amadey | 049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97

Resubmissions

17/02/2024, 10:02

240217-l24trade9w 10

17/02/2024, 08:08

240217-j1qvdsdc95 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
Size

1.8MB
MD5

c9d376e79eb0251dfb1b0fb3e8b76afc
SHA1

b7630bdc371afbf8085c3e067f3292dbf7c436e3
SHA256

049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97
SHA512

6b23e23e0a960e7e8dc1bcfd8bd47d0df595b54db18c7f761273e767d75de58a7666d837036b4d6229e072ca2a871f75eb9457449a71759cba651d4efea0d218
SSDEEP

49152:6zryoaJgiTbUaOhHtjJSG1Eix9yRtQzYx7ZJXgsY+3n:s+DqiTw14yjyUMx7Dgs53

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

new

185.215.113.67:26260

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

@oni912

45.15.156.209:40481

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTrafic

20.218.68.91:9552

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

remcos

Botnet

1800

xrootx.zapto.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
viewer.exe
copy_folder
viewer
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
viewer
mouse_option
false
mutex
Rmc-BAHBFO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lumma

https://mealroomrallpassiveer.shop/api

https://gemcreedarticulateod.shop/api

https://secretionsuitcasenioise.shop/api

https://claimconcessionrebe.shop/api

https://liabilityarrangemenyit.shop/api

https://triangleseasonbenchwj.shop/api

https://resergvearyinitiani.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4740	schtasks.exe
		2572	schtasks.exe
		2176	schtasks.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine		049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002326e-500.dat	family_zgrat_v1
behavioral2/files/0x000600000002326e-519.dat	family_zgrat_v1
behavioral2/files/0x000600000002326e-518.dat	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral2/memory/5084-641-0x0000000000400000-0x0000000002FC1000-memory.dmp	family_glupteba
behavioral2/memory/5084-808-0x0000000000400000-0x0000000002FC1000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023228-34.dat	family_redline
behavioral2/memory/3984-49-0x0000000000E80000-0x0000000000ED4000-memory.dmp	family_redline
behavioral2/memory/4520-143-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/files/0x000600000002323b-174.dat	family_redline
behavioral2/memory/388-347-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5096 created 2508	5096	MsBuild.exe	65

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ladas.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
71	404	rundll32.exe
87	4544	rundll32.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4928	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ladas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ladas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	STAR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	1800.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	7200.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	nine.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	STAR.exe

Executes dropped EXE 43 IoCs

pid	Process
1804	explorgu.exe
3984	new.exe
3408	ladas.exe
2100	for.exe
3404	father1.exe
1972	bott.exe
540	STAR.exe
3240	Conhost.exe
1552	nine.exe
5084	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1480	cmd.exe
2620	lolololoMRK123.exe
2412	WerFault.exe
4676	987123.exe
2948	qemu-ga.exe
1532	daisy123.exe
3052	lumma123142124.exe
4164	National.exe
1412	WerFault.exe
2160	1800.exe
212	father1.exe
3876	viewer.exe
2480	Process not Found
4784	phonesteal.exe
5004	InstallSetup3.exe
3256	BroomSetup.exe
2400	5AFC.exe
3864	nsq5EF6.tmp
2228	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4220	explorer.exe
4780	7200.exe
4580	7200.exe
724	7200.exe
2004	848F.exe
2320	vzxmpncsktsu.exe
1108	csrss.exe
2316	icfsvec
2280	BC68.exe
4920	injector.exe
3460	CCE5.exe
3196	E8AC.exe
1488	windefender.exe
4972	windefender.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	ladas.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	explorgu.exe

Loads dropped DLL 11 IoCs

pid	Process
4052	WerFault.exe
404	rundll32.exe
4544	rundll32.exe
5004	InstallSetup3.exe
5004	InstallSetup3.exe
3864	nsq5EF6.tmp
3864	nsq5EF6.tmp
4164	National.exe
5004	InstallSetup3.exe
3460	CCE5.exe
3460	CCE5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3928	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	1800.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	1800.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	viewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	viewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\93db7362-854d-4b28-89aa-862ff7c9d4f4\\7200.exe\" --AutoStart"	7200.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ladas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000417001\\ladas.exe"	explorgu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
141	api.2ip.ua
143	api.2ip.ua

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4220	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
1804	explorgu.exe
3408	ladas.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 3404 set thread context of 4520	3404	father1.exe	99
PID 2100 set thread context of 4456	2100	for.exe	100
PID 2620 set thread context of 2196	2620	lolololoMRK123.exe	115
PID 2412 set thread context of 388	2412	WerFault.exe	126
PID 1532 set thread context of 1508	1532	daisy123.exe	155
PID 3052 set thread context of 2676	3052	lumma123142124.exe	157
PID 3876 set thread context of 4992	3876	viewer.exe	191
PID 212 set thread context of 852	212	father1.exe	278
PID 4220 set thread context of 4780	4220	explorer.exe	239
PID 4580 set thread context of 724	4580	7200.exe	247
PID 2004 set thread context of 740	2004	848F.exe	255
PID 2320 set thread context of 4220	2320	vzxmpncsktsu.exe	267
PID 4164 set thread context of 5096	4164	National.exe	279

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorgu.job	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4024	sc.exe
3096	sc.exe
516	sc.exe
852	sc.exe
1384	sc.exe
820	sc.exe
4980	sc.exe
400	sc.exe
1328	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 55 IoCs

