blackmoon | 6e3416dc9b06a869909a9380db5503992ad20b5c3c8a5a7eb761e3c712928ec5

Analysis

max time kernel
162s
max time network
164s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2023 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Line-.exe
Size

111.2MB
MD5

ecb4d3670188b70cd7ffbdebdcb25de8
SHA1

2dab4a0c63f2824eddf54c7df036e4a1bc3081a7
SHA256

6e3416dc9b06a869909a9380db5503992ad20b5c3c8a5a7eb761e3c712928ec5
SHA512

6e0e6fb42204edc8e5ddeb0121e0eaf2382cb8871ea52956016ee62fb4ddecf48b8b929c2839dc9c4d6829f653079b890d82391dc4a8a85d003d8ada813484b6
SSDEEP

3145728:dccerBmdtE+bQab//oYQQYVvsfI2RDhKcGEvFdV:6frQ70a8EYVaIGCEND

Score

10^/10

blackmoon gh0strat banker evasion rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/652-1464-0x0000000002090000-0x00000000020CC000-memory.dmp	family_blackmoon
behavioral2/memory/4800-1550-0x00000000030E0000-0x0000000003125000-memory.dmp	family_blackmoon

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4800-1550-0x00000000030E0000-0x0000000003125000-memory.dmp	family_gh0strat
behavioral2/memory/4800-1556-0x00000000032D0000-0x00000000032E5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	MsiExec.exe

Executes dropped EXE 5 IoCs

Processes:

588388456db280daIJE.exe588388456db280daIJE.exe588388456db280daIJE.exeBor32-update-flase.exeHaloonoroff.exe

pid process

356 588388456db280daIJE.exe
2748 588388456db280daIJE.exe
4844 588388456db280daIJE.exe
652 Bor32-update-flase.exe
4800 Haloonoroff.exe

pid	process
356	588388456db280daIJE.exe
2748	588388456db280daIJE.exe
4844	588388456db280daIJE.exe
652	Bor32-update-flase.exe
4800	Haloonoroff.exe

Loads dropped DLL 35 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe588388456db280daIJE.exe588388456db280daIJE.exe588388456db280daIJE.exeBor32-update-flase.exeHaloonoroff.exe

pid	process
4236	MsiExec.exe
4236	MsiExec.exe
4236	MsiExec.exe
4236	MsiExec.exe
4236	MsiExec.exe
4236	MsiExec.exe
4236	MsiExec.exe
4236	MsiExec.exe
4236	MsiExec.exe
528	MsiExec.exe
528	MsiExec.exe
528	MsiExec.exe
528	MsiExec.exe
528	MsiExec.exe
4544	MsiExec.exe
4544	MsiExec.exe
528	MsiExec.exe
528	MsiExec.exe
356	588388456db280daIJE.exe
2748	588388456db280daIJE.exe
4844	588388456db280daIJE.exe
4236	MsiExec.exe
4236	MsiExec.exe
652	Bor32-update-flase.exe
652	Bor32-update-flase.exe
652	Bor32-update-flase.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/652-1536-0x00000000020D0000-0x00000000020DB000-memory.dmp	upx
behavioral2/memory/652-1543-0x00000000020D0000-0x00000000020DB000-memory.dmp	upx
behavioral2/memory/4800-1554-0x0000000002650000-0x000000000265B000-memory.dmp	upx
behavioral2/memory/4800-1563-0x0000000002650000-0x000000000265B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Line-.exemsiexec.exeHaloonoroff.exeLine-.exe

description	ioc	process
File opened (read-only)	\??\X:	Line-.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	Haloonoroff.exe
File opened (read-only)	\??\Q:	Line-.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	Line-.exe
File opened (read-only)	\??\L:	Line-.exe
File opened (read-only)	\??\B:	Haloonoroff.exe
File opened (read-only)	\??\B:	Line-.exe
File opened (read-only)	\??\K:	Haloonoroff.exe
File opened (read-only)	\??\O:	Line-.exe
File opened (read-only)	\??\I:	Line-.exe
File opened (read-only)	\??\T:	Line-.exe
File opened (read-only)	\??\W:	Line-.exe
File opened (read-only)	\??\H:	Line-.exe
File opened (read-only)	\??\P:	Line-.exe
File opened (read-only)	\??\W:	Line-.exe
File opened (read-only)	\??\L:	Haloonoroff.exe
File opened (read-only)	\??\G:	Line-.exe
File opened (read-only)	\??\V:	Line-.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	Line-.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	Line-.exe
File opened (read-only)	\??\N:	Haloonoroff.exe
File opened (read-only)	\??\X:	Haloonoroff.exe
File opened (read-only)	\??\P:	Line-.exe
File opened (read-only)	\??\B:	Line-.exe
File opened (read-only)	\??\K:	Line-.exe
File opened (read-only)	\??\H:	Haloonoroff.exe
File opened (read-only)	\??\Z:	Line-.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	Line-.exe
File opened (read-only)	\??\I:	Line-.exe
File opened (read-only)	\??\Q:	Line-.exe
File opened (read-only)	\??\R:	Line-.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	Line-.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	Haloonoroff.exe
File opened (read-only)	\??\U:	Haloonoroff.exe
File opened (read-only)	\??\W:	Haloonoroff.exe
File opened (read-only)	\??\K:	Line-.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	Haloonoroff.exe
File opened (read-only)	\??\S:	Haloonoroff.exe
File opened (read-only)	\??\H:	Line-.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	Line-.exe
File opened (read-only)	\??\S:	Line-.exe
File opened (read-only)	\??\I:	Haloonoroff.exe
File opened (read-only)	\??\M:	Haloonoroff.exe
File opened (read-only)	\??\Y:	Haloonoroff.exe
File opened (read-only)	\??\A:	Line-.exe
File opened (read-only)	\??\Y:	Line-.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E2FE4F76-4B68-4D53-98BC-04491926AE77}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7625.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79C1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D40.tmp	msiexec.exe
File created	C:\Windows\Installer\e58758b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA7D.tmp	msiexec.exe
File created	C:\Windows\Installer\e587589.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e587589.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Haloonoroff.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Haloonoroff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Haloonoroff.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2220 taskkill.exe

