dcrat | 271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48

Analysis

max time kernel
80s
max time network
156s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
10/11/2023, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe
Size

692KB
MD5

b9b6dd74fb1d23ee754f4246e8077370
SHA1

cbeed938bde198d49e16ca61e39af8d7a60a0b58
SHA256

271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48
SHA512

99f25011c607f79677a92f19b331310b916c5592c3760a0f12fc82abae7974f99c521f4fc0d45bcc6814b33345a5dda72033fa57a0f3fa33e1750dd9e54a6c47
SSDEEP

12288:sMrOy905gAt/+0dNkJs/wXcJsY8rUF2BeNJeaaZdQn3os3O0yk:KyMgAtoEJsY6k2BeLxaZC373O07

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

http://kkudndkwatnfevcaqeefytqnh.top/index.php

http://whxzqkbbtzvdyxdeseoiyujzs.co/index.php

http://nnzqahmamqucusarjveovbuyt.cyou/index.php

http://uohhunkmnfhbimtagizqgwpmv.to/index.php

http://163.5.169.23/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

195.10.205.17:24867

Extracted

Family

raccoon

Botnet

23545d68ee8b777ffd2f74f9eb99e145

http://91.103.252.114:80/

Attributes

user_agent
SunShineMoonLight

xor.plain

Signatures

DcRat 3 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""		271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe
		2240	schtasks.exe
		2016	schtasks.exe

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4324-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4324-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4324-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4324-31-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

resource	yara_rule
behavioral1/memory/316-247-0x0000000002D40000-0x000000000362B000-memory.dmp	family_glupteba
behavioral1/memory/316-249-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/316-326-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/316-564-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3700-578-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3700-885-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3700-1248-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3700-1503-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1676-1782-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1676-2283-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1676-2387-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2100-1514-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/2100-1517-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

resource	yara_rule
behavioral1/memory/1980-39-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x000900000001ab88-77.dat	family_redline
behavioral1/memory/2056-79-0x0000000000640000-0x000000000067E000-memory.dmp	family_redline
behavioral1/memory/5076-84-0x0000000000470000-0x00000000004CA000-memory.dmp	family_redline
behavioral1/memory/4788-87-0x0000000000160000-0x000000000017E000-memory.dmp	family_redline
behavioral1/files/0x000900000001ab88-85.dat	family_redline
behavioral1/memory/2056-240-0x0000000000400000-0x0000000000447000-memory.dmp	family_redline
behavioral1/memory/5076-246-0x0000000000400000-0x0000000000469000-memory.dmp	family_redline
behavioral1/memory/536-1165-0x0000000000D00000-0x0000000000D3C000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000900000001ab88-77.dat	family_sectoprat
behavioral1/memory/4788-87-0x0000000000160000-0x000000000017E000-memory.dmp	family_sectoprat
behavioral1/files/0x000900000001ab88-85.dat	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4920 created 3208	4920	latestX.exe	34
PID 4920 created 3208	4920	latestX.exe	34
PID 4920 created 3208	4920	latestX.exe	34
PID 4920 created 3208	4920	latestX.exe	34
PID 4920 created 3208	4920	latestX.exe	34

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4392	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunsing2022.ini.lnk	C7F4.exe

Executes dropped EXE 21 IoCs

pid	Process
2492	sr2RI36.exe
4756	VR3tE93.exe
1884	1uq89LB6.exe
432	2yU1765.exe
4568	6Wv9mb4.exe
4844	7yx3XK74.exe
2056	34B7.exe
5076	3564.exe
4788	36CC.exe
4716	6456.exe
2652	InstallSetup5.exe
1920	toolspub2.exe
316	31839b57a4f11171d6abc8bbc4451ee4.exe
4244	Broom.exe
4920	latestX.exe
3188	toolspub2.exe
3700	31839b57a4f11171d6abc8bbc4451ee4.exe
2092	C003.exe
3884	C7F4.exe
4148	client32.exe
1348	updater.exe

Loads dropped DLL 9 IoCs

pid	Process
2056	34B7.exe
2056	34B7.exe
5076	3564.exe
5076	3564.exe
4148	client32.exe
4148	client32.exe
4148	client32.exe
4148	client32.exe
4148	client32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4684-2398-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sr2RI36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VR3tE93.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 4324	1884	1uq89LB6.exe	75
PID 4568 set thread context of 1980	4568	6Wv9mb4.exe	81
PID 1920 set thread context of 3188	1920	toolspub2.exe	101
PID 2092 set thread context of 536	2092	cmd.exe	135