pid	pid_target	Process	procid_target
4524	5084	WerFault.exe	106
2880	5084	WerFault.exe	106
4932	5084	WerFault.exe	106
2912	1552	WerFault.exe	105
4892	5084	WerFault.exe	106
376	5084	WerFault.exe	106
960	2196	WerFault.exe	115
1688	2196	WerFault.exe	115
4604	5084	WerFault.exe	106
2416	5084	WerFault.exe	106
1796	4676	WerFault.exe	131
2480	5084	WerFault.exe	106
1148	5084	WerFault.exe	106
3564	5084	WerFault.exe	106
2884	5084	WerFault.exe	106
2404	5084	WerFault.exe	106
1176	2676	WerFault.exe	157
1476	5084	WerFault.exe	106
3392	5084	WerFault.exe	106
216	5084	WerFault.exe	106
4904	5084	WerFault.exe	106
1528	5084	WerFault.exe	106
224	5084	WerFault.exe	106
5072	5084	WerFault.exe	106
1528	2400	WerFault.exe	207
2244	5084	WerFault.exe	106
5020	2228	WerFault.exe	219
3824	2228	WerFault.exe	219
3652	2228	WerFault.exe	219
920	2228	WerFault.exe	219
5072	2228	WerFault.exe	219
964	2228	WerFault.exe	219
1412	2228	WerFault.exe	219
4040	2228	WerFault.exe	219
3104	2228	WerFault.exe	219
2628	724	WerFault.exe	247
3824	2228	WerFault.exe	219
220	1108	WerFault.exe	272
1148	1108	WerFault.exe	272
852	1108	WerFault.exe	272
3064	1108	WerFault.exe	272
1816	1108	WerFault.exe	272
4916	1108	WerFault.exe	272
4360	1108	WerFault.exe	272
2648	1108	WerFault.exe	272
4200	1108	WerFault.exe	272
4800	5096	WerFault.exe	279
400	5096	WerFault.exe	279
1528	1108	WerFault.exe	272
2496	1108	WerFault.exe	272
5012	1108	WerFault.exe	272
3696	2316	WerFault.exe	300
3832	1108	WerFault.exe	272
4176	1108	WerFault.exe	272
4128	3864	WerFault.exe	210

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5AFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	icfsvec
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	icfsvec
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5AFC.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5AFC.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	icfsvec
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsq5EF6.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsq5EF6.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCE5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCE5.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4740	schtasks.exe
2572	schtasks.exe
2176	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3864	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1800.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4220	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
4220	049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
1804	explorgu.exe
1804	explorgu.exe
3408	ladas.exe
3408	ladas.exe
1480	cmd.exe
1480	cmd.exe
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
540	STAR.exe
540	STAR.exe
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
3984	WerFault.exe
3984	WerFault.exe
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3492	powershell.exe
3492	powershell.exe
3424	Process not Found
3424	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1480	cmd.exe
3876	viewer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	STAR.exe
Token: SeDebugPrivilege	3984	WerFault.exe
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	3864	nsq5EF6.tmp
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeDebugPrivilege	1508	RegAsm.exe
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeDebugPrivilege	4520	RegAsm.exe
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeDebugPrivilege	388	RegAsm.exe
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4992	iexplore.exe
3256	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 3984	1804	explorgu.exe	93
PID 1804 wrote to memory of 3984	1804	explorgu.exe	93
PID 1804 wrote to memory of 3984	1804	explorgu.exe	93
PID 1804 wrote to memory of 3408	1804	explorgu.exe	94
PID 1804 wrote to memory of 3408	1804	explorgu.exe	94
PID 1804 wrote to memory of 3408	1804	explorgu.exe	94
PID 1804 wrote to memory of 2100	1804	explorgu.exe	95
PID 1804 wrote to memory of 2100	1804	explorgu.exe	95
PID 1804 wrote to memory of 2100	1804	explorgu.exe	95
PID 1804 wrote to memory of 3404	1804	explorgu.exe	97
PID 1804 wrote to memory of 3404	1804	explorgu.exe	97
PID 1804 wrote to memory of 3404	1804	explorgu.exe	97
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 3404 wrote to memory of 4520	3404	father1.exe	99
PID 2100 wrote to memory of 3144	2100	for.exe	101
PID 2100 wrote to memory of 3144	2100	for.exe	101
PID 2100 wrote to memory of 3144	2100	for.exe	101
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 2100 wrote to memory of 4456	2100	for.exe	100
PID 4456 wrote to memory of 1972	4456	RegAsm.exe	102
PID 4456 wrote to memory of 1972	4456	RegAsm.exe	102
PID 4456 wrote to memory of 1972	4456	RegAsm.exe	102
PID 4456 wrote to memory of 540	4456	RegAsm.exe	104
PID 4456 wrote to memory of 540	4456	RegAsm.exe	104
PID 4456 wrote to memory of 540	4456	RegAsm.exe	104
PID 1804 wrote to memory of 3240	1804	explorgu.exe	188
PID 1804 wrote to memory of 3240	1804	explorgu.exe	188
PID 1804 wrote to memory of 3240	1804	explorgu.exe	188
PID 3240 wrote to memory of 1552	3240	Conhost.exe	105
PID 3240 wrote to memory of 1552	3240	Conhost.exe	105
PID 3240 wrote to memory of 1552	3240	Conhost.exe	105
PID 3240 wrote to memory of 5084	3240	Conhost.exe	106
PID 3240 wrote to memory of 5084	3240	Conhost.exe	106
PID 3240 wrote to memory of 5084	3240	Conhost.exe	106
PID 3240 wrote to memory of 1480	3240	Conhost.exe	184
PID 3240 wrote to memory of 1480	3240	Conhost.exe	184
PID 3240 wrote to memory of 1480	3240	Conhost.exe	184
PID 1804 wrote to memory of 4052	1804	explorgu.exe	193
PID 1804 wrote to memory of 4052	1804	explorgu.exe	193
PID 1804 wrote to memory of 4052	1804	explorgu.exe	193
PID 4052 wrote to memory of 404	4052	WerFault.exe	109
PID 4052 wrote to memory of 404	4052	WerFault.exe	109
PID 404 wrote to memory of 3040	404	rundll32.exe	160
PID 404 wrote to memory of 3040	404	rundll32.exe	160
PID 1804 wrote to memory of 2620	1804	explorgu.exe	111
PID 1804 wrote to memory of 2620	1804	explorgu.exe	111
PID 1804 wrote to memory of 2620	1804	explorgu.exe	111
PID 2620 wrote to memory of 2196	2620	lolololoMRK123.exe	115
PID 2620 wrote to memory of 2196	2620	lolololoMRK123.exe	115
PID 2620 wrote to memory of 2196	2620	lolololoMRK123.exe	115
PID 2620 wrote to memory of 2196	2620	lolololoMRK123.exe	115
PID 2620 wrote to memory of 2196	2620	lolololoMRK123.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2508
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:4616