pid	process
2220	taskkill.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

svchost.exeMsiExec.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{E2FE4F76-4B68-4D53-98BC-04491926AE77}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{E2FE4F76-4B68-4D53-98BC-04491926AE77}\C:\ProgramData\regid.1995-09.com.example\regid.1995-09.com.example_e3f421a0-b402-4f1f-acef-05831d781ab5.swidtag = "*"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{E2FE4F76-4B68-4D53-98BC-04491926AE77}\C:\Users\Default\Desktop\LNKNEW\regid.1995-09.com.example_e3f421a0-b402-4f1f-acef-05831d781ab5.swidtag = "*"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67F4EF2E86B435D489CB40949162EA77	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\Version = "117506056"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67F4EF2E86B435D489CB40949162EA77\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\PackageCode = "D9CE4A28659D9FA4E9CEE870BD5C467D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EF49538C4A3D5A6438BB35089AC938DA\67F4EF2E86B435D489CB40949162EA77	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList\PackageName = "LINK.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList\Net\1 = "C:\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\SourceList\LastUsedSource = "n;1;C:\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\ProductName = "Life on Line"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67F4EF2E86B435D489CB40949162EA77\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EF49538C4A3D5A6438BB35089AC938DA	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeHaloonoroff.exe

pid process

3468 msiexec.exe
3468 msiexec.exe
4800 Haloonoroff.exe
4800 Haloonoroff.exe

pid	process
3468	msiexec.exe
3468	msiexec.exe
4800	Haloonoroff.exe
4800	Haloonoroff.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeLine-.exe

description	pid	process
Token: SeSecurityPrivilege	3468	msiexec.exe
Token: SeCreateTokenPrivilege	3084	Line-.exe
Token: SeAssignPrimaryTokenPrivilege	3084	Line-.exe
Token: SeLockMemoryPrivilege	3084	Line-.exe
Token: SeIncreaseQuotaPrivilege	3084	Line-.exe
Token: SeMachineAccountPrivilege	3084	Line-.exe
Token: SeTcbPrivilege	3084	Line-.exe
Token: SeSecurityPrivilege	3084	Line-.exe
Token: SeTakeOwnershipPrivilege	3084	Line-.exe
Token: SeLoadDriverPrivilege	3084	Line-.exe
Token: SeSystemProfilePrivilege	3084	Line-.exe
Token: SeSystemtimePrivilege	3084	Line-.exe
Token: SeProfSingleProcessPrivilege	3084	Line-.exe
Token: SeIncBasePriorityPrivilege	3084	Line-.exe
Token: SeCreatePagefilePrivilege	3084	Line-.exe
Token: SeCreatePermanentPrivilege	3084	Line-.exe
Token: SeBackupPrivilege	3084	Line-.exe
Token: SeRestorePrivilege	3084	Line-.exe
Token: SeShutdownPrivilege	3084	Line-.exe
Token: SeDebugPrivilege	3084	Line-.exe
Token: SeAuditPrivilege	3084	Line-.exe
Token: SeSystemEnvironmentPrivilege	3084	Line-.exe
Token: SeChangeNotifyPrivilege	3084	Line-.exe
Token: SeRemoteShutdownPrivilege	3084	Line-.exe
Token: SeUndockPrivilege	3084	Line-.exe
Token: SeSyncAgentPrivilege	3084	Line-.exe
Token: SeEnableDelegationPrivilege	3084	Line-.exe
Token: SeManageVolumePrivilege	3084	Line-.exe
Token: SeImpersonatePrivilege	3084	Line-.exe
Token: SeCreateGlobalPrivilege	3084	Line-.exe
Token: SeCreateTokenPrivilege	3084	Line-.exe
Token: SeAssignPrimaryTokenPrivilege	3084	Line-.exe
Token: SeLockMemoryPrivilege	3084	Line-.exe
Token: SeIncreaseQuotaPrivilege	3084	Line-.exe
Token: SeMachineAccountPrivilege	3084	Line-.exe
Token: SeTcbPrivilege	3084	Line-.exe
Token: SeSecurityPrivilege	3084	Line-.exe
Token: SeTakeOwnershipPrivilege	3084	Line-.exe
Token: SeLoadDriverPrivilege	3084	Line-.exe
Token: SeSystemProfilePrivilege	3084	Line-.exe
Token: SeSystemtimePrivilege	3084	Line-.exe
Token: SeProfSingleProcessPrivilege	3084	Line-.exe
Token: SeIncBasePriorityPrivilege	3084	Line-.exe
Token: SeCreatePagefilePrivilege	3084	Line-.exe
Token: SeCreatePermanentPrivilege	3084	Line-.exe
Token: SeBackupPrivilege	3084	Line-.exe
Token: SeRestorePrivilege	3084	Line-.exe
Token: SeShutdownPrivilege	3084	Line-.exe
Token: SeDebugPrivilege	3084	Line-.exe
Token: SeAuditPrivilege	3084	Line-.exe
Token: SeSystemEnvironmentPrivilege	3084	Line-.exe
Token: SeChangeNotifyPrivilege	3084	Line-.exe
Token: SeRemoteShutdownPrivilege	3084	Line-.exe
Token: SeUndockPrivilege	3084	Line-.exe
Token: SeSyncAgentPrivilege	3084	Line-.exe
Token: SeEnableDelegationPrivilege	3084	Line-.exe
Token: SeManageVolumePrivilege	3084	Line-.exe
Token: SeImpersonatePrivilege	3084	Line-.exe
Token: SeCreateGlobalPrivilege	3084	Line-.exe
Token: SeCreateTokenPrivilege	3084	Line-.exe
Token: SeAssignPrimaryTokenPrivilege	3084	Line-.exe
Token: SeLockMemoryPrivilege	3084	Line-.exe
Token: SeIncreaseQuotaPrivilege	3084	Line-.exe
Token: SeMachineAccountPrivilege	3084	Line-.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Line-.exe

pid process

3084 Line-.exe
3084 Line-.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Bor32-update-flase.exeHaloonoroff.exe

pid process

652 Bor32-update-flase.exe
4800 Haloonoroff.exe

pid	process
3084	Line-.exe
3084	Line-.exe

pid	process
652	Bor32-update-flase.exe
4800	Haloonoroff.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

