amadey | 256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26

Analysis

max time kernel
41s
max time network
206s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
Size

2.9MB
MD5

fb9013139f2568146f3db1a376908f08
SHA1

9dba582a4dd436e70444f4607858f215bb3e5f0f
SHA256

256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26
SHA512

ada9b0d18737cf64162eb8decd29dc98b10a3aff52e21a19785c24d3d6616a4c2431a45131024d1108da9334cafe8ebcf2b127a74e50c4a3b37c33bd59ddc433
SSDEEP

24576:zaEid4Bn1gYPGT64NVjrSE8RzHifChWJmp2eE1vg9CLeFHR2vZI6x6YjkfEDMDHu:zMdm1TGTrxUr4LNIHywkWsaLtrU

Score

10^/10

amadey glupteba lumma redline stealc zgrat @oleh_psp livetraffic dropper evasion infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.184.225.183:30592

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

stealc

http://52.143.157.84

http://185.172.128.209

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe	family_zgrat_v1
behavioral2/memory/5952-920-0x000002171F790000-0x000002171FA4B000-memory.dmp	family_zgrat_v1
behavioral2/memory/5952-922-0x000002171F790000-0x000002171FA4B000-memory.dmp	family_zgrat_v1
behavioral2/memory/5952-926-0x000002171F790000-0x000002171FA4B000-memory.dmp	family_zgrat_v1
behavioral2/memory/5952-928-0x000002171F790000-0x000002171FA4B000-memory.dmp	family_zgrat_v1
behavioral2/memory/5952-932-0x000002171F790000-0x000002171FA4B000-memory.dmp	family_zgrat_v1
behavioral2/memory/5952-936-0x000002171F790000-0x000002171FA4B000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5652-846-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4124-361-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exechrosha.exe256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exeexplorha.exeamert.exec37a0feacf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c37a0feacf.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

48 4544 rundll32.exe
50 1564 rundll32.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
48	4544	rundll32.exe
50	1564	rundll32.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrosha.exeexplorha.exeamert.exec37a0feacf.exeexplorha.exe256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c37a0feacf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c37a0feacf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe

Executes dropped EXE 12 IoCs

Processes:

explorha.exeamert.exe19058d25cb.exec37a0feacf.exeexplorha.exechrosha.exeswiiiii.exealexxxxxxxx.exegold.exepropro.exeTraffic.exeNewB.exe

pid	process
3376	explorha.exe
2544	amert.exe
2936	19058d25cb.exe
5024	c37a0feacf.exe
1280	explorha.exe
420	chrosha.exe
2004	swiiiii.exe
3468	alexxxxxxxx.exe
3620	gold.exe
2624	propro.exe
4488	Traffic.exe
1532	NewB.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeamert.exec37a0feacf.exeexplorha.exechrosha.exe256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Wine	c37a0feacf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Wine	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4756 rundll32.exe
4544 rundll32.exe
1564 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4756	rundll32.exe
4544	rundll32.exe
1564	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Run\19058d25cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\19058d25cb.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Run\c37a0feacf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\c37a0feacf.exe"	explorha.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

135 pastebin.com
136 pastebin.com
173 pastebin.com
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

208 ipinfo.io
209 ipinfo.io
220 api.myip.com
230 ipinfo.io
132 ip-api.com
201 api.myip.com
202 api.myip.com

flow	ioc
135	pastebin.com
136	pastebin.com
173	pastebin.com

flow	ioc
208	ipinfo.io
209	ipinfo.io
220	api.myip.com
230	ipinfo.io
132	ip-api.com
201	api.myip.com
202	api.myip.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\19058d25cb.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exeexplorha.exeamert.exec37a0feacf.exeexplorha.exechrosha.exe

pid	process
4100	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
3376	explorha.exe
2544	amert.exe
5024	c37a0feacf.exe
1280	explorha.exe
420	chrosha.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

swiiiii.exealexxxxxxxx.exegold.exe

description	pid	process	target process
PID 2004 set thread context of 3724	2004	swiiiii.exe	RegAsm.exe
PID 3468 set thread context of 1852	3468	alexxxxxxxx.exe	RegAsm.exe
PID 3620 set thread context of 4124	3620	gold.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

5516 sc.exe
5736 sc.exe
7156 sc.exe
1376 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1196 2004 WerFault.exe swiiiii.exe
5244 3056 WerFault.exe toolspub1.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5216 schtasks.exe

pid	process
5516	sc.exe
5736	sc.exe
7156	sc.exe
1376	sc.exe

pid	pid_target	process	target process
1196	2004	WerFault.exe	swiiiii.exe
5244	3056	WerFault.exe	toolspub1.exe

pid	process
5216	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579528658072531"	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exeexplorha.exeamert.exechrome.exec37a0feacf.exerundll32.exepowershell.exeexplorha.exechrosha.exe

pid	process
4100	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
4100	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
3376	explorha.exe
3376	explorha.exe
2544	amert.exe
2544	amert.exe
4928	chrome.exe
4928	chrome.exe
5024	c37a0feacf.exe
5024	c37a0feacf.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
1280	explorha.exe
1280	explorha.exe
420	chrosha.exe
420	chrosha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4928 chrome.exe
4928 chrome.exe
4928 chrome.exe

pid	process
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

chrome.exepowershell.exeTraffic.exe

description	pid	process
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeDebugPrivilege	4488	Traffic.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe19058d25cb.exechrome.exe

pid	process
4100	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
2936	19058d25cb.exe
4928	chrome.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe

Suspicious use of SendNotifyMessage 61 IoCs

Processes:

19058d25cb.exechrome.exe

pid	process
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe
2936	19058d25cb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exeexplorha.exe19058d25cb.exechrome.exe

description	pid	process	target process
PID 4100 wrote to memory of 3376	4100	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe	explorha.exe
PID 4100 wrote to memory of 3376	4100	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe	explorha.exe
PID 4100 wrote to memory of 3376	4100	256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe	explorha.exe
PID 3376 wrote to memory of 2544	3376	explorha.exe	amert.exe
PID 3376 wrote to memory of 2544	3376	explorha.exe	amert.exe
PID 3376 wrote to memory of 2544	3376	explorha.exe	amert.exe
PID 3376 wrote to memory of 2936	3376	explorha.exe	19058d25cb.exe
PID 3376 wrote to memory of 2936	3376	explorha.exe	19058d25cb.exe
PID 3376 wrote to memory of 2936	3376	explorha.exe	19058d25cb.exe
PID 2936 wrote to memory of 4928	2936	19058d25cb.exe	chrome.exe
PID 2936 wrote to memory of 4928	2936	19058d25cb.exe	chrome.exe
PID 4928 wrote to memory of 2036	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 2036	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 4120	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 1288	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 1288	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe
PID 4928 wrote to memory of 3068	4928	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe
"C:\Users\Admin\AppData\Local\Temp\256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\1000055001\19058d25cb.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\19058d25cb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdf78c9758,0x7ffdf78c9768,0x7ffdf78c9778
        5⤵
        
        PID:2036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:2
        5⤵
        
        PID:4120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:8
        5⤵
        
        PID:1288
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:8
        5⤵
        
        PID:3068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:1
        5⤵
        
        PID:660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:1
        5⤵
        
        PID:2116
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4424 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:1
        5⤵
        
        PID:2200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3192 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:8
        5⤵
        
        PID:4968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:8
        5⤵
        
        PID:420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:8
        5⤵
        
        PID:1644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:8
        5⤵
        
        PID:5376
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1780,i,7706796460948998977,6909501842268103637,131072 /prefetch:8
        5⤵
        
        PID:5384
- - C:\Users\Admin\AppData\Local\Temp\1000056001\c37a0feacf.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\c37a0feacf.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4756
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4544
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:96
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\768987046148_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:420
- C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 752
    3⤵
    - Program crash
    PID:1196
- C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1852
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4488
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:5648
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:6600
- C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
  "C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4124
- C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
  2⤵
  - Executes dropped EXE
  PID:1532
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\1000193001\ISetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000193001\ISetup8.exe"
    3⤵
    PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\u4io.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u4io.0.exe"
      4⤵
      PID:5540
  - - C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
      "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
      4⤵
      PID:5496
    - - C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
        
        C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
        5⤵
        
        PID:6976
      - C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
        
        C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
        6⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        
        PID:6416
  - - C:\Users\Admin\AppData\Local\Temp\u4io.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u4io.1.exe"
      4⤵
      PID:4532
- - C:\Users\Admin\AppData\Local\Temp\1000194001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000194001\toolspub1.exe"
    3⤵
    PID:3056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 516
      4⤵
      Program crash
      PID:5244
- - C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe
    "C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe"
    3⤵
    PID:5652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\1000196001\FirstZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1000196001\FirstZ.exe"
    3⤵
    PID:5448
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:6548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2784
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3532
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5516
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5736
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:7156
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1376
- - C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe
    "C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe"
    3⤵
    PID:4304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe" -Force
      4⤵
      PID:6124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:5172
    - - C:\Users\Admin\Pictures\7Q8K4CuZckrXWNnEVGMeayW6.exe
        
        "C:\Users\Admin\Pictures\7Q8K4CuZckrXWNnEVGMeayW6.exe"
        5⤵
        
        PID:4332
      - C:\Users\Admin\AppData\Local\Temp\u3cc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3cc.0.exe"
        6⤵
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
        6⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
        
        C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
        7⤵
        
        PID:7204
      - C:\Users\Admin\AppData\Local\Temp\u3cc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3cc.1.exe"
        6⤵
        
        PID:5896
    - - C:\Users\Admin\Pictures\dHSaGPqbkxYDGhyUY0Q9Lbp1.exe
        
        "C:\Users\Admin\Pictures\dHSaGPqbkxYDGhyUY0Q9Lbp1.exe"
        5⤵
        
        PID:668
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6364
    - - C:\Users\Admin\Pictures\ylnJzD5DpH8dCLYukwvQYDvX.exe
        