C:\Users\Admin\AppData\Local\Temp\049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe
"C:\Users\Admin\AppData\Local\Temp\049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97.exe"
1⤵
- DcRat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\1000409001\new.exe
  "C:\Users\Admin\AppData\Local\Temp\1000409001\new.exe"
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\1000417001\ladas.exe
  "C:\Users\Admin\AppData\Local\Temp\1000417001\ladas.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Users\Admin\AppData\Local\Temp\1000429001\for.exe
  "C:\Users\Admin\AppData\Local\Temp\1000429001\for.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"
      4⤵
      Executes dropped EXE
      PID:1972
  - - C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:540
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        5⤵
        Executes dropped EXE
        
        PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\1000430001\father1.exe
  "C:\Users\Admin\AppData\Local\Temp\1000430001\father1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- C:\Users\Admin\AppData\Local\Temp\1000436001\dayroc.exe
  "C:\Users\Admin\AppData\Local\Temp\1000436001\dayroc.exe"
  2⤵
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\nine.exe
    "C:\Users\Admin\AppData\Local\Temp\nine.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "nine.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nine.exe" & exit
      4⤵
      PID:4220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "nine.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:3864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1496
      4⤵
      Program crash
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - Executes dropped EXE
    PID:5084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 372
      4⤵
      Program crash
      PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 388
      4⤵
      Program crash
      PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 388
      4⤵
      Program crash
      PID:4932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 680
      4⤵
      Program crash
      PID:4892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 728
      4⤵
      Program crash
      PID:376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 728
      4⤵
      Program crash
      PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 692
      4⤵
      Program crash
      PID:2416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 728
      4⤵
      Program crash
      PID:2480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 760
      4⤵
      Program crash
      PID:1148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 768
      4⤵
      Program crash
      PID:3564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 876
      4⤵
      Program crash
      PID:2884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 660
      4⤵
      Program crash
      PID:2404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 816
      4⤵
      Program crash
      PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 796
      4⤵
      Program crash
      PID:3392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 920
      4⤵
      Program crash
      PID:216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 800
      4⤵
      Program crash
      PID:4904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 760
      4⤵
      Program crash
      PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 932
      4⤵
      Program crash
      PID:224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 788
      4⤵
      Program crash
      PID:5072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:2228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 340
        5⤵
        Program crash
        
        PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 356
        5⤵
        Program crash
        
        PID:3824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 356
        5⤵
        Program crash
        
        PID:3652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 644
        5⤵
        Program crash
        
        PID:920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 692
        5⤵
        Program crash
        
        PID:5072
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 692
        5⤵
        Program crash
        
        PID:964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 732
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Program crash
        
        PID:1412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 740
        5⤵
        Program crash
        
        PID:4040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 716
        5⤵
        Program crash
        
        PID:3104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2856
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1212
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 908
        5⤵
        Program crash
        
        PID:3824
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:1108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 372
        6⤵
        Program crash
        
        PID:220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 388
        6⤵
        Program crash
        
        PID:1148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 392
        6⤵
        Program crash
        
        PID:852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 680
        6⤵
        Program crash
        
        PID:3064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 696
        6⤵
        Program crash
        
        PID:1816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 744
        6⤵
        Program crash
        
        PID:4916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 744
        6⤵
        Program crash
        
        PID:4360
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 696
        6⤵
        Program crash
        
        PID:2648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 776
        6⤵
        Program crash
        
        PID:4200
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3632
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2572
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:3692
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 888
        6⤵
        Program crash
        
        PID:1528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 856
        6⤵
        Program crash
        
        PID:2496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 900
        6⤵
        Program crash
        
        PID:5012
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 972
        6⤵
        Program crash
        
        PID:3832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 996
        6⤵
        Program crash
        
        PID:4176
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:4920
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2176
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 876
      4⤵
      Program crash
      PID:2244
- - C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
    3⤵
    PID:1480
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:4052
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3492
- C:\Users\Admin\AppData\Local\Temp\1000438001\lolololoMRK123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000438001\lolololoMRK123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 816
      4⤵
      Program crash
      PID:960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1176
      4⤵
      Program crash
      PID:1688
- C:\Users\Admin\AppData\Local\Temp\1000439001\goldprime33333.exe
  "C:\Users\Admin\AppData\Local\Temp\1000439001\goldprime33333.exe"
  2⤵
  PID:2412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- C:\Users\Admin\AppData\Local\Temp\1000440001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000440001\987123.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 456
    3⤵
    - Program crash
    PID:1796
- C:\Users\Admin\AppData\Local\Temp\1000441001\daisy123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000441001\daisy123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Users\Admin\AppData\Local\Temp\1000442001\lumma123142124.exe
  "C:\Users\Admin\AppData\Local\Temp\1000442001\lumma123142124.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1184
      4⤵
      Program crash
      PID:1176
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\1000443001\National.exe
  "C:\Users\Admin\AppData\Local\Temp\1000443001\National.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:4164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    PID:5096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 448
      4⤵
      Program crash
      PID:4800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 428
      4⤵
      Program crash
      PID:400
- C:\Users\Admin\AppData\Local\Temp\1000444001\redline1234min.exe
  "C:\Users\Admin\AppData\Local\Temp\1000444001\redline1234min.exe"
  2⤵
  PID:1412
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "FLWCUERA"
    3⤵
    - Launches sc.exe
    PID:1384
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000444001\redline1234min.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1480
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3240
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "FLWCUERA"
    3⤵
    - Launches sc.exe
    PID:4980
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4024
- C:\Users\Admin\AppData\Local\Temp\1000445001\1800.exe
  "C:\Users\Admin\AppData\Local\Temp\1000445001\1800.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID:2160
- - C:\ProgramData\viewer\viewer.exe
    "C:\ProgramData\viewer\viewer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:3876
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4992
- C:\Users\Admin\AppData\Local\Temp\1000446001\father1.exe
  "C:\Users\Admin\AppData\Local\Temp\1000446001\father1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:852
- C:\Users\Admin\AppData\Local\Temp\1000449001\phonesteal.exe
  "C:\Users\Admin\AppData\Local\Temp\1000449001\phonesteal.exe"
  2⤵
  - Executes dropped EXE
  PID:4784
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "THYAWYFT"
    3⤵
    - Launches sc.exe
    PID:400
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "THYAWYFT" binpath= "C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3096
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "THYAWYFT"
    3⤵
    - Launches sc.exe
    PID:516
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1328
- C:\Users\Admin\AppData\Local\Temp\1000451001\InstallSetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\1000451001\InstallSetup3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:376
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4740
- - C:\Users\Admin\AppData\Local\Temp\nsq5EF6.tmp
    C:\Users\Admin\AppData\Local\Temp\nsq5EF6.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 2376
      4⤵
      Program crash
      PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5084 -ip 5084
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5084 -ip 5084
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1552 -ip 1552
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5084 -ip 5084
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5084 -ip 5084
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2196 -ip 2196
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2196 -ip 2196
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5084 -ip 5084
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5084 -ip 5084
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4676 -ip 4676
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5084 -ip 5084
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5084 -ip 5084
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5084 -ip 5084
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5084 -ip 5084
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5084 -ip 5084
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2676 -ip 2676
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5084 -ip 5084
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5084 -ip 5084
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5084 -ip 5084
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5084 -ip 5084
1⤵
PID:2484