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3920	sc.exe
2512	sc.exe
5936	sc.exe
4444	sc.exe
1484	sc.exe
2840	sc.exe
3536	sc.exe
308	sc.exe
4392	sc.exe
5380	sc.exe
5320	sc.exe
5404	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2836	4324	WerFault.exe	75
4036	2056	WerFault.exe	86
3572	5076	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2yU1765.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2yU1765.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2yU1765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2240	schtasks.exe
2016	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	2yU1765.exe
432	2yU1765.exe
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3208	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
432	2yU1765.exe
3188	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeDebugPrivilege	4788	36CC.exe
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4148	client32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4244	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2492	5088	271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe	71
PID 5088 wrote to memory of 2492	5088	271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe	71
PID 5088 wrote to memory of 2492	5088	271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe	71
PID 2492 wrote to memory of 4756	2492	sr2RI36.exe	72
PID 2492 wrote to memory of 4756	2492	sr2RI36.exe	72
PID 2492 wrote to memory of 4756	2492	sr2RI36.exe	72
PID 4756 wrote to memory of 1884	4756	VR3tE93.exe	73
PID 4756 wrote to memory of 1884	4756	VR3tE93.exe	73
PID 4756 wrote to memory of 1884	4756	VR3tE93.exe	73
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 1884 wrote to memory of 4324	1884	1uq89LB6.exe	75
PID 4756 wrote to memory of 432	4756	VR3tE93.exe	76
PID 4756 wrote to memory of 432	4756	VR3tE93.exe	76
PID 4756 wrote to memory of 432	4756	VR3tE93.exe	76
PID 2492 wrote to memory of 4568	2492	sr2RI36.exe	79
PID 2492 wrote to memory of 4568	2492	sr2RI36.exe	79
PID 2492 wrote to memory of 4568	2492	sr2RI36.exe	79
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 4568 wrote to memory of 1980	4568	6Wv9mb4.exe	81
PID 5088 wrote to memory of 4844	5088	271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe	82
PID 5088 wrote to memory of 4844	5088	271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe	82
PID 5088 wrote to memory of 4844	5088	271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe	82
PID 4844 wrote to memory of 3640	4844	7yx3XK74.exe	83
PID 4844 wrote to memory of 3640	4844	7yx3XK74.exe	83
PID 4844 wrote to memory of 3640	4844	7yx3XK74.exe	83
PID 3208 wrote to memory of 2056	3208	Explorer.EXE	86
PID 3208 wrote to memory of 2056	3208	Explorer.EXE	86
PID 3208 wrote to memory of 2056	3208	Explorer.EXE	86
PID 3208 wrote to memory of 5076	3208	Explorer.EXE	88
PID 3208 wrote to memory of 5076	3208	Explorer.EXE	88
PID 3208 wrote to memory of 5076	3208	Explorer.EXE	88
PID 3208 wrote to memory of 4788	3208	Explorer.EXE	90
PID 3208 wrote to memory of 4788	3208	Explorer.EXE	90
PID 3208 wrote to memory of 4788	3208	Explorer.EXE	90
PID 3208 wrote to memory of 4716	3208	Explorer.EXE	95
PID 3208 wrote to memory of 4716	3208	Explorer.EXE	95
PID 3208 wrote to memory of 4716	3208	Explorer.EXE	95
PID 4716 wrote to memory of 2652	4716	6456.exe	96
PID 4716 wrote to memory of 2652	4716	6456.exe	96
PID 4716 wrote to memory of 2652	4716	6456.exe	96
PID 4716 wrote to memory of 1920	4716	6456.exe	97
PID 4716 wrote to memory of 1920	4716	6456.exe	97
PID 4716 wrote to memory of 1920	4716	6456.exe	97
PID 4716 wrote to memory of 316	4716	6456.exe	98
PID 4716 wrote to memory of 316	4716	6456.exe	98
PID 4716 wrote to memory of 316	4716	6456.exe	98
PID 2652 wrote to memory of 4244	2652	InstallSetup5.exe	99
PID 2652 wrote to memory of 4244	2652	InstallSetup5.exe	99
PID 2652 wrote to memory of 4244	2652	InstallSetup5.exe	99
PID 4716 wrote to memory of 4920	4716	6456.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe
  "C:\Users\Admin\AppData\Local\Temp\271df1427ca6985f867a1b6493884248f55b56c46d6db171a71e8b74f82ecb48.exe"
  2⤵
  - DcRat
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sr2RI36.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sr2RI36.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR3tE93.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR3tE93.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1uq89LB6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1uq89LB6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 196
        7⤵
        Program crash
        
        PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yU1765.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yU1765.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:432
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Wv9mb4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Wv9mb4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1980
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yx3XK74.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yx3XK74.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
      4⤵
      PID:3640
- C:\Users\Admin\AppData\Local\Temp\34B7.exe
  C:\Users\Admin\AppData\Local\Temp\34B7.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 756
    3⤵
    - Program crash
    PID:4036
- C:\Users\Admin\AppData\Local\Temp\3564.exe
  C:\Users\Admin\AppData\Local\Temp\3564.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 756
    3⤵
    - Program crash
    PID:3572
- C:\Users\Admin\AppData\Local\Temp\36CC.exe
  C:\Users\Admin\AppData\Local\Temp\36CC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\6456.exe
  C:\Users\Admin\AppData\Local\Temp\6456.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4244
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:3188
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      PID:3700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3440
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4528
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4392
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2084
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:1676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4172
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2240
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2792
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3576
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1332
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:1480
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2016
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2092
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:308
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:5380
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\C003.exe
  C:\Users\Admin\AppData\Local\Temp\C003.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:536
- C:\Users\Admin\AppData\Local\Temp\C7F4.exe
  C:\Users\Admin\AppData\Local\Temp\C7F4.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:3884
- - C:\Users\Admin\AppData\Roaming\fertyno12\client32.exe
    "C:\Users\Admin\AppData\Roaming\fertyno12\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3464
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2128
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    - Modifies data under HKEY_USERS
    PID:4392
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4444
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1484
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2840
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4856
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1012
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2072
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4360
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3672
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2780
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\1DD5.exe
  C:\Users\Admin\AppData\Local\Temp\1DD5.exe
  2⤵
  PID:3696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2100
- C:\Users\Admin\AppData\Local\Temp\1EA1.exe
  C:\Users\Admin\AppData\Local\Temp\1EA1.exe
  2⤵
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\8E25.exe
  C:\Users\Admin\AppData\Local\Temp\8E25.exe
  2⤵
  PID:4904
- - C:\ProgramData\D661.tmp
    "C:\ProgramData\D661.tmp"
    3⤵
    PID:5604
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D661.tmp >> NUL
      4⤵
      PID:2872
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7136
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3920
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2512
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5936
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5320
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5404
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2768
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5908
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5300
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5852
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:5588
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3472
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2104