        "C:\Users\Admin\Pictures\ylnJzD5DpH8dCLYukwvQYDvX.exe"
        5⤵
        
        PID:2636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6388
    - - C:\Users\Admin\Pictures\jXvhv8WCRVtqCgSsEztJ8Ttr.exe
        
        "C:\Users\Admin\Pictures\jXvhv8WCRVtqCgSsEztJ8Ttr.exe"
        5⤵
        
        PID:4316
    - - C:\Users\Admin\Pictures\02QnqZmw4BnrJpfA2HygkTBs.exe
        
        "C:\Users\Admin\Pictures\02QnqZmw4BnrJpfA2HygkTBs.exe"
        5⤵
        
        PID:6152
      - C:\Users\Admin\AppData\Local\Temp\7zSF095.tmp\Install.exe
        
        .\Install.exe /sQwdidHh "385118" /S
        6⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:5956
    - - C:\Users\Admin\Pictures\hkEyhNKr7JSMT8p94WWVpmMu.exe
        
        "C:\Users\Admin\Pictures\hkEyhNKr7JSMT8p94WWVpmMu.exe" --silent --allusers=0
        5⤵
        
        PID:6524
      - C:\Users\Admin\Pictures\hkEyhNKr7JSMT8p94WWVpmMu.exe
        
        C:\Users\Admin\Pictures\hkEyhNKr7JSMT8p94WWVpmMu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6959e1d0,0x6959e1dc,0x6959e1e8
        6⤵
        
        PID:6820
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\hkEyhNKr7JSMT8p94WWVpmMu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\hkEyhNKr7JSMT8p94WWVpmMu.exe" --version
        6⤵
        
        PID:6300
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:5504
- - C:\Users\Admin\AppData\Local\Temp\1000200001\070.exe
    "C:\Users\Admin\AppData\Local\Temp\1000200001\070.exe"
    3⤵
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\is-3PL0V.tmp\is-0D1UR.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3PL0V.tmp\is-0D1UR.tmp" /SL4 $30254 "C:\Users\Admin\AppData\Local\Temp\1000200001\070.exe" 3710753 52224
      4⤵
      PID:5912
    - - C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
        
        "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
        5⤵
        
        PID:5392
    - - C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
        
        "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -s
        5⤵
        
        PID:5520
- C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
  "C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
  2⤵
  PID:5508
- C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
  2⤵
  PID:5888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6104
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  PID:6060
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    PID:6116
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\768987046148_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:4340
- C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
  "C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe"
  2⤵
  PID:6112
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  PID:5680
- C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe
  "C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe"
  2⤵
  PID:5992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5956
- C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe
  "C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe"
  2⤵
  PID:5952
- C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
  2⤵
  PID:5540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
    3⤵
    PID:1264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:5612
  - - C:\Users\Admin\Pictures\XNM7V1jHJLb8oxrsr5sLugOA.exe
      "C:\Users\Admin\Pictures\XNM7V1jHJLb8oxrsr5sLugOA.exe"
      4⤵
      PID:4132
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1920
  - - C:\Users\Admin\Pictures\s0T5mAx8RNWlQ0TtvApQBTi6.exe
      "C:\Users\Admin\Pictures\s0T5mAx8RNWlQ0TtvApQBTi6.exe"
      4⤵
      PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\u180.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u180.0.exe"
        5⤵
        
        PID:6680
  - - C:\Users\Admin\Pictures\vq1ErcWGdnaHNd3jjf5s0qeu.exe
      "C:\Users\Admin\Pictures\vq1ErcWGdnaHNd3jjf5s0qeu.exe"
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6572
  - - C:\Users\Admin\Pictures\xFrLknhh36QkLgggGDfBuJoH.exe
      "C:\Users\Admin\Pictures\xFrLknhh36QkLgggGDfBuJoH.exe"
      4⤵
      PID:6656
  - - C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe
      "C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe" --silent --allusers=0
      4⤵
      PID:6544
    - - C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe
        
        C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x260,0x69a5e1d0,0x69a5e1dc,0x69a5e1e8
        5⤵
        
        PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\i7bYeZeFhANyvuRkT8mmfHEe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\i7bYeZeFhANyvuRkT8mmfHEe.exe" --version
        5⤵
        
        PID:7128
    - - C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe
        
        "C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6544 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240418222920" --session-guid=32c1ff87-9cd2-4fdd-9168-dd539ca0ed51 --server-tracking-blob="YWQ4MWViNzliOGZjMzhkNmFjZjMzYTQxYzg5N2JkZTgyYTkxNmRkNjVkYTNmMjQwYWI5OWFhN2Y1YWMwNmQ5NDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNDc5MzM3LjE4MDkiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNWRjOGRiMTktMjRjNy00YjgyLWI3MzEtNGE3Y2Y5ZDgxMDhiIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4804000000000000
        5⤵
        
        PID:6420
      - C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe
        
        C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a0,0x2b0,0x2b4,0x27c,0x2b8,0x6811e1d0,0x6811e1dc,0x6811e1e8
        6⤵
        