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5084 -ip 5084
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5084 -ip 5084
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5084 -ip 5084
1⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\5AFC.exe
C:\Users\Admin\AppData\Local\Temp\5AFC.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 456
  2⤵
  - Program crash
  PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2400 -ip 2400
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5084 -ip 5084
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2228 -ip 2228
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2228 -ip 2228
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2228 -ip 2228
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2228 -ip 2228
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2228 -ip 2228
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2228 -ip 2228
1⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\7200.exe
C:\Users\Admin\AppData\Local\Temp\7200.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\7200.exe
  C:\Users\Admin\AppData\Local\Temp\7200.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4780
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\93db7362-854d-4b28-89aa-862ff7c9d4f4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3928
- - C:\Users\Admin\AppData\Local\Temp\7200.exe
    "C:\Users\Admin\AppData\Local\Temp\7200.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\7200.exe
      "C:\Users\Admin\AppData\Local\Temp\7200.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 572
        5⤵
        Program crash
        
        PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2228 -ip 2228
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2228 -ip 2228
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2228 -ip 2228
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 724 -ip 724
1⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\848F.exe
C:\Users\Admin\AppData\Local\Temp\848F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:740

C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2320
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2228 -ip 2228
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1108 -ip 1108
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1108 -ip 1108
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1108 -ip 1108
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1108 -ip 1108
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1108 -ip 1108
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1108 -ip 1108
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1108 -ip 1108
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1108 -ip 1108
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1108 -ip 1108
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5096 -ip 5096
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5096 -ip 5096
1⤵
PID:4052

C:\Users\Admin\AppData\Roaming\icfsvec
C:\Users\Admin\AppData\Roaming\icfsvec
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 348
  2⤵
  - Program crash
  PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1108 -ip 1108
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1108 -ip 1108
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1108 -ip 1108
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2316 -ip 2316
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\BC68.exe
C:\Users\Admin\AppData\Local\Temp\BC68.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C3BC.bat" "
1⤵
PID:4536
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1108 -ip 1108
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1108 -ip 1108
1⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\CCE5.exe
C:\Users\Admin\AppData\Local\Temp\CCE5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3460

C:\Users\Admin\AppData\Local\Temp\E8AC.exe
C:\Users\Admin\AppData\Local\Temp\E8AC.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3864 -ip 3864
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\BKFBAKFC

Filesize
92KB

MD5
c00f3970108a8af891b5768c37ef0b63

SHA1
cf5e378a5236a9a015fa5617a303f9a5a296e645

SHA256
d1edb25dac788ec78d570f905d9c81651b4229228272b3ebc64d20b3ca8c6d43

SHA512
7542d99357fab4e243caad174e1f1eb172c334ede37af2e32f49bb30fece84599eb28bea005eccd920d5903a85dbe4bf56a55f8d87f29eaab6187a72d15be93b

Download Submit
C:\ProgramData\GHIDHCBG

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
2.8MB

MD5
11db56e3d0623b22459b9d1327ee852d

SHA1
c4cc3357ffd12d9d01c86f8eb69577f2f079bc2c

SHA256
6ece3bcffb38a8983479ec7200280d0bb0a71af6825ccc9e2d34cbcbb6a72679

SHA512
6aa4f6af7ba3cc8b329fc3d50eec0f2ccded7934a8e0055d8641850d8b73bf7ee432ee413a0be17007690cc465717f909ea12799804bc3059abc692b7a8caf30

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
1.8MB

MD5
09798643b32adac9fa941aa5d67c3130

SHA1
5150a5ff6ebe5f621a968b0b200b385f4b39e675

SHA256
b0f465eae77a72032993908c846cd0df140cf8ca4868e48db8d03fced1fbcbea

SHA512
427a3606fe59dd352b82e035310021767faf91f9c993eb686362b89f75746347d31588362b6a79bc344a3b0fb640c7b39775bf66a34627bba918a5ebf61334ec

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
1305705ab4eb7a8ff5a73874670d91f4

SHA1
a118cf0ba2d4ac47473b9140c0aa7745efc6aac7

SHA256
d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b

SHA512
27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\father1.exe.log

Filesize
137B

MD5
8a8f1e8a778dff107b41ea564681fe7b

SHA1
08efcfdc3e33281b2b107d16b739b72af4898041

SHA256
d09cdd05da4e3e875d3d5d66c542404519759acda2efa7c00ca69aa3f6234de4

SHA512
a372330793e09c661e6bf8b2c293c1af81de77972b8b4ba47055f07be0fcdfe5e507adbc53903a0cd90c392b36fe4a8a41d3fea923ad97fa061dbef65398edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
768KB

MD5
f09fe4a2690969f52cca208a10ce8b75

SHA1
e5c1c4ba5583fdd102a824c003a4ad94651b3648

SHA256
40f3e0d5cec50ef1114b997caa0a711c6ce073c5007de29efb17e97a3507fd5d

SHA512
804c4aae3aed427588d81c3e67e48238b5313f49c2bf1fd8912dbd09b54dd93a23b1a41ec516b6cc6c7243c8e1e1872133e8da7e1c05dc711037ae3de7a77010