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:164

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:6852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2184424523-918736138-622003966-1000\DDDDDDDDDDD

Filesize
129B

MD5
7abf94c51d69da5dd244ad05ae02d747

SHA1
9739d3d3d4e0db60644ed7b6c9ae5464f1d43897

SHA256
7636f62b113a44ef92de9a05110e89d6ee7b9471a280010b2cdd4cae5b333c27

SHA512
0888e2fc800b5b39476ec6f2010a471fb32bc40d261d7867207b649476e5632f81138ad05bad24c1d5b50d57da941e2c917e672abce3abff34f7ecb5c6bd9e0e

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\SYRWnZ0xS.README.txt

Filesize
2KB

MD5
707299f014c84f21604c5a7400a75d61

SHA1
786a029f23d6f5a65ae2076aa3bcd5771b07283c

SHA256
9801785375adad8a53f1e217c627f1e6c2508ab064ed9b7cae897f3908829d85

SHA512
9869ee9e69bbbb749019c94f34085ee0f24f6fd7446310b3f95457acedec3de2b74dc3b7316663dc2c8adb90d48d48594c5fb10cfd99545f957bf5cf9e75d8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fffe0795b300536b03d85a9753085160

SHA1
7b2155bdd0cb03c169e5387e11223656cdabef15

SHA256
237da3312d3a636e65c3a138081b9b5a156951b8c1dbc57b06f7c9bad976459a

SHA512
45b023985782dc3fffa65491cf25f2b87fe23a30dfea6ab60b6431375b90852eced7fe0c1ad351ca693d908b80ae85578794bc3c2834860281904d7f1b842c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DD5.exe

Filesize
217KB

MD5
269de4b105b76b03cc3133db3b885f36

SHA1
00ac349f8f69d4996ed86bad5f9efd413e7415b8

SHA256
049e444061d1a50456602e8468908f518e2516db1727c6bfd22689b65be3fa73

SHA512
0af7b3fd713d5536953cb057231a745a123bc0ce6c0f606220fc565fe6fd353ec8544518705c456f62b8ef727ee8a41053399c095c7cef853df71c02658ed4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EA1.exe

Filesize
268KB

MD5
75c58aaab6b530b03c84c2f7fc17ad27

SHA1
4f029b285b2c87e57aa8995d968844f5a2b69e3f

SHA256
da597c3cb8dcf3d3d732ff6ead1b5478d5aad785e4a8d4c01501f91fb575751a

SHA512
ffc1774816144b85e356928a673ed35286ecbae39373b73f69b47a2245205dc6e3b1b40323ad746395aa072474e6826ebc28bb0fe94732635794ec198b88f23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
8e8b113c8ceae15aa65ca7bdbe9cb793

SHA1
c5109c5158f0865ca59d645b48538665238348fa

SHA256
93ec6236b564de592261c56cac7f6adbfa051bb691cc4aad6def3bf3d0046924

SHA512
6d3dab940f5297afb03d311d6ca1ba5a6d6878010f8572190fe898215887e52fafc42e94f27e3c0c5a6b7825eb07e3c9775dad6dc1cae9144b43077715f09a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
8e8b113c8ceae15aa65ca7bdbe9cb793

SHA1
c5109c5158f0865ca59d645b48538665238348fa

SHA256
93ec6236b564de592261c56cac7f6adbfa051bb691cc4aad6def3bf3d0046924

SHA512
6d3dab940f5297afb03d311d6ca1ba5a6d6878010f8572190fe898215887e52fafc42e94f27e3c0c5a6b7825eb07e3c9775dad6dc1cae9144b43077715f09a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
8e8b113c8ceae15aa65ca7bdbe9cb793

SHA1
c5109c5158f0865ca59d645b48538665238348fa

SHA256
93ec6236b564de592261c56cac7f6adbfa051bb691cc4aad6def3bf3d0046924

SHA512
6d3dab940f5297afb03d311d6ca1ba5a6d6878010f8572190fe898215887e52fafc42e94f27e3c0c5a6b7825eb07e3c9775dad6dc1cae9144b43077715f09a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B7.exe

Filesize
270KB

MD5
08d14f9715fe88fe5260096942b4dd51

SHA1
a686291dfff855a8502cfd8a8f99effce3186101

SHA256
dab0e67f3eff66cbdc1b3d12e26b50a5e76c736935f755dfbea422b6e3976f88

SHA512
0f64a260cf95f8ed619b6cb9b18929e43f8569effe2389a14dea9bc1fd534a49b67a6e55973223740192ea7fa46dfa82b7f9cf0d5f036e9db7c2ce084942ada2