        PID:792
  - - C:\Users\Admin\Pictures\zlf8RmnBjHV5mV5IQQ1AL247.exe
      "C:\Users\Admin\Pictures\zlf8RmnBjHV5mV5IQQ1AL247.exe"
      4⤵
      PID:6596
    - - C:\Users\Admin\AppData\Local\Temp\7zS2AA0.tmp\Install.exe
        
        .\Install.exe /sQwdidHh "385118" /S
        5⤵
        
        PID:6344
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:5180

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:6172

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
66111dd1bfae946e7110bc08e783b9c0

SHA1
3d7bfad9f08f39ac6f2e8dcf00b224d6119f6a4c

SHA256
cf46edae74bc028f53c56afc2192804f3fe5de285ac15a6ec50d04995ad111e2

SHA512
b1008e5dcd0c0eaec9599bb728c701a89ccd75d877e4b3de32e6673b1784fab80ef2d61da8c0e6d61ee842564c147c2bfbb68ad7a4ee89f0a95a61e5c6e28204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
04f400d579f873ec1785be7b20c6a660

SHA1
15060e590f07f61b86a18783a87bd5ffedc0194f

SHA256
52fad1d8f4e0bf95e2aa5cf3fd00977aca5999a0c1db66ed364966057fb3553a

SHA512
2864e8034f10364a280f7402244be9a86e807707e4f576cfe67d057a19c518e579428e7be3a5569eb09c5c126f3f7c520cb18b7ee1e7c531a420ed319faef50a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
542060aa4436970e813147371c3f83f6

SHA1
b081ff827f2eb1b9d43d729e610e0f442e2db64b

SHA256
82659e6a993e0f4632403d0e2c98d161e40646673841d7c4dd80f40cafce517a

SHA512
bcdc2eea9702ab2666834be7995da1e4093c21497aa8bad78f796c5e4ed0572a2cedb5ca8631c739e8235a928cf2625b0d7ea29599408cbcde4c5a0bb29b3b71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
e62ec68a57190435b82c200d12d5211a

SHA1
4d5d91f04a1bb1bdbf32bbee652851477d55064a

SHA256
ee39b6b8748397db808fd337259abddcdcc44ab30105cb11daf0776be645d546

SHA512
4f678e37ed68759436adfcbd4cab7fe8397af5dcfadebf514c3d5300efd816ee8b19bd4a717f902e793259a70e97c4d159fb348535178008a5c809b1f017880f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
37d2ba45feaace8a2e8e61322781ce85

SHA1
e14eadda523b06983b5cbb3935bdaa5d2d8733a0

SHA256
5772b73c0885231f3877477ec8daa9443c88df87e868f1a70b37ead24412e528

SHA512
7276eb168289f3fced03bad2f80c47e7d524eabc8740c0211d75c8cbeb9ea7f566c4f2bcd429a6af96e962745b35992ba54aabb04222a84d7e74839aeaaa57e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03fd847df279ed7c5e7d366fdca8dfe4

SHA1
dc56e21bb6dff41e2abd10d2dcd7a2d66f662854

SHA256
aaf1b15118a6a06d2f7365d8d791f55f1e1f394e89a110ff411d72d3f3d83415

SHA512
00c7b26201c20b321e532d18f6b2cd22057178b679e8245014b459ce719a43dab2585698619f4a31372276de473d9c20a1556a201e9d27c7fad94f5d874c8287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
0a0b4d6879860cc551271edf794404b3

SHA1
c186e77819ffb662f8e36f1df1c272cffd31f1f2

SHA256
1d966bf11b58838f9ebf3cd8e720bbea0577dada132aeef9663db9facfe15f8f

SHA512
a20f6cd2885437c4b5dde007a806f75f185726aaae7d2983874902b0e19e3cab5283e3221906afa84eacf60558673bb22696d94245f2bee3a7a7b0d486038925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
6c9b6a32082a328cddd8a4b759d54718

SHA1
6fd5dd4f086c6740f8f7ce3a07ce36b9e966fdaf

SHA256
d75ef75a2ccd21597bfa5c5682c7995a245a28942871d1093aedabc12b32e175

SHA512
fd40f1ab4aa628484a40e5505332bdbcb51b3abe05caa2d37b901e8ce6f1b86185f94915cf840af9a39370c42c6b3ae041e8ce297c501649b093ec7730bb8f6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
cddff43689f185bcfffffa4d7f52085d

SHA1
fd9f9fc07e98d4fa0e45568ffc882abdc77ec74b

SHA256
877b7ac2e8fef0dd3ffa766d71f00e5b7bf6fd9f1aec1e82136c9f697d67cec5

SHA512
5bcd56e86466579374f9a488ff6b018a5cb4fe7f50194639df0d34cf9ae3775ee445d564a9f1e3997220e68f0cf260e8b96cf1706faa5290c1d89e48b7a44c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
94855049590df2a11123e4b4dfb202a0