msiexec.exeLine-.exeMsiExec.exeBor32-update-flase.exeHaloonoroff.exe

description	pid	process	target process
PID 3468 wrote to memory of 4236	3468	msiexec.exe	MsiExec.exe
PID 3468 wrote to memory of 4236	3468	msiexec.exe	MsiExec.exe
PID 3468 wrote to memory of 4236	3468	msiexec.exe	MsiExec.exe
PID 3084 wrote to memory of 372	3084	Line-.exe	Line-.exe
PID 3084 wrote to memory of 372	3084	Line-.exe	Line-.exe
PID 3084 wrote to memory of 372	3084	Line-.exe	Line-.exe
PID 3468 wrote to memory of 2456	3468	msiexec.exe	srtasks.exe
PID 3468 wrote to memory of 2456	3468	msiexec.exe	srtasks.exe
PID 3468 wrote to memory of 528	3468	msiexec.exe	MsiExec.exe
PID 3468 wrote to memory of 528	3468	msiexec.exe	MsiExec.exe
PID 3468 wrote to memory of 528	3468	msiexec.exe	MsiExec.exe
PID 3468 wrote to memory of 4544	3468	msiexec.exe	MsiExec.exe
PID 3468 wrote to memory of 4544	3468	msiexec.exe	MsiExec.exe
PID 3468 wrote to memory of 4544	3468	msiexec.exe	MsiExec.exe
PID 528 wrote to memory of 356	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 356	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 356	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 2748	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 2748	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 2748	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 4844	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 4844	528	MsiExec.exe	588388456db280daIJE.exe
PID 528 wrote to memory of 4844	528	MsiExec.exe	588388456db280daIJE.exe
PID 652 wrote to memory of 4800	652	Bor32-update-flase.exe	Haloonoroff.exe
PID 652 wrote to memory of 4800	652	Bor32-update-flase.exe	Haloonoroff.exe
PID 652 wrote to memory of 4800	652	Bor32-update-flase.exe	Haloonoroff.exe
PID 4800 wrote to memory of 2220	4800	Haloonoroff.exe	taskkill.exe
PID 4800 wrote to memory of 2220	4800	Haloonoroff.exe	taskkill.exe
PID 4800 wrote to memory of 2220	4800	Haloonoroff.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Line-.exe
"C:\Users\Admin\AppData\Local\Temp\Line-.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\Line-.exe
"C:\Users\Admin\AppData\Local\Temp\Line-.exe" /i C:\LINK.msi AI_EUIMSI=1 APPDIR="C:\Users\Default\Desktop\LNKNEW" CLIENTPROCESSID="3084" SECONDSEQUENCE="1" CHAINERUIPROCESSID="3084Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Line-.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates " AI_CONTROL_VISUAL_STYLE="15925239;15138798;10395294;4108658" TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Line-.exe" AI_INSTALL="1"
2⤵
- Enumerates connected drives
PID:372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 43699C47F192E9E1A04519E4AD4BE644 C
2⤵
- Loads dropped DLL
PID:4236

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E9C96442B7AD2C2D0D0BD1F6107545A9
2⤵
- UAC bypass
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe
C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe x C:\Users\Default\Desktop\LNKNEW\d0437f784fad.LLL -oC:\Users\Admin\AppData\ -p0795ea6f59475671GHB -aos
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:356

C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe
C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe x C:\Users\Default\Desktop\LNKNEW\34dd5c0d72bf.SIJ -oC:\Users\Default\Desktop\LNKNEW\ -p93e483ad0d353ccbQKA -aos
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748

C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe
C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe x C:\Users\Default\Desktop\LNKNEW\85b1b86e6fd9.OIL -oC:\Users\Admin\AppData\Roaming\ -p398f20ec3180317dCEL -aos
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4844

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5F40CA1C0D0717F1676A1859A4B6ED86 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4744

C:\Users\Default\Desktop\LNKNEW\yybob\Bor32-update-flase.exe
"C:\Users\Default\Desktop\LNKNEW\yybob\Bor32-update-flase.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\Haloonoroff.exe
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\Haloonoroff.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ipaip2.exe
3⤵
- Kills process with taskkill
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58758a.rbs

Filesize
891KB

MD5
2ade14ef30a17672545c1561443d5fb4

SHA1
fb817d24341d3e18dc71c6741ee6abb273559c71

SHA256
a54459da92313598465c13d73476b3a5f8476496f8064b872c2ec26b39991de8

SHA512
1729c3cca11f740cec822ff1fb6ce52f963b0c22b0bd411ff2b56b205d619c8fe7e422c373f834d829f4345d3db88290635439d80e87b01093fe4b45be2fe28c

Download Submit
C:\GKAMSMDV

Filesize
1KB

MD5
8e75c12533594a0aef76d41a2e305ecb

SHA1
c477b25313520b28dc62cebe10dc031b248864ed

SHA256
f6be6ecb0e8b119c663c10657d464e9d2a79911f8898004155d24389fec35408

SHA512
f8216d2d7cf120d8f227923ba2a41c7a2e2216bf792237adf6270a58c695b7b4b56c88f7066778803fd51cb29216ed250be0f69c1d445571a786533c39ab7394

Download Submit
C:\LINK.msi

Filesize
1.5MB

MD5
a0e7b7c3618d69353792de0983e65de8

SHA1
d7baf01ac0755fefec4f97aeabc8b12e99cda0a9

SHA256
7ef478dd6291dc05873e280994e3ca757663ea77c7fca08aa186a63f5f4a1e45

SHA512
f5110b3e783c8b7107f715cf61fa6a1dd52f0b47122b0c85560310da022dd031ab526c381420bd939b6ab1ff06413e683ad29478a59b1c0bc64e012000e22b56

Download Submit
C:\LINK.msi

Filesize
1.5MB

MD5
a0e7b7c3618d69353792de0983e65de8

SHA1
d7baf01ac0755fefec4f97aeabc8b12e99cda0a9

SHA256
7ef478dd6291dc05873e280994e3ca757663ea77c7fca08aa186a63f5f4a1e45

SHA512
f5110b3e783c8b7107f715cf61fa6a1dd52f0b47122b0c85560310da022dd031ab526c381420bd939b6ab1ff06413e683ad29478a59b1c0bc64e012000e22b56