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B7.exe

Filesize
270KB

MD5
08d14f9715fe88fe5260096942b4dd51

SHA1
a686291dfff855a8502cfd8a8f99effce3186101

SHA256
dab0e67f3eff66cbdc1b3d12e26b50a5e76c736935f755dfbea422b6e3976f88

SHA512
0f64a260cf95f8ed619b6cb9b18929e43f8569effe2389a14dea9bc1fd534a49b67a6e55973223740192ea7fa46dfa82b7f9cf0d5f036e9db7c2ce084942ada2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3564.exe

Filesize
406KB

MD5
a8c9a333b36c8e75d8bddcb764b57ad5

SHA1
2a177564696110d0b6784312374111bf15d9804f

SHA256
5efdfa9a381962ab18fe88c5256b0b931fbcc4879b19ad20cf9f349d404ca49c

SHA512
2eea34fc923f89cd15e5c371ffef8bdee870c851a424b0ae4b49c4ec81bfede124ee5df8012d0bd1a8c90273fa61180a7dba4df18b1392fe9d1ff3c0e78aa5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3564.exe

Filesize
406KB

MD5
a8c9a333b36c8e75d8bddcb764b57ad5

SHA1
2a177564696110d0b6784312374111bf15d9804f

SHA256
5efdfa9a381962ab18fe88c5256b0b931fbcc4879b19ad20cf9f349d404ca49c

SHA512
2eea34fc923f89cd15e5c371ffef8bdee870c851a424b0ae4b49c4ec81bfede124ee5df8012d0bd1a8c90273fa61180a7dba4df18b1392fe9d1ff3c0e78aa5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\36CC.exe

Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\36CC.exe

Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6456.exe

Filesize
12.6MB

MD5
adac8c8e9cfb346c8c4f67979b28081c

SHA1
15bd3f97d431e2346182a3235087521d16ce4b3e

SHA256
72abf8c3fb6a8203fb09cc25458d00eaf0c09b243530cddeb1cebdd110a5f607

SHA512
34d47532dbe2b8333abde9fb0a2312ca79f130fc768dc3f77c01c4bb98eff5487711df9358412201206a33b41be6be2903f158e60abdf7c13af1de8965819b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\6456.exe

Filesize
12.6MB

MD5
adac8c8e9cfb346c8c4f67979b28081c

SHA1
15bd3f97d431e2346182a3235087521d16ce4b3e

SHA256
72abf8c3fb6a8203fb09cc25458d00eaf0c09b243530cddeb1cebdd110a5f607

SHA512
34d47532dbe2b8333abde9fb0a2312ca79f130fc768dc3f77c01c4bb98eff5487711df9358412201206a33b41be6be2903f158e60abdf7c13af1de8965819b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\C003.exe

Filesize
15.0MB

MD5
8210c61dc906154922ffffda017e67cd

SHA1
9b554c77bd8aedd700bea47fcf9debe2069942a3

SHA256
6d8d1cf3edb69a33ccf6231a554be1936787f3fb150064504db94fcf46c58914

SHA512
e94818a61864a6e700ecaea8779f745bb2e2f05db7bc46406de5696aecbfb589b245d861bf89fcafa5360c2e49e76ecdef4542455c1c19be7e67ac024468b284

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7F4.exe

Filesize
2.2MB

MD5
8938df5af0d41e8100b61d8ffdeca3ad

SHA1
abdefc86717bbb1715ba31f254c0ed955bdaca1b

SHA256
2e94304ab31f334eaf7ebc0f15f7e923c0a59354bd820b26665f0a9d3d69e812

SHA512
21e25ac9af0df50daa75101b64d3ce6a76d73bc11f515bba24a729be6be9fb89ad45558c2ee4269f79726b749aaf9941ba271b39b0dc660d8bc7858403126536

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7F4.exe

Filesize
2.2MB

MD5
8938df5af0d41e8100b61d8ffdeca3ad

SHA1
abdefc86717bbb1715ba31f254c0ed955bdaca1b

SHA256
2e94304ab31f334eaf7ebc0f15f7e923c0a59354bd820b26665f0a9d3d69e812

SHA512
21e25ac9af0df50daa75101b64d3ce6a76d73bc11f515bba24a729be6be9fb89ad45558c2ee4269f79726b749aaf9941ba271b39b0dc660d8bc7858403126536

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEE

Filesize
5.5MB

MD5
dd994120efc28fccc30a335989a4fb5f

SHA1
590544656f392fba5968fe3d8e522c08334e2a05

SHA256
a01081387bd3cdb8b8f15a0b87d64339d1cfca99aa698fc68a27b4679e567631

SHA512
0a1dd68d6d39900d4c0292caebb098f573098df4947f7b0c862ecc90b8ec70ed3c62582bd1677fd3f8fd4672c8794a94ebcb75832c1b83b78c35b10c629f10e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yx3XK74.exe

Filesize
73KB

MD5
99e3a9fd004eaf49ffd6364b986a7f3d

SHA1
a7671377b224821f176280ce23302913e268bd01

SHA256
c32fd9b1e9f800c00b10319f0bc889a025fc558fe8f4eb9c4af1a30db3af4bf8

SHA512
93565636d2d464ef2b6805630fbff2312a3825d5aed0ca79db6af79007e2363d5d0b8ba99785b1ac4348cccdea6cd66d37fbfa1cdca3ee2ba479d000013668bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yx3XK74.exe