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.1MB

MD5
82440cf5ce19f1ad6657e691efc349d2

SHA1
233049ed0a7b967476007985696aca02f9d8731d

SHA256
5e11a19af389479113dcd2503ea167299b75a6c299f7f4f9a28040fceb5556bb

SHA512
94faae02e725a12201d4dd8a8a88bded6c43ac567fd76c096397f968290da287b21e709b1e6ba155909bde8546e762fb0a8e6d4332fd34511bd46ff0c822717b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000409001\new.exe

Filesize
313KB

MD5
f7df4f6867414bb68132b8815f010e4a

SHA1
ff3b43447568de645671afb2214b26901ad7a4fc

SHA256
2c9490406c7ea631dddcd60f862445faef37c036651636e4bf5e6fe0837c4b42

SHA512
0ad9b1544c25ae7814fe1ecdb1cfd466fd14603a6d55749e63ce6b90926ad239f134aef1bcaa0910b79235b8a3873ad11698e17dbd0cfee92fb909f4daf0412e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000417001\ladas.exe

Filesize
2.2MB

MD5
6e49f343ba6688d54501cd8b58c89001

SHA1
80041efafa9271ff87ef2280dbe5c73cf8f75fb3

SHA256
28629cecd53471422a7b134c53549766172fa9ea00a672143dea813b3bd03953

SHA512
60436fb8aa1bcc6d71bd743e2129e12b1290b1588e8438cd85e88b4953dd69de6dea4e9f33e01bfc2866d991e9de41c8a4fc1aecbcd4af50a030d6787f25fab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000429001\for.exe

Filesize
1.6MB

MD5
8c281571c5fdaf40aa847d90e5a81075

SHA1
041fa6e79e9027350c1f241375687de7f8cba367

SHA256
0182e73c39240c0e660bbdd4262209f08d767562d4794b7ed5e36a4d4f36b409

SHA512
b0e481681b02e4cc4f95deff2fa21354f94ad34e6611d97de3a127ae285038164df724f3db27bbf03caa217c3d8dabf77bfdadeaf9af8a1915edacbd35c1c862

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000430001\father1.exe

Filesize
473KB

MD5
510dfa5c4583fda89207e06125341dc3

SHA1
91e7c4915b8db8effcb1a26d77c3987a695ae66a

SHA256
93b1c76d04b7977a070685303973aad9308781cd057bbf672b4f1367874807d6

SHA512
20d75af986ae7593dfa62fe7004a0108ee4c3f37f0d8807442d7d594b55c74f1ccbc0fbd5a3c89f18a75f19b3807f3183240739f498d4379fa0a06ed3163c792

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000436001\dayroc.exe

Filesize
1.9MB

MD5
ef91a7bb3f10577083de823a70d50ac7

SHA1
af866f02854d53dbc923bb8c555a3fe40fdbbf7f

SHA256
0b20a6da02fd0f6e86bcc90abb7ffc1a5b23c8e9b57b0eb07138897b691f2868

SHA512
f0cbcdfde24ed7f08b94702414da5d3e6f9170221cb1f030bf9714bbd0fbf9e88e525049a805f61e086f89b78ac8e007e1f86f9af93d87f124a7dafc92fc71d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000436001\dayroc.exe

Filesize
1.5MB

MD5
06fa0bf5994771b0522804b89809bde5

SHA1
cca7c72e64babefa00fc769d9362cb128e3749a1

SHA256
a98d56f8bc2f633724a16d85ff39a02101da42eb78bb088f6f6cae43d8749864

SHA512
51b01a804ba8aff5a3b0e2315a551334928aff4cea1bfa3c993d4c34523654a928e7281275bc62f159db1b1fed8a75affb329540204b0a319b4b12fd8e7d85f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000436001\dayroc.exe

Filesize
884KB

MD5
65c74ccff0873daf9673ca72e0055328

SHA1
338b2a8e300267f83be33abc9d43fdd6389207bf

SHA256
d57cbcc3b567565cfa1227e134d13d41eb196bf7e0608bbb1e98d9df36b131ea

SHA512
73bf289e8db3fc59668ff7d370a6af51dcd7f955c574a5728d9358b676649b4f5103f3a0a1508d36c5bdd062477182030d6260b225b37ae71120859e26953442

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000438001\lolololoMRK123.exe

Filesize
698KB

MD5
bf2a3e48b0ea897e1cb01f8e2d37a995

SHA1
4e7cd01f8126099d550e126ff1c44b9f60f79b70

SHA256
207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3

SHA512
78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000439001\goldprime33333.exe

Filesize
473KB

MD5
84cb35b70c2266fe9e772a021fbbe22d

SHA1
fbabe9ad454f21ef5a20221623d77f2b196ae380

SHA256
e37fa16a9b76172e6e54eb24ca65c8e5e6a57f2ba8a0299807d65f765a2b4505

SHA512
168e81403a03c395732a48e6a14bcff09410da38f8f65c01ff2590b19df649c381c330caba7750a8daa1ea61e617f3482be3882a55d6fb1df36ca143e4b1e13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000440001\987123.exe

Filesize
209KB

MD5
8dc46fadb945e97bf84f5702dcc691a2

SHA1
31e22604a1257732590549cb416015492284c5d3

SHA256
70fd119c172767101ef790b866591f8bec84744879d5987bef27b0ec665e3a39

SHA512
c305b0c1817ef1bd776349338268736466639f692478208e5f153373cec98bec8441f9a6edf1e6a496e58af4ed95cedc7a99fff5a86430617f77002df11e44b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000441001\daisy123.exe

Filesize
729KB

MD5
1338b7ca5a623cd47c66cf7206c03032

SHA1
9ce813616c42f78a4ab1abd7f9ae80844572c5f7

SHA256
b763ff181cebb4524a148d2689b39f4744fbf0237ae7c18cd4085f3fead3bd8e

SHA512
990f171c4c31cf1b33304eb08c3fa6ef3827890c71cfc452ec223050d27a0f8a2670fae0cc0f346eb4b3ba603da18d707a5045ccfe15903ba6ced9836a94af73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000442001\lumma123142124.exe