Download Submit
C:\LINK1.cab

Filesize
108.1MB

MD5
68d1fa12ad45f66e9c00382844f56963

SHA1
8a8b42294f825677d91406a9c46520beb79200fc

SHA256
4bf0c5894c5f0ddb9e9ea913bc2293c360a3f07a11a2966b2ef57e3b9287d223

SHA512
75a728333154aa8f3f158a4a989c97225ebd548b5e4d7c62588885a273734e3ec6d7f9c600b6d3ca4ae06ec5660ae02cfbe88472ab10f1c6e683e180c4e3d809

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\PrepareDlgProgress.gif

Filesize
27KB

MD5
ec1cedb4691c438162ac62e58ddc6b76

SHA1
fb35e429bad1577f51391abe13fd402e8251a968

SHA256
fd488abbdc8fee0339b679324332a3af29db00f782d635e2a6593a4140a60ec6

SHA512
1cfe104262958f48ef677251ed3704d22ca6a7f8230119a789492867ba762720ae7023c9cbb194de9c6305bab92c1d511311dd251cca37147cb1b4b3376e25a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\ProgressImage.png

Filesize
174B

MD5
0c18af08390365ed36c605f34273c4a5

SHA1
bbbb19bc789dba1ad031c1d4e9ff644096ac11f6

SHA256
1ae6b5eccea17a126b5edeb49b8469013b4bcb022110dbd9e35b365be088fa1e

SHA512
1b69db94dfa3929d4651ea98e65d0495fbe7b72da15364e88ba13bd1c4547aa81673dd9dec34e5ed7915805a8c938b1bc8bde55dcef2f8fffa4b5dfb0241cc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\applogoicon

Filesize
3KB

MD5
2d701ba950b9ea2097eafa15b331c208

SHA1
51a7c00fa58e0a5d0d633ace0f8c6a509cd4024b

SHA256
729efca2d8e6963a8bf56b28f1c3235107ffde8485dbace799684d3b06f92143

SHA512
daa833845c98c2abc49295e2bdf0315a0fb3e82428e010839a3f39f8aed8fb436c477351a290deed60e352be54d712273a4dd7b842ccde2f805cbe743d9104a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\backbutton

Filesize
405B

MD5
76e5bdd88ceeb272820cd597f7556fc6

SHA1
9089831330d067ade6d8ee6a4c7c4728ed1ac558

SHA256
52d4ecf8625c8e606c31370544f7a31f126581350628fd7caefe51bccaac1626

SHA512
bdf4236e57dc53f81cf20be5194de4b45337dbec50a1c54ef5710b384404bd4f33e7d200605bdd4a9a21dc5c7ab8f1a2889c8352e7f8f023aae9617ab1e79481

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\backgroundprepare

Filesize
154B

MD5
8fd875cdc559ad66e0a94c64fdb762c3

SHA1
79111743f1ef8da31688f1644f9568a42fbd3ed5

SHA256
fe7c2d4c244139591b0b716a410a1d8af38084cdc560a2beb265bdb8578e4eb3

SHA512
0985a7456bd94e21d62428368c8e52ef7021fe78966dd967b96ecbbf05542abba4f8c85ef3d56bc0f5f9500e0d0828d4b54feaeef9768f85ff754ca8a1b5af3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\browsebutton

Filesize
254B

MD5
1894f43a854b0f3466870e25601d2b3c

SHA1
48140dd46be41e079cdba4b4d9795fe3bcc1991c

SHA256
04885afdfcf1c5e5dbeab7e827be79d34f46e403061c87c98572edc3247aec6e

SHA512
bb53c8a51a54b32a676d820df577ec24e26a08cb9b7c7ff52cc9d8a5becf78bb63df89e510dd99468b67c7e52077f4ee5b9a8a4e88f071a622df4d68eb57af34

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\checkbox

Filesize
1KB

MD5
da8beba2ef0e06af7986b00a19024750

SHA1
0e10988e3b5a42b1becfb0fc8de59ec23ee26fa1

SHA256
c84fefa639bfffeb385fdff9cad8484a77a0256a91ace1c204e6445f6530ce47

SHA512
c36336c7983a0da7c34f9f1afefd2f6d9fd192c43759cb8ce6386ecbaebae5e1858b5830e02a5c4a37e455bde41abd8a939fbaeb1bdf71c050da944ab3cebc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\frame_bottom_right_inactive.bmp

Filesize
66B

MD5
0e1ab770f8d8f8768b66e7de087087c9

SHA1
36ad69f719f035d0c040db6d611611552a387b41

SHA256
3e57878d7e1c0d2fe4db1dd47b803a363188114520ff5d7a4f50fab47c0ee992

SHA512
2c5a627fba9ce1b35397d1dc4ae7b6954bd7b39a402689f3c12f2dc314ca5133f553da0411cad0a6d556f1787f2b2fce585f76d4b73bb2cff98732aaf808fdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\frame_caption.bmp

Filesize
206B

MD5
d4a94f93002037ca552d4478c8c701ed

SHA1
3b3974bcd813a88eae8d24bb3ba7b30c08ca26bb

SHA256
6328e3b060d86158d6a22085013c97cc8857b284a65673c4a367b9190a876a6a

SHA512
06bccb7066ba3b9f09fdfe1b23ceab28e169c664d5d462044f57103214f2b72ed49feab41311c2960501924d26dc0ba74d9a79b52de91666a36a639195916ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\frame_top_left.bmp

Filesize
154B

MD5
c07e50413d643b1119eb4ff5f9f8a6cf

SHA1
4dcbf7bb589cf2d34c0faa112728412cae9755eb

SHA256
a7d431d251af68b816cb7e94e05b2201f24ebce1ccc01a39fcd5c0efcc0d03c4

SHA512
50cd65afe7d5820f301855a283223949c62e4aae0d9fce6feb53af5f90a1e547bae4f6400f7b25391b53b8c3621b15175ea1a462d813475d2551983db0af124d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\frame_top_mid.bmp

Filesize
66B

MD5
f623cb070f63adadf31212d6564805b9

SHA1
d1c283eeba4b784cd731ce5179b0b44d9d8874cb

SHA256
e4ab79b964317d20d8e15d8723cadca3691878520cfe498eb62674fd8e4a3dc2

SHA512
1836786f6a5eb61dc179135b136ec014c7ea0fb3c87e1c96349b31b91884a55044b12c292623a52b7b20346cf6ee21fef06cff28411bb3c4fe76e14ee1580e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\metrobuttonimage