Filesize
73KB

MD5
99e3a9fd004eaf49ffd6364b986a7f3d

SHA1
a7671377b224821f176280ce23302913e268bd01

SHA256
c32fd9b1e9f800c00b10319f0bc889a025fc558fe8f4eb9c4af1a30db3af4bf8

SHA512
93565636d2d464ef2b6805630fbff2312a3825d5aed0ca79db6af79007e2363d5d0b8ba99785b1ac4348cccdea6cd66d37fbfa1cdca3ee2ba479d000013668bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sr2RI36.exe

Filesize
570KB

MD5
f8d780b43172d75e63c9f9e61784932c

SHA1
60e69b05cac11be77bb5e5ea75b426a8f7cd7510

SHA256
e985be8b32fe16b550beb220621f6409e830326d96ee4ebc9d05e3377d73875f

SHA512
2ab6292fd1a4f59ba7b6cd15bc2752f4f85051ced66b279123d09454dcb9c14ccc89a6c40a0371ef433e4b7c668973b043396d311da0cf8055ce0d976fd98a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sr2RI36.exe

Filesize
570KB

MD5
f8d780b43172d75e63c9f9e61784932c

SHA1
60e69b05cac11be77bb5e5ea75b426a8f7cd7510

SHA256
e985be8b32fe16b550beb220621f6409e830326d96ee4ebc9d05e3377d73875f

SHA512
2ab6292fd1a4f59ba7b6cd15bc2752f4f85051ced66b279123d09454dcb9c14ccc89a6c40a0371ef433e4b7c668973b043396d311da0cf8055ce0d976fd98a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Wv9mb4.exe

Filesize
339KB

MD5
14d9834611ad581afcfea061652ff6cb

SHA1
802f964d0be7858eb2f1e7c6fcda03501fd1b71c

SHA256
e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

SHA512
cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Wv9mb4.exe

Filesize
339KB

MD5
14d9834611ad581afcfea061652ff6cb

SHA1
802f964d0be7858eb2f1e7c6fcda03501fd1b71c

SHA256
e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

SHA512
cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR3tE93.exe

Filesize
334KB

MD5
a8ece3c519a5304ad5d099475683a10f

SHA1
b67adfd7a46a6ef45fcbe2c9afca038b5897cd81

SHA256
9d63b39b733f6a06ee3d6b194b2f92df3ff4c52a8e99c7f6cfed00b85072c222

SHA512
23d2f53d8bd3f6cc2d78e8d4b853084fd363d004aa6dce2448e6fbb8a83838bc62992b77e7d4413e722d0aadcbe0ea3beb0ac6681b7cfa6dd80dc2e603998571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR3tE93.exe

Filesize
334KB

MD5
a8ece3c519a5304ad5d099475683a10f

SHA1
b67adfd7a46a6ef45fcbe2c9afca038b5897cd81

SHA256
9d63b39b733f6a06ee3d6b194b2f92df3ff4c52a8e99c7f6cfed00b85072c222

SHA512
23d2f53d8bd3f6cc2d78e8d4b853084fd363d004aa6dce2448e6fbb8a83838bc62992b77e7d4413e722d0aadcbe0ea3beb0ac6681b7cfa6dd80dc2e603998571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1uq89LB6.exe

Filesize
300KB

MD5
784667bb96ccb30c4cf44f2c5f493769

SHA1
28185165ab4dbbb4a139ae1af0bb6934ebe05c04

SHA256
1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

SHA512
62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1uq89LB6.exe

Filesize
300KB

MD5
784667bb96ccb30c4cf44f2c5f493769

SHA1
28185165ab4dbbb4a139ae1af0bb6934ebe05c04

SHA256
1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

SHA512
62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yU1765.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yU1765.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
bc3354a4cd405a2f2f98e8b343a7d08d

SHA1
4880d2a987354a3163461fddd2422e905976c5b2

SHA256
fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b

SHA512
fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
bc3354a4cd405a2f2f98e8b343a7d08d

SHA1
4880d2a987354a3163461fddd2422e905976c5b2

SHA256
fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b

SHA512
fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bvgdnzy5.roh.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp

Filesize
2.9MB

MD5
99847108235134ad7b83643d38fcf00b

SHA1
39d7269eccc404807f897db8b8ac3baf2e66d214

SHA256
425405d0d96b08ea95238840d4e0bc050687bcf05abd79f3b47ff3f01a779777

SHA512
8663bcf79b2e9313e36797e982e3843a46e1ac46a84136082afbbe5653b6bb952f1ef80ce237f88f52fa01d61cb366cf191896edf4faacc7569127e1a9e03cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new

Filesize
12.3MB

MD5
526f632622d32c87691fe60ca067f93e

SHA1
96a07e6e0f9c7d850e2aa5e4f41cdbc2ffae5961

SHA256
a33bb8eab2e44a890743621f37e83b9b72cbc608ea6e40d1f0db64323aa290a2

SHA512
1f9991b69fa3d64fd703a2f667134be9c8d595c6db964f9f87d754a388ffce2253f1c4025c2f28d30f654d4c5a43f3d07b13881617296e128833d98458f291ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61A4.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61C9.tmp