Filesize
384KB

MD5
51a7489e65f007d55033dcfcabcef011

SHA1
0941ec05d4b8b284d14ce9f0a56cd7d14617e399

SHA256
66fca478c19837741208deb7b06b47943b67c2e70bb5f03486a98c0e120196a1

SHA512
b3bccf89e9efb315f0dd4f99d5c0b4f8f8cd8cb8c29e9c20c362e14bc51f0c2ba33ed9360ce5eaf1b279643664016c9481313ea04b9c137c30aa943e47e3e875

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000442001\lumma123142124.exe

Filesize
600KB

MD5
cad41f50c144c92747eee506f5c69a05

SHA1
f08fd5ec92fd22ba613776199182b3b1edb4f7b2

SHA256
1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6

SHA512
64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000442001\lumma123142124.exe

Filesize
576KB

MD5
f43abe3c7cc9d32091dbd9c81d4c9528

SHA1
44d69855775a46b7ad1fa52e24a4880cf9d7e7d6

SHA256
ef2b842b8e14c6f96390342d32c99ea30b599b44c1fe9c6b6d0f44747e2af8b9

SHA512
c93a3ca9639b49a0f9b133faf56ddec04af1cbb5e7680409e4a28707b4a95a6f6f7492838d97d082b9bf5d54316d3be37d3e4f9c230665ab461f2bfd8e554616

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000443001\National.exe

Filesize
1024KB

MD5
d51523aa33a7e91a07a564b734a48478

SHA1
9c42245605220c15dd13727f3c6b938699d7a3d7

SHA256
8c76133c72e19c9eeff864db71c00781eed6c92a9630186cda997c60b6ddf604

SHA512
f9c59711f4e788d202dbf9bf95a911e723c5ceba208ff025ccb09c9d2bb04f53cdcd9e962359f615299a2b808f4ede5271d6110ad8997760dba2f2fd3b4d0da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000443001\National.exe

Filesize
5.3MB

MD5
695aa77fcab5f9b824df3b9a664f834c

SHA1
2b6decd0c3c2c0fcfa3564bcfa3b98c4393c94c4

SHA256
fa454ef534990945fa6a7ecb3847133fece30aa70e6aa4ee5f76c8adc722419e

SHA512
819c749a481d7a404fab3547ccef6a1a3893a1f4c3677abfe14791e701747fcbd10d14c21be16843be7bd5f61dac79e57596e53f8341bde75470e9707cb950bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000443001\National.exe

Filesize
3.6MB

MD5
fe81c7122aa7fad96063c124efe7d975

SHA1
5b11bbc146830eea672134083c4566e89f1559e1

SHA256
f2384c620638ad97ec27c5983a7c64db5f71c9e80b12fce1b74fc8250cef1103

SHA512
9ae97a3d24495ea82ad660e0e25221cc644b1fef1794ceb66fe8b64c19fa971b798e61ccc395bfb53bbe6f26d7d4692bd8ce5564fb229f484d168ad019c619e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000444001\redline1234min.exe

Filesize
6.4MB

MD5
2eafb4926d78feb0b61d5b995d0fe6ee

SHA1
f6e75678f1dafcb18408452ea948b9ad51b5d83e

SHA256
50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

SHA512
1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000445001\1800.exe

Filesize
483KB

MD5
854330d29537a29370768614dccb3642

SHA1
63cb03e1bb0dfbaab5a5e9f1648b3634b7fe0122

SHA256
26470b8160eb4aa46d378b894397f0aa6308a62b04c07cca690d04fa7e8cbb81

SHA512
070f7fb17590e858a9984a81d4e276b775d263e13b2619e37e50ef44db920bd17e2573f4a678f905cf48a6535633ddf48e8283508ccacc2de40d1869dbb789da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000449001\phonesteal.exe

Filesize
2.3MB

MD5
e8b99b8122f599df6b7a6f5046c7a23c

SHA1
cf33531f98102d4e5c24331221a8061a62f65eb2

SHA256
16817acd89f36b405809bf9b0b501fe4ec63b12a76454d991f2192b3f6238b3d

SHA512
012c77e154154c12f02c91755d00893536a3e04203fcd34a9cf896fa29e9765a16319c2ad0a11703d1b4ceef25ce9433d3e8c073ceeba9a6791fd04f5b9c6898

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000449001\phonesteal.exe

Filesize
1.1MB

MD5
0ca44e6ea41cf5a96d104f32d0e7bfdf

SHA1
e270017abf9da222649db28a4debea8134dbddb7

SHA256
79c0085696eb6fb55560b8dfd6ebc1fd616cab581591183d3eacba0b6ccd7bab

SHA512
487521c62ec3517046c47d1ffc2af64763f9f158f7294b1c65375f02abffbdd29c16ad5f188da24ae9e37019e5a3731bf0c18740a366979c363fd69efb018b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000449001\phonesteal.exe

Filesize
1.1MB

MD5
88e5b44cd011c8740a14f84a95408003

SHA1
37b6eed0e006baecd11ce60d58fc30f887ece905

SHA256
60d1c3d7f8778e773e10a1afe1440bcda8173e9133d4e506776f9bb23a7c5aaa

SHA512
dcc3dc06d95351517bfec652cb55868f8bf16aa205fa40404ccaa53ec37fc4796af6172f87b256b9ae956fc501e5e984c4b0f0a9b83411f4c4ca3bf0c4e18b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000451001\InstallSetup3.exe

Filesize
1.4MB

MD5
91406bcba2d81aefef72f021d95962e5

SHA1
4188938c35832ba7e9229add9e4ae120324de32b

SHA256
7ac862083447d1fa02f2d457ca44fcc0c22c5ebee445c15a1a1ceecf05953059

SHA512
cb319ae5351d3064afdabc2e7fda3007eb3d6a9360004d34e420047c7435b4442bd753448600106560edb8f58781b2064b31b733df9886ecd5fd4d01ba7683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000451001\InstallSetup3.exe

Filesize
1.2MB

MD5
a58ca7ead0167cfc3c531c905111f5df

SHA1
a1be53f2870a433bfab9a3549d4f7c0d64504794

SHA256
176ef5396f7af390bccd0cf0dbcee36f5a56da708a6c413cb0631652a71595ac

SHA512
5d0538d6eda750f028486e0e836ff03e127f9133567fcd4946692548beba484e3c2a445f123de9e01fdfd9bf920fb8f8be190272ef6bf6cb81e2ec567ff63469