Filesize
405B

MD5
5fbc69a793959afb968d1b5292be3b09

SHA1
375889283a20c675a844e5a9a38e4feb55f55d05

SHA256
53a1486b8a86c60fbdcb74057d2f9606749cdaf3c845ede40f48d869ac553d23

SHA512
1451ce6ce864821b6f3d6072c6b557a04c802c5c1d715ec3723f4cc3958ea35306b8a9bed8b025cce5f2f62bb7cd1d2070c43f2a63aaccdee29061dfb753cfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\metroinstallbutton

Filesize
557B

MD5
2d014fefb6a22313e7e14a8daf31ce28

SHA1
fe1b72bbe1daa3a0d7874de20e8290d34015dcec

SHA256
f47ac424ed22efeb451214cd21b5096563bcbc4356ba0060278082410bb6d149

SHA512
73254f3a3b46d1bb0c4b29066dd3c35dad4fcf79e4a62e503ea22ebb69adbbee7263cb92fdb3445dedfe7d1fd51faf8f57ef55acee7b086b1fb40ab073a4d3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\nextcancelbuttons

Filesize
405B

MD5
69ae8e816a1cc20d5ae0021cf3539399

SHA1
998b8394109a0bb59c2ee216548bd56bff5f66c5

SHA256
8d9aa1ddf1b98a6fac56d878fc1bee87bf6eeefd291fc849e3efc5242bc19016

SHA512
3a38e28aedc2dd99b6ecb0784f67077b6ed8502060bb57e841263c3510d87cc106596c1d809c2edc75b4e00105c98408aa64f41c871de0e8cffb30b56864609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\png

Filesize
8KB

MD5
4116697cbd98222984fcece94b08ac71

SHA1
3fd94cea1c5b5d7e58eb0ba018a5b5369ff32ba3

SHA256
f553057dd78cf32b900c1e3cae4d1346ed620cb5769d7c798eafa0eb47a3e70b

SHA512
20e8525671184c40f1ba23fe92629b6f9459aa26a443cb10d94acb0fbc9e129f7a7735ad6ef9060279552f629ab31406dfab14a0072b23c86e1fd720911ba89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\sys_close_down.png

Filesize
254B

MD5
e0040a9dbb89f5a5a1b2c2c34bd52a52

SHA1
e85d76a72041c8775f3e810273ef4f7e85035d32

SHA256
d817ae7a97229df819521483ce4018a05b1eab6930a877cb30f4e2bc79a4d42a

SHA512
dbb2a6ee6a51d8b3cc327bf5624410471dfedc9ee4e9a53963881c7af2326ce1bf036d3c4d6ed35f226e654fce905a1ae982a5e79a4921cfd553e427eddf4197

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\sys_close_hot.png

Filesize
290B

MD5
089ed99675e574a5cebba2c5e395ab1e

SHA1
b4bb865a7ecffd8f6f2551d7d5c23ac6f9f3345f

SHA256
c1ec4222cf1b3afaf5a160914c6ddb82794236d350683d9a282c9bc4541d1315

SHA512
f579bd9598f5616d20f9d6cc74d7d900415127fe5629574d76d24badfa65104dfb5ea57574d584d8b9d10a93f4d76c5dd29b0803535cf6b5bc54a1ee1cc694dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\sys_min_down.png

Filesize
219B

MD5
38375b1dd82d4ba1a3a8c12eef4aded6

SHA1
db968d4a666c0401acbd2cf0535f8ef80316ecc9

SHA256
eaed9874836dae7ea6c5d6bf914ebd34263880d745ad61d24d215767a4e355cf

SHA512
bb27752d979afc1e6ee835dbd1a952800cb5a013c14ec70abf213021a3532865f29888a95832a716fc557f9807f04504da16d17d44b16a38eb513a020e079b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\sys_min_hot.png

Filesize
181B

MD5
9f400ca36f8629670facd21639cddc0d

SHA1
00cc682a8332269b01db832db29cbed20e932558

SHA256
6d13e15f83b06a9758833e2cf47310479f7ab834ea06b310fefb3ba859f1fccc

SHA512
a84e4bad25e401331a5b90f0d31c30e62a43b064289e89d3946b2dc06669c7543b6a9b49d8e28208a3644b684529aea765078fb281f4ef1ffb6ca4254446fca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\sys_min_inactive.png

Filesize
175B

MD5
a2c4802002bb61994faabda60334a695

SHA1
0a2b6b0ceb09425080c5ba4b9cbdef533cf69eba

SHA256
a3b59dbc5a39d551455ff838e71b5820560ca3484c6411b9d69df33d8113619c

SHA512
34e130edc650c3de6020f2d2b5dc1404b7aee0105eb7e315c15c5aa61398d174377e9b6a2aecc55f79f54c04812b8745c6739a201539e291538979e6b024da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3084\sys_min_normal.png

Filesize
238B

MD5
516172d0ebf941237cef32fcee8cdf43

SHA1
6bee117996c16c7413be876dfc15978d14813091

SHA256
56e64eaf6349ece08005e6f7299de413ed00112d53518215d90690be2b2a4f1a

SHA512
46477a58aa7e9eeae29e1c1d826bf045422709b7c8f428985c617b366012c58121d4404523a75efe77fc6d8e061a6bb209743d0a2af81545898f51c8855728ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICFE8.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID056.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF185.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF290.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF2CF.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF2CF.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF2FF.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF32F.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF36E.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF3CD.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF555.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF611.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiDE6.tmp

Filesize
3.2MB

MD5
032bb369103dac02606fb919f6658f3c

SHA1
60b39428ab3493aab7babf3a1c5f2a951ae853bd

SHA256
daa61c42d53be45c7709a0b0f66a51a0a47ca84eab787e0627f6da255c96ddff

SHA512
0f1fb9bb34e699ee6d4a1dc58f99514fb1df81ad0cf37b3ffe938295a70d832a5702cec3df16d30d400c77014d09228e6d02d3e65d5d6d0f1c5e34f39d55e313

Download Submit
C:\Users\Admin\AppData\Roaming\CAS_Lineglc\LINE\bin\6.7.4.2508\translations\linguist_en.qm

Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\Haloonoroff.exe

Filesize
665KB

MD5
ff1799df96e1250fa7c27e4e533a0885

SHA1
ac3f2e816535b463f35efae79018f65991d8834c

SHA256
7cfd01d80cac85f2853afff5af5319b8eef677dd754917a2961861e48b88f366

SHA512
1202e1d521a7e977f54df84aaffb44ec5d253161421fb329c6c6f4051a667fb4618b611bd9e025e3052fe765c4d803d30c474491c8a2d393cd233f7b8655f346

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\plugins\Microsoft.VC80.ATL.manifest

Filesize
376B

MD5
0bc6649277383985213ae31dbf1f031c

SHA1
7095f33dd568291d75284f1f8e48c45c14974588

SHA256
c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158

SHA512
6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\plugins\Microsoft.VC80.CRT.manifest

Filesize
314B

MD5
710c54c37d7ec902a5d3cdd5a4cf6ab5

SHA1
9e291d80a8707c81e644354a1e378aeca295d4c7

SHA256
ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80

SHA512
4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\plugins\version

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\Users\Default\Desktop\LNKNEW\34dd5c0d72bf.SIJ

Filesize
220KB

MD5
03c177b3c985a6725ab6f2e639063938

SHA1
263d79c5abae74d020d1cc72c558dadd019a20fe

SHA256
7c7f2dcbb5127958fd58f4e37d5f7ea43543061975c8c59658430703f3609d09

SHA512
96fb5d506404c6a86bda6395cbb942558d244fa698d718d5404e7d09d013e45443f76217007ce5b226ea26e870934c29b5fec5b541d8cc6f6a29111e10acd1c8

Download Submit
C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe

Filesize
694KB

MD5
fae7d0a530279838c8a5731b086a081b

SHA1
6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b

SHA256
eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439

SHA512
e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

Download Submit
C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe

Filesize
694KB

MD5
fae7d0a530279838c8a5731b086a081b

SHA1
6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b

SHA256
eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439

SHA512
e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

Download Submit
C:\Users\Default\Desktop\LNKNEW\588388456db280daIJE.exe

Filesize
694KB

MD5
fae7d0a530279838c8a5731b086a081b

SHA1
6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b

SHA256
eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439

SHA512
e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

Download Submit
C:\Users\Default\Desktop\LNKNEW\7z.dll

Filesize
1.3MB

MD5
292575b19c7e7db6f1dbc8e4d6fdfedb

SHA1
7dbcd6d0483adb804ade8b2d23748a3e69197a5b

SHA256
9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590

SHA512
d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

Download Submit
C:\Users\Default\Desktop\LNKNEW\85b1b86e6fd9.OIL

Filesize
95.3MB

MD5
00bd7f073f5eb3e8cace45fb914a1623

SHA1
2cd47407dd208ff995d37c93ff71467c3bb81695

SHA256
184256d6de103584741e9b60203b4db91c2017f8029365c05539808ccd474d3f

SHA512
3f0ebd25ba28e3735c6b27ae89edbc7839d636cfd8d70d895050e457495e646c125c01f7e3d0d331ce3508b5359a3340784e908e0383069fe79dbc0ac008fb2f

Download Submit
C:\Users\Default\Desktop\LNKNEW\GKAMSMDV

Filesize
1KB

MD5
8e75c12533594a0aef76d41a2e305ecb

SHA1
c477b25313520b28dc62cebe10dc031b248864ed

SHA256
f6be6ecb0e8b119c663c10657d464e9d2a79911f8898004155d24389fec35408

SHA512
f8216d2d7cf120d8f227923ba2a41c7a2e2216bf792237adf6270a58c695b7b4b56c88f7066778803fd51cb29216ed250be0f69c1d445571a786533c39ab7394

Download Submit
C:\Users\Default\Desktop\LNKNEW\WEB.dll

Filesize
60KB

MD5
05a2255873f29aed3a029a0ce07eda62

SHA1
05b4920c1add973b0f93ffe4086971eb9d1c7f43

SHA256
723112883a2b5cb747b66a61d93200f57e2752115005c2bb776e7ce1aae03ee6

SHA512
aab78ca5ba4078fc407c108fdfcfca16ec6f0888baedb761ebf6a754d979dc9240055305ff586d22f89f9912a270a7d39663ffc3351762759957ad137e0d8b42

Download Submit
C:\Users\Default\Desktop\LNKNEW\d0437f784fad.LLL

Filesize
11.5MB

MD5
c6c8739562f5b961d4d77f9535b8c975

SHA1
d37c396e6017d09c8daedf2edce19aae586b5d5c

SHA256
1d8045657b97d8793dd946e226f402a06014a99b7d568b18d4062148e2203561

SHA512
c7ae0b98e94557a81baf2fabc3bc00329b017632ad47b3a6321f3c8e911b35921baec812a05d6d85fab842c4841baac5a9d632f34988bce800b644c2d1f805e2

Download Submit
C:\Users\Default\Desktop\LNKNEW\yybob\Anyc

Filesize
164KB

MD5
03b5725530985100c9c4b6d8fac7127d

SHA1
f8dcbe012ab33851aa0d1e9e2b0d363786ecd649

SHA256
39de4aadd1181f462caaad70bee0a2584e08b2c34d19a12f8724a0b50ee76998

SHA512
b4ef74a5cd5f627c93479aac2e8a8c2cae700594808b240579c3dbd0ad78a68aa92163870269e379945539dc067f615b7e1be5fde2098309132e6ad4a60012de

Download Submit
C:\Users\Default\Desktop\LNKNEW\yybob\Bor32-update-flase.exe

Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Default\Desktop\LNKNEW\yybob\Bor32-update-flase.exe

Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Default\Desktop\LNKNEW\yybob\Plugins\qvlnk.dll

Filesize
44KB

MD5
3098d4447c720f2b38a362e352ebf6ea

SHA1
ce516dc6130e47402da7795922246da433408d82

SHA256
3c2960185ee1f69f593f943c876ffe7cbcd378266990bff48c4687b4cf810dd6

SHA512
80148bb2322811385f902ad39e04d1dba388fd6adc7e031a2821d292ee8cf269dacb5e68ef5f83cc2211da71d0c9773e1ae6a600d7ce02d9dbad6fa950c362b9