Filesize
92KB

MD5
90a4e3db168e5bdc6b5e562ce7f41a06

SHA1
2bf235c33b3395caefc1b9f1a280f83422f94d40

SHA256
fdd37b06f981e619d6690edeaa17ba8d86c66cec9331632f3d9922bb2c6eabf5

SHA512
e30f0a67bbdc6507ac5babaa5fe1e0db7cde6b62812f6365fe83293e5fbba3f62db43c80c635a43b3b0ffb2e08ac2faf79eff0d3bea8e2aaaca6c55fb0833c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6214.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
261KB

MD5
a32062da6b35029d6ca39c0dc056d0fa

SHA1
c41d980ce3fde0250e1aaefc7a5a044068c36fce

SHA256
2e8b2c2dc3720340cf0c4639d80e2a23cbea493f94e3f06c180bb6470b5ee804

SHA512
9d5ba2530e4221901cf4c4c5c0e2e395d022c570cc95491abf11a675fb2f1613d078fa6fb33cd4c37d06ddc3a04220601fdb8fcec46d26fa0e1ff61526aa8d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
261KB

MD5
a32062da6b35029d6ca39c0dc056d0fa

SHA1
c41d980ce3fde0250e1aaefc7a5a044068c36fce

SHA256
2e8b2c2dc3720340cf0c4639d80e2a23cbea493f94e3f06c180bb6470b5ee804

SHA512
9d5ba2530e4221901cf4c4c5c0e2e395d022c570cc95491abf11a675fb2f1613d078fa6fb33cd4c37d06ddc3a04220601fdb8fcec46d26fa0e1ff61526aa8d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
261KB

MD5
a32062da6b35029d6ca39c0dc056d0fa

SHA1
c41d980ce3fde0250e1aaefc7a5a044068c36fce

SHA256
2e8b2c2dc3720340cf0c4639d80e2a23cbea493f94e3f06c180bb6470b5ee804

SHA512
9d5ba2530e4221901cf4c4c5c0e2e395d022c570cc95491abf11a675fb2f1613d078fa6fb33cd4c37d06ddc3a04220601fdb8fcec46d26fa0e1ff61526aa8d19

Download Submit
C:\Users\Admin\AppData\Roaming\aaibbdr

Filesize
268KB

MD5
75c58aaab6b530b03c84c2f7fc17ad27

SHA1
4f029b285b2c87e57aa8995d968844f5a2b69e3f

SHA256
da597c3cb8dcf3d3d732ff6ead1b5478d5aad785e4a8d4c01501f91fb575751a

SHA512
ffc1774816144b85e356928a673ed35286ecbae39373b73f69b47a2245205dc6e3b1b40323ad746395aa072474e6826ebc28bb0fe94732635794ec198b88f23a

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\NSM.LIC

Filesize
260B

MD5
b03cdfa1a574db380c6285383d486208

SHA1
f671f79271ac46bf2cbc3905b67ef7d805e2f1ff

SHA256
7b4830e9191bf4d788f1ad64264be54296a870e96464126b885c057245ee0dc9

SHA512
9ea62686dc9493a1507da481a9e79a469e619b1c1924c5b0c8f534d33a3b4bafb0315c362701b942de5a5ab88d1b6d1a9efe442e7e0ed657f4e6d49b55a74ddf

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\PCICAPI.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\PCICL32.dll

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\client32.ini

Filesize
922B

MD5
5cc880ffdc6913ae7ca952b239650564

SHA1
25e94c34cec7341972fe5379348afafcdb46550d

SHA256
338bcf728f3ceb7b3e4f1dd308b2b834394b9441008a23d6fd84aa8adb2395c3

SHA512
b127aca5bd351c310f5aa609406c78d71928c98b6f2806c246dcab711d33229cdae5044c2fe5dd7c1c3442965bc33a8951bc54341d07fb06c34d0f73fa8ac101

Download Submit
C:\Users\Admin\AppData\Roaming\fertyno12\pcichek.dll

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
C:\Users\Admin\AppData\Roaming\twibbdr

Filesize
261KB

MD5
a32062da6b35029d6ca39c0dc056d0fa

SHA1
c41d980ce3fde0250e1aaefc7a5a044068c36fce

SHA256
2e8b2c2dc3720340cf0c4639d80e2a23cbea493f94e3f06c180bb6470b5ee804

SHA512
9d5ba2530e4221901cf4c4c5c0e2e395d022c570cc95491abf11a675fb2f1613d078fa6fb33cd4c37d06ddc3a04220601fdb8fcec46d26fa0e1ff61526aa8d19

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
85587aec4760b45e6fc83192847065f3

SHA1
eba3bb6cebbea794048783a9e8a720fbee8431c0

SHA256
6ce3eea1aeab1a1b1d2bc0cebf8c1926b304090d6af370776d84a0c9779ecaad

SHA512
b59918b8d5e33ad70075d296b2d5bd7416e65a05779f1d5b42913ce40fd9a3234a2ea3573402fc2f4c944dcdefc83541d4b1b2dbcbb848cfe0748f9e24edb9a5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
3203532dd46b8a4d6195806695a82887

SHA1
88566c6f49a4267039276253caaa3c90958e14c0

SHA256
503f2d4e2066f88b4d6c6b0d0623481a253a7f9e31cee59f36345afde6a18e3d

SHA512
cf57492989514be48c3a573d7ed431239989d0e776d5cc5850da768b876e6e520d83df4d51a20e4c6519955aec7b62ba9090c06b239dc0681a2fd1ceccaa2dfc

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
8e8b113c8ceae15aa65ca7bdbe9cb793