SHA1
60934db6289c32668291284f4024608874fc4901

SHA256
6a050ffa045a5aa2214f5452b3a580e33c0d488eeec2cffd76cf5a656ede0e2a

SHA512
7c6e93423e2fab8e3536add6b3d5df552541afbb0a95d6fb8f1c5f4f7882ea549a84ef00cd66f4c5765bdb80d36749db165e64456d8059e1c7368185d6b5579e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89fea0f6ba5c52e76c81fe473367b9f8

SHA1
01c68a516231eec1856f5527d7e517705035a4bf

SHA256
17eb9345b1a3edf85019d43e977e2542cdf60d1867f573622c238a82031a66cb

SHA512
a066a71e2f77869e427bad6ed05fd6f4f890aa43910b1c41c270623826a2288413b16bb212baa2ceaafb139408dd3f258cd9d711a9cbe48014fab583fc88cb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
2.9MB

MD5
fb9013139f2568146f3db1a376908f08

SHA1
9dba582a4dd436e70444f4607858f215bb3e5f0f

SHA256
256e281c960de9e841950d5160195d5d2aa4e90570199905a2878bc813ebbc26

SHA512
ada9b0d18737cf64162eb8decd29dc98b10a3aff52e21a19785c24d3d6616a4c2431a45131024d1108da9334cafe8ebcf2b127a74e50c4a3b37c33bd59ddc433

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe

Filesize
1.8MB

MD5
1ed78f44a2cad6e08da27edbc701b4bc

SHA1
e7a8bc103762db81429b13497c065ac16cac4b85

SHA256
20bd5a075cfee256a6cc19803fb9964834590840ada1212f7eca0a9d990e8359

SHA512
3882675eadbc45a7b534c0efc671551926bbc333275e03e8a4b23fdfc958af231094b65855fceccf6ec7c63ead1ad1a21bf3853e95eb05adca093a7820c22244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\19058d25cb.exe

Filesize
1.1MB

MD5
76c779d2a6e42c6dbcff43e67bb38ca3

SHA1
558f8e6b714efaeaba794e7d2b7821936a4da077

SHA256
e820be731929c621a94de7bd83e0da4796c103632961bda20ffbd568279e6f43

SHA512
516d91d0e635f3468d135bf51f507fe3d81c1fb72c8baccc08a0e7c05c6dcaefd2816ca937cb2f8ca0ab8f4c8e78a2917b22dc10c289221e8450cfba34bebf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\c37a0feacf.exe

Filesize
2.2MB

MD5
3709ad0a7007bcae942b905a07bd6bba

SHA1
9d25192c841f3b2fb1b9bbb0dfdcec6cdaaca3a7

SHA256
2248caa741ec4d757c597091f2bab56f694181ef5a677bdab47d990e4c7f695a

SHA512
d41cbc49ded02909e0eae68da22988c36993bde9db4025f64d45007d2c47ed07a7cdc1a2b28ae1cb7ecb8d4c5169cb4084650adaddb656caf33b4e0ad85239fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

Filesize
488KB

MD5
82053649cadec1a338509e46ba776fbd

SHA1
6d8e479a6dc76d54109bb2e602b8087d55537510

SHA256
30468f8b767772214c60a701ecfee11c634516c3e2de146cd07638ea00dd0b6e

SHA512
e4b2b219483477a73fec5a207012f77c7167bf7b7f9adcb80ee92f87ddfe592a0d520f2afee531d1cce926ef56da2b065b13630a1cc171f48db8f7987e10897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe

Filesize
210KB

MD5
51b0ed6b4908a21e5cc1d9ec7c046040

SHA1
d874f6da7327b2f1b3ace5e66bc763c557ac382e

SHA256
4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d

SHA512
48ec96b209d7061a1276496feb250cf183891b950465d3a916c999aa1efc1c8831b068ce0fce4ce21d09677f945b3d816ed4040146462a0ce0845318041586a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe

Filesize
3.3MB

MD5
76eae6ef736073145d6c06d981615ff9

SHA1
6612a26d5db4a6a745fed7518ec93a1121fffd9c

SHA256
3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb

SHA512
e7c118bbe9f62d5834b374e05242636b32daab2c1fe607521d6e78520665c59f78637b74c85d171f8608e255be50731771f0a09dcca69e016b281ee02ab77231

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe

Filesize
559KB

MD5
9ee0c556e1b952495a74709e6b06459a

SHA1
1b631e41b43d6f7ef3f7d140c1eb14ecf1cd861d

SHA256
0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129

SHA512
1ec91c9e0ab4e359be73677f81150922ed06fc58e621e2115d4c607afb94dbf69a8362db14a531ff6aba69b1dc8e3cd2a0aa0ba626320caa9c250060bbe44558

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000193001\ISetup8.exe

Filesize
412KB

MD5
6a84e6c0021605ff091449bfbe83a7b3

SHA1
9ff7c79006f2ec923f3789e92eea390dc987ddca

SHA256
850ef11c40f5aeb9e66b7e595842089f74e35134cc2571f1217fc391fb5beec8

SHA512
294866d1444906bdb2e270a1bc0363b8da30fcb3e6d5399b13e70b55d9670b5829d20a259b3338d7949e2afdb8d0bdac6c11bf9cbfd360c69ea6d21be9e7361a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000194001\toolspub1.exe