Download Submit
C:\Users\Default\Desktop\LNKNEW\yybob\eliminate.dll

Filesize
56KB

MD5
213d0de6bba1e16a570ed58ce9b1c405

SHA1
517bed3165bcf981d2d224299a5c814b2f38eae7

SHA256
de93b9267ecb3d78b5aa6feb90c93fa9ac6f0fc2d022a8c63014f2026a516eae

SHA512
3ba4cf073ae04ea06d066c4597bf6489a940420410b41ae6921c57cdd958a532f3dc66e3a0d956052d9aee7ae287d8f9660843b5304c34a23058a317e3ea58fd

Download Submit
C:\Windows\Installer\MSI7625.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Windows\Installer\MSI76E2.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Windows\Installer\MSI7AAC.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
C:\Windows\Installer\MSI7BE6.tmp

Filesize
428KB

MD5
fcb30c9f760deed9b191f5f1dfcae90e

SHA1
dcfce73f0f7bec7c5da9a07a851d4f6f04e79a15

SHA256
8eeedf2905b80b6d2d1bc7bb947aa649a5330630a96b536e2e419e883779c882

SHA512
b4f9979a2cd0e1c80d740151a98418f469ebc19c0564e4deafe33316f76413c724b2465134e12dad98f73870f36e80dae64b7e7162b756387104c89fa7ce2553

Download Submit
C:\Windows\Installer\MSI7D40.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
C:\Windows\Installer\MSI7D40.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
C:\Windows\Installer\MSI9D9A.tmp

Filesize
428KB

MD5
fcb30c9f760deed9b191f5f1dfcae90e

SHA1
dcfce73f0f7bec7c5da9a07a851d4f6f04e79a15

SHA256
8eeedf2905b80b6d2d1bc7bb947aa649a5330630a96b536e2e419e883779c882

SHA512
b4f9979a2cd0e1c80d740151a98418f469ebc19c0564e4deafe33316f76413c724b2465134e12dad98f73870f36e80dae64b7e7162b756387104c89fa7ce2553

Download Submit
C:\Windows\Installer\MSI9D9A.tmp

Filesize
428KB

MD5
fcb30c9f760deed9b191f5f1dfcae90e

SHA1
dcfce73f0f7bec7c5da9a07a851d4f6f04e79a15

SHA256
8eeedf2905b80b6d2d1bc7bb947aa649a5330630a96b536e2e419e883779c882

SHA512
b4f9979a2cd0e1c80d740151a98418f469ebc19c0564e4deafe33316f76413c724b2465134e12dad98f73870f36e80dae64b7e7162b756387104c89fa7ce2553

Download Submit
C:\Windows\Installer\MSIA6A3.tmp

Filesize
428KB

MD5
fcb30c9f760deed9b191f5f1dfcae90e

SHA1
dcfce73f0f7bec7c5da9a07a851d4f6f04e79a15

SHA256
8eeedf2905b80b6d2d1bc7bb947aa649a5330630a96b536e2e419e883779c882

SHA512
b4f9979a2cd0e1c80d740151a98418f469ebc19c0564e4deafe33316f76413c724b2465134e12dad98f73870f36e80dae64b7e7162b756387104c89fa7ce2553

Download Submit
C:\Windows\Installer\MSIAA7D.tmp

Filesize
16KB

MD5
57554e63856f91cc3b19c1781a62bd49

SHA1
4bf74f032d68eded08537f241f4ef6dec5fdbf69

SHA256
96eb9e482ae504f18ec06c2dadccb12b17237f47ccd7d43ca3b8903973cf0bdb

SHA512
7fc5b37e5c0da16494251b1e6c633d79b0f1d7c64b402d2dfa59d5325bb2eeaa11d8a35ad6d1fd60a5462268f4a53616223d1a539dff6073a4e01e96dfc3df68

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
97ee7eac793b6ee6062e92b98983755a

SHA1
ad3a5c36261e58c947cbe8533a12d21bb4f1a2e4

SHA256
30fe3b82885109286a046faf84ba072d2e6de0daf5e5b905d6fd1aa35169ebf0

SHA512
1cc321f5f95c24687776555471e7f21d4e00b3f533b1333a3b20bfc30d76360eb43af8d23f92929f20fad5cd8c087f7b4144bce24cc34033f7a6b17bcc2a66fb

Download Submit
\??\Volume{626007f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1ed3ddb9-e260-4fb6-8e10-8478786aca2d}_OnDiskSnapshotProp

Filesize
5KB

MD5
b911c14bbb232876ae9f6c96b525d2d3

SHA1
a91fa27fb1328843a516a2ef82e920559b25e9ad

SHA256
06656b8e46b8c68a685df8a99987b0e2d30717a82e5ac4d54991b325b147b888

SHA512
3863be87c1745035d7ca56f37db6f1c484c7133e8ec75205457d63163edd087dfd40b607b3653698e50075171ca99b88d3c5f3645b50049a5ce94cda485a7c22

Download Submit
\Users\Admin\AppData\Local\Temp\MSICFE8.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSID056.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF185.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF290.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF2CF.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF2FF.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF32F.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF36E.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF3CD.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF555.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF611.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Default\Desktop\LNKNEW\7z.dll

Filesize
1.3MB

MD5
292575b19c7e7db6f1dbc8e4d6fdfedb

SHA1
7dbcd6d0483adb804ade8b2d23748a3e69197a5b

SHA256
9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590

SHA512
d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

Download Submit
\Users\Default\Desktop\LNKNEW\7z.dll

Filesize
1.3MB

MD5
292575b19c7e7db6f1dbc8e4d6fdfedb

SHA1
7dbcd6d0483adb804ade8b2d23748a3e69197a5b

SHA256
9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590

SHA512
d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

Download Submit
\Users\Default\Desktop\LNKNEW\7z.dll

Filesize
1.3MB

MD5
292575b19c7e7db6f1dbc8e4d6fdfedb

SHA1
7dbcd6d0483adb804ade8b2d23748a3e69197a5b

SHA256
9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590

SHA512
d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

Download Submit
\Users\Default\Desktop\LNKNEW\WEB.dll

Filesize
60KB

MD5
05a2255873f29aed3a029a0ce07eda62

SHA1
05b4920c1add973b0f93ffe4086971eb9d1c7f43

SHA256
723112883a2b5cb747b66a61d93200f57e2752115005c2bb776e7ce1aae03ee6

SHA512
aab78ca5ba4078fc407c108fdfcfca16ec6f0888baedb761ebf6a754d979dc9240055305ff586d22f89f9912a270a7d39663ffc3351762759957ad137e0d8b42