SHA1
c5109c5158f0865ca59d645b48538665238348fa

SHA256
93ec6236b564de592261c56cac7f6adbfa051bb691cc4aad6def3bf3d0046924

SHA512
6d3dab940f5297afb03d311d6ca1ba5a6d6878010f8572190fe898215887e52fafc42e94f27e3c0c5a6b7825eb07e3c9775dad6dc1cae9144b43077715f09a1b

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
8e8b113c8ceae15aa65ca7bdbe9cb793

SHA1
c5109c5158f0865ca59d645b48538665238348fa

SHA256
93ec6236b564de592261c56cac7f6adbfa051bb691cc4aad6def3bf3d0046924

SHA512
6d3dab940f5297afb03d311d6ca1ba5a6d6878010f8572190fe898215887e52fafc42e94f27e3c0c5a6b7825eb07e3c9775dad6dc1cae9144b43077715f09a1b

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
8e8b113c8ceae15aa65ca7bdbe9cb793

SHA1
c5109c5158f0865ca59d645b48538665238348fa

SHA256
93ec6236b564de592261c56cac7f6adbfa051bb691cc4aad6def3bf3d0046924

SHA512
6d3dab940f5297afb03d311d6ca1ba5a6d6878010f8572190fe898215887e52fafc42e94f27e3c0c5a6b7825eb07e3c9775dad6dc1cae9144b43077715f09a1b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2184424523-918736138-622003966-1000\DDDDDDDDDDD

Filesize
129B

MD5
51f715b006802617896007e95465ed63

SHA1
9e6f27151246ba62f59e52fc5b1c4bde011ee61d

SHA256
d32ba1edb4593a41be3dbac55ce2b7439263d453795656dddfbbced5a4e158c8

SHA512
35004cc990a820a08689acff522bfdcf170065fa752d9fbb3dd9b3b3c2d14ba91d8bb93dcb17162ae7ade459bb754de1e539907385c019439a0eeb95f28c7f55

Download Submit
\Users\Admin\AppData\Local\Temp\34B7.exe

Filesize
270KB

MD5
08d14f9715fe88fe5260096942b4dd51

SHA1
a686291dfff855a8502cfd8a8f99effce3186101

SHA256
dab0e67f3eff66cbdc1b3d12e26b50a5e76c736935f755dfbea422b6e3976f88

SHA512
0f64a260cf95f8ed619b6cb9b18929e43f8569effe2389a14dea9bc1fd534a49b67a6e55973223740192ea7fa46dfa82b7f9cf0d5f036e9db7c2ce084942ada2

Download Submit
\Users\Admin\AppData\Local\Temp\34B7.exe

Filesize
270KB

MD5
08d14f9715fe88fe5260096942b4dd51

SHA1
a686291dfff855a8502cfd8a8f99effce3186101

SHA256
dab0e67f3eff66cbdc1b3d12e26b50a5e76c736935f755dfbea422b6e3976f88

SHA512
0f64a260cf95f8ed619b6cb9b18929e43f8569effe2389a14dea9bc1fd534a49b67a6e55973223740192ea7fa46dfa82b7f9cf0d5f036e9db7c2ce084942ada2

Download Submit
\Users\Admin\AppData\Local\Temp\3564.exe

Filesize
406KB

MD5
a8c9a333b36c8e75d8bddcb764b57ad5

SHA1
2a177564696110d0b6784312374111bf15d9804f

SHA256
5efdfa9a381962ab18fe88c5256b0b931fbcc4879b19ad20cf9f349d404ca49c

SHA512
2eea34fc923f89cd15e5c371ffef8bdee870c851a424b0ae4b49c4ec81bfede124ee5df8012d0bd1a8c90273fa61180a7dba4df18b1392fe9d1ff3c0e78aa5cf

Download Submit
\Users\Admin\AppData\Local\Temp\3564.exe

Filesize
406KB

MD5
a8c9a333b36c8e75d8bddcb764b57ad5

SHA1
2a177564696110d0b6784312374111bf15d9804f

SHA256
5efdfa9a381962ab18fe88c5256b0b931fbcc4879b19ad20cf9f349d404ca49c

SHA512
2eea34fc923f89cd15e5c371ffef8bdee870c851a424b0ae4b49c4ec81bfede124ee5df8012d0bd1a8c90273fa61180a7dba4df18b1392fe9d1ff3c0e78aa5cf

Download Submit
\Users\Admin\AppData\Roaming\fertyno12\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
\Users\Admin\AppData\Roaming\fertyno12\PCICHEK.DLL

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
\Users\Admin\AppData\Roaming\fertyno12\PCICL32.DLL

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
\Users\Admin\AppData\Roaming\fertyno12\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\AppData\Roaming\fertyno12\pcicapi.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit
memory/316-560-0x0000000002940000-0x0000000002D3E000-memory.dmp

Filesize
4.0MB

Download
memory/316-326-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/316-245-0x0000000002940000-0x0000000002D3E000-memory.dmp

Filesize
4.0MB

Download
memory/316-247-0x0000000002D40000-0x000000000362B000-memory.dmp

Filesize
8.9MB

Download
memory/316-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/316-564-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/432-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/432-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/536-1165-0x0000000000D00000-0x0000000000D3C000-memory.dmp