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000451001\InstallSetup3.exe

Filesize
320KB

MD5
63810e4c240138e11c5613372220b752

SHA1
b0d3b20e1ba249d24ed3b02048ed8f16e3f245f4

SHA256
21e19ec0cab342b57881d1e3346ff263e1cc0c75ce8f9c875ae4238d2df11ad9

SHA512
91071187895f594a5ac62c5dfdaeae4a573da99efad2b9a4e8bcb7a3f86a7308a5023c3ae711a2c71950dc88e10079da058706987791ec1a09f723641342ba6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AFC.exe

Filesize
210KB

MD5
c2de7ade299a06166e220fcef5d1ba8c

SHA1
d12c026b1027400546ab28afb3e524c7ac883fe2

SHA256
06e3dd9b9dbd34e7b59e7d4c3e91e758990f36a59f8693588a41a2e1cdc46d70

SHA512
a432913d00b47098f2e50d93a235655d08558d39f0b75f072761c4f6cf1fa9c74c4b3787bff0d5becc93bcaf372bfbc78db1d285bc877860a8e414904135aa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
128KB

MD5
1844d76e7d4331107eeb8fc6274fa9b2

SHA1
82ae81925c68a662af3b5243db9ae9d0b1721958

SHA256
0fddf79ba668abf7a760e7076da3fdcca389e221c5005b10737a75b271da3aa1

SHA512
2be6c7a7f25b12ee3082f122fd17ded3697dd97518e41765d49f5141e969b6e4d24f664a6aae29e647c2e8d7518d3a6b1216c8a460a7425ab4c60e5bd60dc947

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atfp3imu.ada.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
1.6MB

MD5
455b779a2d02700890449806008c8fc9

SHA1
68d0976fb223cbe6b39ef22988d83d0da15fe9cb

SHA256
971fc75f876ddc751c297563fa61c83325acc19756124c2737f5e084c1c35678

SHA512
4855c5e2d37094de49508621886b5693c2d579894de8dd11751fdf4a94a5473cbe5db4adf9382924a7b7258a5428a2a16269860424b864a49661bb907661d597

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
2.8MB

MD5
406f1a49f0aafa73fb1bcdf00a434527

SHA1
aca2f0c06799e7bc6be4e96f77b593ec1417a5fe

SHA256
2f0cfc0992376054a8854522a3cbde4dca6517cbb73db3029015ebe94221adb0

SHA512
e66da581187fcfd9b4a71c792bd1725e39f2640c5f9de72ef00df5dd2c25c484dc7d1fe2a798d993812fc573aaaac4b81dc4711e858bc13da3342900675d4523

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
1.4MB

MD5
5904aaeffd4e1c818f4602fe793873a0

SHA1
1517968f1c0012b6b6a6962a38f234bf63b3832a

SHA256
400c81a62d355dbf62a72cde07bd4eb5739b8281f88d5a52ad4ac7a4598a6304

SHA512
a4896503c7169653efb12dc48d023b26a6254098f997bcd355aaf2eadf7ef2385e5112d6f110ddf56c27f2d652e6995a0bf0ec49ef99bc4cf200d7f0799a04ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nine.exe

Filesize
257KB

MD5
9377b2d9cf30cdb95938581d2f443d0c

SHA1
5b2d23dea7d5f7deded14b1f33e08260b9c25878

SHA256
1b045d664cd5ce2bf315bffef85f0b4be363bd6d146533e3c3624257122330e9

SHA512
4278f05d7da33465332fe62b8a9f1e01717f99a3b7e8f7769ec62947b9aca924228575087a035bcc064f816e4b58ff28bc7ba0cc84545ebbe8cc0d69b7ca7f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq5EF6.tmp

Filesize
251KB

MD5
8099f80f064b7d443ec93ae86ab319af

SHA1
25a67a801fcc7cd1d71a2b0dcce208e08f73a8b6

SHA256
b4849f02af98969dffd7e6d0b448efba10ff2cd3aef1d2626fd26dea3596d1db

SHA512
f87fd187ce3f2d962f38c958097936f48b839ea127e240f7b24877e056f765e6c90fe354cfd3a848814aec6ae3dbcfa50b7e162d2654f6f1d3da72756716224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5996.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
170KB

MD5
55f8359ef2f889e04fe418c80bc952ed

SHA1
b2ac224b69c20b721ef9810b79003b513823e55f

SHA256
732cb080fb5e27e98728c42f77b5dd865faa1f5e840d8113c9f30fa2c3f550c8

SHA512
42bfba12e19f399beb54d65dfdb8767584c75264a1f321aee68cb85880d7ac606b3022bb0ab7df72075d3f2271e7d4918c9c7bae7acf6675856bcd21f6fe46b8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.1MB

MD5
fd17bf7b07fc556a1748e9aafed3a89f

SHA1
ba458f77410c2cd7644bb5a6f37d88ed86ebdfcf

SHA256
e649e0c94651f1201d50828cc7598eebf21dbae67631308b412febb3c9dbf9f6

SHA512
53a3975029e7788acab6242527a9f056b98e246c72a88eb440cf1407b96c86ef6781fffe0bf441d3d25521be3577ef7c87218ffb42b9aae49453861854fda3c4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
960KB

MD5
b6c58c88af87c88d7ad0a24ce5ef7407

SHA1
466aaa5a37c29c68a2852fd74d03ef6c7599691c

SHA256
6323464413929fee9e795cb652317d033281ded620cb8f42e37891e438425e00

SHA512
3023d9f3bede569f9976a7aeaa3c89f44118dc0238b75d6f77b883de2697a94f2ecf9a8e6c2d69b86d16ff7b84e4fa4f81b4ce1cf198411dbff5d4b1823afe7c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
832KB

MD5
4910dd4bddaa4c47d72780db97bdaade

SHA1
ce6c6e7ed66a71dd0cfe3efbc56385d7e806c401

SHA256
c99cdd0b5ed5f4c884fe2b7edbf9eea97ae5a0c4a0687da839c27c5d4df8a6dc

SHA512
b152f4aaf0e39bd90f2a5367b4ec1796d61eab27bd38d7297b2c2e7c37f94e15191e158b7f4b25227dc167975b4320604cdb06ad401d7a1dfd7cbe70cac31ed1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe

Filesize
570KB

MD5
ea037914e6f1aa6a8ad565407158d49b

SHA1
5fbbd923c0bbcf33fafca5a0ed847c19478856e5

SHA256
9deee2315490381305b70eeaff5805df00d10feb9d9f78fbce33b3cd5795ed73

SHA512
369943b3ac01a8c89c7d163391e60c2a4f9f616ade5161df8a67e75c490ff4a70b37d4b617675518c924d2fbc07605a37d4f76166da9becefcb4bd5052a69e55

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe

Filesize
313KB

MD5
753db7d6804f9f27aaf30fe62c00a011

SHA1
4c29fef91e4a099c08b90c0aa9f0397fba36d452

SHA256
8f09598518b4d2a084e1fe1068c43027fe9e6caed74de0926bdac110a305ac2c

SHA512
7ff04ef374e8a97b58f110dbf3451493c2e2644fce3935a6d4107074819d9547ea861c06a2ed24b5d459f41784bcc0be107c920e78310332ca50f3143b7ac830

Download Submit
memory/388-347-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1412-707-0x00007FF7035E0000-0x00007FF70401D000-memory.dmp

Filesize
10.2MB

Download
memory/1480-370-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/1508-488-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1552-383-0x0000000000400000-0x0000000002BED000-memory.dmp

Filesize
39.9MB

Download
memory/1804-23-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1804-399-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/1804-27-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1804-113-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/1804-139-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/1804-26-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1804-29-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1804-25-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1804-24-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1804-22-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1804-21-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1804-20-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/1804-153-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/1804-19-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/1804-28-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1804-572-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/1804-771-0x00000000000C0000-0x000000000055C000-memory.dmp

Filesize
4.6MB

Download
memory/2100-159-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2100-158-0x0000000002DB0000-0x0000000004DB0000-memory.dmp

Filesize
32.0MB

Download
memory/2100-114-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/2100-111-0x0000000000720000-0x00000000008B8000-memory.dmp

Filesize
1.6MB

Download
memory/2100-112-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2196-293-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2196-308-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2480-654-0x00007FF6F7FF0000-0x00007FF6F8A2D000-memory.dmp

Filesize
10.2MB

Download
memory/2676-523-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2676-530-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3404-138-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/3404-137-0x0000000004AB0000-0x0000000004B0A000-memory.dmp

Filesize
360KB

Download
memory/3404-134-0x00000000024F0000-0x000000000254C000-memory.dmp

Filesize
368KB

Download
memory/3404-147-0x0000000002770000-0x0000000004770000-memory.dmp

Filesize
32.0MB

Download
memory/3404-135-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/3404-150-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/3404-136-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/3408-82-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3408-84-0x0000000000FE0000-0x0000000001574000-memory.dmp

Filesize
5.6MB

Download
memory/3408-80-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/3408-81-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/3408-87-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/3408-329-0x0000000000FE0000-0x0000000001574000-memory.dmp

Filesize
5.6MB

Download
memory/3408-79-0x0000000000FE0000-0x0000000001574000-memory.dmp

Filesize
5.6MB

Download
memory/3408-709-0x0000000000FE0000-0x0000000001574000-memory.dmp

Filesize
5.6MB

Download
memory/3408-83-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/3408-85-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3408-91-0x0000000005930000-0x0000000005932000-memory.dmp

Filesize
8KB

Download
memory/3408-90-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3408-89-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/3408-88-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/3408-495-0x0000000000FE0000-0x0000000001574000-memory.dmp

Filesize
5.6MB

Download
memory/3408-86-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/3424-368-0x0000000003320000-0x0000000003336000-memory.dmp

Filesize
88KB

Download
memory/3492-539-0x00000153BC2C0000-0x00000153BC308000-memory.dmp

Filesize
288KB

Download
memory/3492-551-0x00000153BC2C0000-0x00000153BC308000-memory.dmp

Filesize
288KB

Download
memory/3864-815-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3984-58-0x0000000005BD0000-0x0000000005C0C000-memory.dmp

Filesize
240KB

Download
memory/3984-59-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/3984-149-0x0000000005B80000-0x0000000005B90000-memory.dmp

Filesize
64KB

Download
memory/3984-50-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/3984-51-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/3984-57-0x0000000005B60000-0x0000000005B72000-memory.dmp

Filesize
72KB

Download
memory/3984-56-0x0000000005CA0000-0x0000000005DAA000-memory.dmp

Filesize
1.0MB

Download
memory/3984-55-0x0000000006AD0000-0x00000000070E8000-memory.dmp

Filesize
6.1MB

Download
memory/3984-49-0x0000000000E80000-0x0000000000ED4000-memory.dmp

Filesize
336KB

Download
memory/3984-54-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/3984-142-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/3984-53-0x0000000005B80000-0x0000000005B90000-memory.dmp

Filesize
64KB

Download
memory/3984-52-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/4220-3-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/4220-5-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4220-8-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4220-4-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4220-2-0x00000000009D0000-0x0000000000E6C000-memory.dmp

Filesize
4.6MB

Download
memory/4220-7-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/4220-6-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4220-16-0x00000000009D0000-0x0000000000E6C000-memory.dmp

Filesize
4.6MB

Download
memory/4220-11-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/4220-1-0x0000000077274000-0x0000000077276000-memory.dmp

Filesize
8KB

Download
memory/4220-9-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4220-10-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4220-0-0x00000000009D0000-0x0000000000E6C000-memory.dmp

Filesize
4.6MB

Download
memory/4456-152-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4520-151-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/4520-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4992-655-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-663-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-698-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-697-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-696-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-695-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-692-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-653-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-665-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-664-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-699-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/4992-658-0x0000000001410000-0x0000000001492000-memory.dmp

Filesize
520KB

Download
memory/5084-808-0x0000000000400000-0x0000000002FC1000-memory.dmp

Filesize
43.8MB

Download
memory/5084-641-0x0000000000400000-0x0000000002FC1000-memory.dmp

Filesize
43.8MB

Download