Download Submit
\Users\Default\Desktop\LNKNEW\yybob\eliminate.dll

Filesize
56KB

MD5
213d0de6bba1e16a570ed58ce9b1c405

SHA1
517bed3165bcf981d2d224299a5c814b2f38eae7

SHA256
de93b9267ecb3d78b5aa6feb90c93fa9ac6f0fc2d022a8c63014f2026a516eae

SHA512
3ba4cf073ae04ea06d066c4597bf6489a940420410b41ae6921c57cdd958a532f3dc66e3a0d956052d9aee7ae287d8f9660843b5304c34a23058a317e3ea58fd

Download Submit
\Users\Default\Desktop\LNKNEW\yybob\eliminate.dll

Filesize
56KB

MD5
213d0de6bba1e16a570ed58ce9b1c405

SHA1
517bed3165bcf981d2d224299a5c814b2f38eae7

SHA256
de93b9267ecb3d78b5aa6feb90c93fa9ac6f0fc2d022a8c63014f2026a516eae

SHA512
3ba4cf073ae04ea06d066c4597bf6489a940420410b41ae6921c57cdd958a532f3dc66e3a0d956052d9aee7ae287d8f9660843b5304c34a23058a317e3ea58fd

Download Submit
\Users\Default\Desktop\LNKNEW\yybob\plugins\qvlnk.dll

Filesize
44KB

MD5
3098d4447c720f2b38a362e352ebf6ea

SHA1
ce516dc6130e47402da7795922246da433408d82

SHA256
3c2960185ee1f69f593f943c876ffe7cbcd378266990bff48c4687b4cf810dd6

SHA512
80148bb2322811385f902ad39e04d1dba388fd6adc7e031a2821d292ee8cf269dacb5e68ef5f83cc2211da71d0c9773e1ae6a600d7ce02d9dbad6fa950c362b9

Download Submit
\Windows\Installer\MSI7625.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Windows\Installer\MSI76E2.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Windows\Installer\MSI7AAC.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
\Windows\Installer\MSI7BE6.tmp

Filesize
428KB

MD5
fcb30c9f760deed9b191f5f1dfcae90e

SHA1
dcfce73f0f7bec7c5da9a07a851d4f6f04e79a15

SHA256
8eeedf2905b80b6d2d1bc7bb947aa649a5330630a96b536e2e419e883779c882

SHA512
b4f9979a2cd0e1c80d740151a98418f469ebc19c0564e4deafe33316f76413c724b2465134e12dad98f73870f36e80dae64b7e7162b756387104c89fa7ce2553

Download Submit
\Windows\Installer\MSI7D40.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
\Windows\Installer\MSI9D9A.tmp

Filesize
428KB

MD5
fcb30c9f760deed9b191f5f1dfcae90e

SHA1
dcfce73f0f7bec7c5da9a07a851d4f6f04e79a15

SHA256
8eeedf2905b80b6d2d1bc7bb947aa649a5330630a96b536e2e419e883779c882

SHA512
b4f9979a2cd0e1c80d740151a98418f469ebc19c0564e4deafe33316f76413c724b2465134e12dad98f73870f36e80dae64b7e7162b756387104c89fa7ce2553

Download Submit
\Windows\Installer\MSIA6A3.tmp

Filesize
428KB

MD5
fcb30c9f760deed9b191f5f1dfcae90e

SHA1
dcfce73f0f7bec7c5da9a07a851d4f6f04e79a15

SHA256
8eeedf2905b80b6d2d1bc7bb947aa649a5330630a96b536e2e419e883779c882

SHA512
b4f9979a2cd0e1c80d740151a98418f469ebc19c0564e4deafe33316f76413c724b2465134e12dad98f73870f36e80dae64b7e7162b756387104c89fa7ce2553

Download Submit
\Windows\Installer\MSIAA7D.tmp

Filesize
16KB

MD5
57554e63856f91cc3b19c1781a62bd49

SHA1
4bf74f032d68eded08537f241f4ef6dec5fdbf69

SHA256
96eb9e482ae504f18ec06c2dadccb12b17237f47ccd7d43ca3b8903973cf0bdb

SHA512
7fc5b37e5c0da16494251b1e6c633d79b0f1d7c64b402d2dfa59d5325bb2eeaa11d8a35ad6d1fd60a5462268f4a53616223d1a539dff6073a4e01e96dfc3df68

Download Submit
memory/652-1543-0x00000000020D0000-0x00000000020DB000-memory.dmp

Filesize
44KB

Download
memory/652-1464-0x0000000002090000-0x00000000020CC000-memory.dmp

Filesize
240KB

Download
memory/652-1436-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/652-1536-0x00000000020D0000-0x00000000020DB000-memory.dmp

Filesize
44KB

Download
memory/4800-1550-0x00000000030E0000-0x0000000003125000-memory.dmp

Filesize
276KB

Download
memory/4800-1556-0x00000000032D0000-0x00000000032E5000-memory.dmp

Filesize
84KB

Download
memory/4800-1540-0x0000000000940000-0x0000000000A62000-memory.dmp

Filesize
1.1MB

Download
memory/4800-1545-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4800-1542-0x0000000000AE0000-0x0000000000B43000-memory.dmp

Filesize
396KB

Download
memory/4800-1554-0x0000000002650000-0x000000000265B000-memory.dmp

Filesize
44KB

Download
memory/4800-1555-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/4800-1541-0x0000000000A70000-0x0000000000AD5000-memory.dmp

Filesize
404KB

Download
memory/4800-1562-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4800-1563-0x0000000002650000-0x000000000265B000-memory.dmp

Filesize
44KB

Download
memory/4800-1565-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4800-1566-0x000000006B240000-0x000000006B29A000-memory.dmp

Filesize
360KB

Download
memory/4800-1567-0x0000000000940000-0x0000000000A62000-memory.dmp

Filesize
1.1MB

Download
memory/4800-1568-0x0000000000A70000-0x0000000000AD5000-memory.dmp

Filesize
404KB

Download
memory/4800-1569-0x0000000000AE0000-0x0000000000B43000-memory.dmp

Filesize
396KB

Download