eaa692dc14053920cd82590bb5e2fc0e1d76f222d7f00a5802db37806b31120e7adf821065fc1bfe20ddccdff2ad291322d6be5

Download Submit
memory/1300-199-0x000000001AE80000-0x000000001AE90000-memory.dmp

Filesize
64KB

Download
memory/1300-195-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1300-213-0x000000001AE80000-0x000000001AE90000-memory.dmp

Filesize
64KB

Download