Filesize
307KB

MD5
a11d2533c5dd2b17161fc2eea2ba1bef

SHA1
f7f42c054b83cb0cc3bb0a54a75195f920d9ced8

SHA256
4da76547d7081b68f3af83c77a5c75b2ff3f0691d7c58aca34632ff2ecd1e98c

SHA512
0053214e42b72365bd435ab8f35e4ddc8774c347dfa57d90c9f49c81b23dd1178f0a77b0facb0cce0d29b67b33eb7243a5c7c4f267274374e095a47f4a301a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.2MB

MD5
2e78c9318e8d9e63a9bbd8756a1fc49a

SHA1
5a92c19ea81fd2313a6538d5786368e470f54bce

SHA256
91ea2eb28f0db5a6bba60519b77c8dc4005beac2fb3ebc2180aa0032c6a8135c

SHA512
ec17194bfc8d1fc54375a63cb2d067753d4c210ad5c62bd6c536606cdeab278b48f3b3618afbc792d6082892d277fd3a0561812bf06337f6af173ce2f1d0f586

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000196001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe

Filesize
556KB

MD5
e1d8325b086f91769120381b78626e2e

SHA1
0eb6827878445d3e3e584b7f08067a7a4dc9e618

SHA256
b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934

SHA512
c8c0b424c2ed7ee598997bdc0b0d2099b650a280903716891b0eaa340acf556c0642d921fcb7f654387a4a1f1ec4a32feaf8d872b51ca482a977f11e2974072c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000200001\070.exe

Filesize
3.9MB

MD5
f1d29fddb47e42d7dbf2cf42ba36cc72

SHA1
95be0248f53891aa5abecc498af5c3c98b532ba6

SHA256
a50431ef857f65eb57d4418d917b25307371dd2612c045c0d34f78cea631996c

SHA512
f2e82e4e57dc6b3033ac74846f9830092521a26067d96f1c07b613258267c2d578bee901a0db04cd4fad13d2cc8afbbd3c3a685e040d225afd70203891632bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6165ce5a

Filesize
5.9MB

MD5
dcc26dd014bad9eafa9066d3781b615d

SHA1
b0cb8621ca58a196ac73bed4e525deacfaf2d836

SHA256
69502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3

SHA512
5a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2AA0.tmp\Install.exe

Filesize
6.8MB

MD5
e77964e011d8880eae95422769249ca4

SHA1
8e15d7c4b7812a1da6c91738c7178adf0ff3200f

SHA256
f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50

SHA512
8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404182229169046796.dll

Filesize
4.6MB

MD5
0415cb7be0361a74a039d5f31e72fa65

SHA1
46ae154436c8c059ee75cbc6a18ccda96bb2021d

SHA256
bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

SHA512
f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe

Filesize
9.0MB

MD5
1608c5afa992c1a3448462a7e263566d

SHA1
a17b862f6146ec63dfcb5bed51b48e4a56614266

SHA256
dab8ed8c479d94f414512759b04b27a41d5dc77a3c363374dc5f3aac8c0e8c82

SHA512
c87f53be6746c676cf7e9c2a18bdfcbddc3f8a2bd2172081c86f82fc0753fc922879062df68b2d1ee0113b90706a0fe573716834b80d6cd63e9d7a74c4a4a4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp26EC.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe

Filesize
768KB

MD5
77800b6fb2312b6190bcd9bc6e04a724

SHA1
2b6ea129d8c3d1c89e6bfc5dd4200c050b5d49b1

SHA256
55959234025a7063268f62d57108df68c41f3e9c1564f215236f9c5ec4ca42b6

SHA512
aefbaa04f4045b3ebb985eddf6e5a3328b1f6f8043fbbcd835a8f1412e2c5ab1fa317d2b03aa7ee2c3a1bcc9e0f5f68b6fc35f0875127ffae3bd309914d58382

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gx1teefy.kj0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
e76c4352c134e0d598b5fac39c39b441

SHA1
c4797a85520739557f6332d02499d472a76ad32e

SHA256
c008eec8db8ed2f343875edf9777f9324f09a4fca360e6e2b8084b9b14fba807

SHA512
fe9070ada0ea0fcf89e8da273db19c556d635aa62f1d26ec22cab34705592e75324fa6557129a13259c424aa6fd0c3947609320f5161fe767e40347c2bfece7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D99.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DCA.tmp

Filesize
92KB

MD5
da89a93663ee51bf2303b11ab8cd8a3e

SHA1
1e60b798570c9c85b7163b7d6491e9af68eef7ce

SHA256
0ba211c75db7dd3a8837bcb806e38070b86592e4d0db1e1a6d989985e146cacb

SHA512
7d2e4257a52bae57f70c2987b2f9e74a736262cd6813064af0f80ed626b9ac8d2d5db8b3b91854ad220139033aed89bf3edef28ffdc157aa12e0aae3f19a1571