Filesize
240KB

Download
memory/1348-1534-0x00007FF646FF0000-0x00007FF647591000-memory.dmp

Filesize
5.6MB

Download
memory/1676-2387-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1676-2283-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1676-1782-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1820-1789-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/1920-242-0x00000000007F0000-0x00000000007F9000-memory.dmp

Filesize
36KB

Download
memory/1920-241-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/1980-96-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-57-0x000000000BBD0000-0x000000000BBDA000-memory.dmp

Filesize
40KB

Download
memory/1980-52-0x000000000BC40000-0x000000000BCD2000-memory.dmp

Filesize
584KB

Download
memory/1980-51-0x000000000C0A0000-0x000000000C59E000-memory.dmp

Filesize
5.0MB

Download
memory/1980-48-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-58-0x000000000CBB0000-0x000000000D1B6000-memory.dmp

Filesize
6.0MB

Download
memory/1980-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-59-0x000000000BF00000-0x000000000C00A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-60-0x000000000BE30000-0x000000000BE42000-memory.dmp

Filesize
72KB

Download
memory/1980-61-0x000000000BE90000-0x000000000BECE000-memory.dmp

Filesize
248KB

Download
memory/1980-62-0x000000000C010000-0x000000000C05B000-memory.dmp

Filesize
300KB

Download
memory/2056-92-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-78-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2056-79-0x0000000000640000-0x000000000067E000-memory.dmp

Filesize
248KB

Download
memory/2056-110-0x0000000004870000-0x00000000048B7000-memory.dmp

Filesize
284KB

Download
memory/2056-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2056-250-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-1172-0x00007FF7C47F0000-0x00007FF7C4E5C000-memory.dmp

Filesize
6.4MB

Download
memory/2092-901-0x00007FF7C47F0000-0x00007FF7C4E5C000-memory.dmp

Filesize
6.4MB

Download
memory/2100-1517-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-1514-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3188-314-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3188-243-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3188-248-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3208-313-0x0000000001010000-0x0000000001026000-memory.dmp

Filesize
88KB

Download
memory/3208-32-0x0000000000F20000-0x0000000000F36000-memory.dmp

Filesize
88KB

Download
memory/3208-1787-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/3440-581-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/3700-577-0x0000000002A40000-0x0000000002E45000-memory.dmp

Filesize
4.0MB

Download
memory/3700-885-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3700-578-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3700-1248-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3700-1503-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4244-1277-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/4244-235-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4244-883-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/4244-327-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/4244-1531-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/4244-512-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4324-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-2398-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4716-210-0x0000000000540000-0x00000000011D8000-memory.dmp

Filesize
12.6MB

Download
memory/4716-237-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/4716-209-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/4788-109-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/4788-87-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/4788-93-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/4788-98-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4788-99-0x0000000005F00000-0x00000000060C2000-memory.dmp

Filesize
1.8MB

Download
memory/4788-228-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/4788-104-0x0000000006600000-0x0000000006B2C000-memory.dmp

Filesize
5.2MB

Download
memory/4788-107-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/4788-108-0x0000000006400000-0x0000000006476000-memory.dmp

Filesize
472KB

Download
memory/4888-256-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4888-260-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/4888-534-0x000000000A3C0000-0x000000000A3DA000-memory.dmp

Filesize
104KB

Download
memory/4888-255-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4888-253-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/4888-539-0x000000000A3B0000-0x000000000A3B8000-memory.dmp

Filesize
32KB

Download
memory/4888-262-0x0000000007F80000-0x00000000082D0000-memory.dmp

Filesize
3.3MB

Download
memory/4888-328-0x000000000A2A0000-0x000000000A2D3000-memory.dmp

Filesize
204KB

Download
memory/4888-331-0x000000006C000000-0x000000006C350000-memory.dmp

Filesize
3.3MB

Download
memory/4888-332-0x000000007F5A0000-0x000000007F5B0000-memory.dmp

Filesize
64KB

Download
memory/4888-254-0x0000000004E20000-0x0000000004E56000-memory.dmp

Filesize
216KB

Download
memory/4888-340-0x000000000A4E0000-0x000000000A574000-memory.dmp

Filesize
592KB

Download
memory/4888-259-0x00000000077E0000-0x0000000007E08000-memory.dmp

Filesize
6.2MB

Download
memory/4888-338-0x000000000A2E0000-0x000000000A385000-memory.dmp

Filesize
660KB

Download
memory/4888-562-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/4888-333-0x000000000A280000-0x000000000A29E000-memory.dmp

Filesize
120KB

Download
memory/4888-263-0x0000000008300000-0x000000000831C000-memory.dmp

Filesize
112KB

Download
memory/4888-330-0x000000006C350000-0x000000006C39B000-memory.dmp

Filesize
300KB

Download
memory/4888-339-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4888-282-0x0000000009380000-0x00000000093BC000-memory.dmp

Filesize
240KB

Download
memory/4888-261-0x0000000007F10000-0x0000000007F76000-memory.dmp

Filesize
408KB

Download
memory/4920-1257-0x00007FF6F82B0000-0x00007FF6F8851000-memory.dmp

Filesize
5.6MB

Download
memory/4920-329-0x00007FF6F82B0000-0x00007FF6F8851000-memory.dmp

Filesize
5.6MB

Download
memory/5076-97-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-80-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5076-84-0x0000000000470000-0x00000000004CA000-memory.dmp

Filesize
360KB

Download
memory/5076-246-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download