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3cc.1.exe

Filesize
1.4MB

MD5
192215a77aa5b55fb8d7c8bde710766c

SHA1
abdebd3df7ece0e77db262c7785c9d22e466ff4e

SHA256
e4ff74661fc56868ee52ea5dc1e779eaec574040bc86cdc995d53dbd2cab8cb0

SHA512
1d9d2c5271318653f8f90756579a34934c2d2598fba08bcfd0134d9bda7e748d09c77eeba47c056b0a04d8b5c8b5311392ce04ecba2402fa6b9a879b4829cff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4io.0.exe

Filesize
306KB

MD5
9e7bd4e6b0220bbb8c4068a02939e692

SHA1
92b8c83e84d6823bf4cf5238f368c27e5243241d

SHA256
a547ce72c56e28616970d53b15e05cf4532a20384cae7a72b8428789a48028ef

SHA512
7c1a0dcdcbeb988679ad24cbef85bd0b3f6c6c41c8699d506be3a1d6b0542fff0f6ec85eb53fe98278f787cd108771e2d168e2a9080327706edc629c41f57522

Download Submit
C:\Users\Admin\AppData\Local\fIVrM3jkxFyNrTCpWBmm6bcN.exe

Filesize
4.2MB

MD5
1842fc317e5a1d69802a698ae55c38f2

SHA1
151e6beea179734ac936b9a09553694497ac25b5

SHA256
3a28b148d121751482a29d954aeed15f8ae208f86cd3ed6b819c5c5c842e0cf9

SHA512
c625d83b286c3e704f43ec80a4fed5c91bba6929c1c89e23bdc642d8778ea063507b578a7ef74368c815f4baf03fc1a8edfb4b3d9449619c3651a8cf33b139c2

Download Submit
C:\Users\Admin\AppData\Local\wOSV49Qvzsru7wJBGg0c1voL.exe

Filesize
6.5MB

MD5
5d5da0738299d8893b79a6c926765e5f

SHA1
b05c2cfd30ca1c163cb829b7e7e5ea2d6c57d1d1

SHA256
53c80bee05d28fe65ab0ae6459753fe7b804c0b68b85faaf828576687ef28ca3

SHA512
d9fffe943131e71762f5e2e1ad3d23053069f0f028054be9ec2c8491a6812adadacbf099ab8fa79ca9916ceda14ccaedfe4a0e1e5235871a97145ef77d7b0b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2768987046-1485460554-1347040953-1000\76b53b3ec448f7ccdda2063b15d2bfc3_3227306b-8fcd-4334-bbe4-c13e7901b430

Filesize
2KB

MD5
659d9a0d15fce057267752ff36a9f30f

SHA1
2d87a0069ac97c1552251a062f722b074b67fbff

SHA256
42f8e9ad9e411a4aa29985567a3c57b815abba41e4229124042c8980ec8cbee4

SHA512
c4c0fada852c1a234846dcd5d3f9eb2f808614760a3926e9703ef33860b4a7428dad94cf60ff5c75f191517213904e395bef97d1422b38955dff5ad731899f76

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Pictures\hkEyhNKr7JSMT8p94WWVpmMu.exe

Filesize
5.1MB

MD5
272e7962692d1d599014524771228bd6

SHA1
741c05400d3144acbf6da3ba8f412e70aa3547bd

SHA256
67847fc8aee420a18e803263e41182040c8207df365633fb3ef9468cf2915823

SHA512
87543b55d7b4e50e89c0d09d77ef202a41a9ae212a0ac8e3b252373d632c22c073489999a0867202bf8fcdf746a19cb3c8a576d7b0cebb321bb9f05d30229f09

Download Submit
C:\Users\Admin\Pictures\i7bYeZeFhANyvuRkT8mmfHEe.exe

Filesize
5.1MB

MD5
72de3b515de1de5ea7a1349e0f136bd9

SHA1
13a3e2db62367b28778cacc6e402a18eee375d68

SHA256
014a31da2f23d56d905753518f6b04bfd585dd9035eb1f7c2516a67f4906130e

SHA512
971ad96d26fcbfb1b7089166cee233110f872b1d0413420baa0bd43d8dfbcf533df48ab44f253ca374025cf1d9da5cb94da3b2bbbf04b1a90fb44153c2c43866

Download Submit
C:\Users\Admin\Pictures\nxynpeU0HLv9TC1496T1gFq1.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
ee0c10da3dbe0c08de2f181e6646e70f

SHA1
ce4cee7ec18ed12e0a3b32beb5509018d99f36a4

SHA256
e85c221e420c65e8a31e85d92657aa7c1263eade2ca3b39a36f6586f53c125a7

SHA512
a98508d370a04d2c8bddf911aa896bcc530fa1c8a45ea69d76c97314dde013080110bb36ac036413e4151f62cca8f291e1a5f469541364d1161e2afe617216d7

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
\??\pipe\crashpad_4928_YPACXIQCXGJXZPTM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/420-714-0x0000000000300000-0x00000000007CE000-memory.dmp

Filesize
4.8MB

Download
memory/420-890-0x0000000000300000-0x00000000007CE000-memory.dmp

Filesize
4.8MB

Download
memory/420-410-0x0000000000300000-0x00000000007CE000-memory.dmp

Filesize
4.8MB

Download
memory/420-265-0x0000000000300000-0x00000000007CE000-memory.dmp

Filesize
4.8MB

Download
memory/420-563-0x0000000000300000-0x00000000007CE000-memory.dmp

Filesize
4.8MB

Download
memory/1280-269-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/1280-267-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/1280-268-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1280-263-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/1280-285-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/1852-346-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2544-45-0x00000000010C0000-0x000000000158E000-memory.dmp

Filesize
4.8MB

Download
memory/2544-49-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2544-47-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2544-70-0x00000000010C0000-0x000000000158E000-memory.dmp

Filesize
4.8MB

Download
memory/2544-64-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2544-65-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2544-46-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/2544-48-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2544-51-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/2544-44-0x00000000010C0000-0x000000000158E000-memory.dmp

Filesize
4.8MB

Download
memory/2544-50-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3376-29-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/3376-506-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-27-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3376-26-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3376-302-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-25-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3376-125-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-31-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3376-24-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3376-23-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/3376-774-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-201-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-28-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3376-30-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3376-22-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-103-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-614-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-144-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3376-21-0x0000000000AD0000-0x0000000000DED000-memory.dmp

Filesize
3.1MB

Download
memory/3724-315-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3724-312-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3732-164-0x0000014F7C060000-0x0000014F7C070000-memory.dmp

Filesize
64KB

Download
memory/3732-243-0x00007FFDE4C90000-0x00007FFDE567C000-memory.dmp

Filesize
9.9MB

Download
memory/3732-163-0x00007FFDE4C90000-0x00007FFDE567C000-memory.dmp

Filesize
9.9MB

Download
memory/3732-165-0x0000014F7C060000-0x0000014F7C070000-memory.dmp

Filesize
64KB

Download
memory/3732-166-0x0000014F7BFE0000-0x0000014F7C002000-memory.dmp

Filesize
136KB

Download
memory/3732-169-0x0000014F7C2F0000-0x0000014F7C366000-memory.dmp

Filesize
472KB

Download
memory/3732-207-0x0000014F7C060000-0x0000014F7C070000-memory.dmp

Filesize
64KB

Download
memory/3732-221-0x0000014F7C290000-0x0000014F7C2A2000-memory.dmp

Filesize
72KB

Download
memory/3732-234-0x0000014F7C050000-0x0000014F7C05A000-memory.dmp

Filesize
40KB

Download
memory/4100-3-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4100-12-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4100-8-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4100-6-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4100-9-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4100-1-0x0000000076FD4000-0x0000000076FD5000-memory.dmp

Filesize
4KB

Download
memory/4100-7-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4100-4-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4100-19-0x0000000001270000-0x000000000158D000-memory.dmp

Filesize
3.1MB

Download
memory/4100-0-0x0000000001270000-0x000000000158D000-memory.dmp

Filesize
3.1MB

Download
memory/4100-2-0x0000000001270000-0x000000000158D000-memory.dmp

Filesize
3.1MB

Download
memory/4100-5-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4100-10-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4124-361-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5024-132-0x0000000005580000-0x0000000005582000-memory.dmp

Filesize
8KB

Download
memory/5024-455-0x0000000000F00000-0x0000000001492000-memory.dmp

Filesize
5.6MB

Download
memory/5024-99-0x0000000000F00000-0x0000000001492000-memory.dmp

Filesize
5.6MB

Download
memory/5024-202-0x0000000000F00000-0x0000000001492000-memory.dmp

Filesize
5.6MB

Download
memory/5024-106-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/5024-107-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/5024-286-0x0000000000F00000-0x0000000001492000-memory.dmp

Filesize
5.6MB

Download
memory/5024-113-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/5024-603-0x0000000000F00000-0x0000000001492000-memory.dmp

Filesize
5.6MB

Download
memory/5024-726-0x0000000000F00000-0x0000000001492000-memory.dmp

Filesize
5.6MB

Download
memory/5024-108-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/5024-131-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/5024-116-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/5024-114-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/5024-121-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/5024-123-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/5024-126-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/5024-129-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/5024-130-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/5024-261-0x0000000000F00000-0x0000000001492000-memory.dmp

Filesize
5.6MB

Download
memory/5172-850-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5540-864-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/5652-846-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/5856-626-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/5952-936-0x000002171F790000-0x000002171FA4B000-memory.dmp

Filesize
2.7MB

Download
memory/5952-932-0x000002171F790000-0x000002171FA4B000-memory.dmp

Filesize
2.7MB

Download
memory/5952-928-0x000002171F790000-0x000002171FA4B000-memory.dmp

Filesize
2.7MB

Download
memory/5952-926-0x000002171F790000-0x000002171FA4B000-memory.dmp

Filesize
2.7MB

Download
memory/5952-922-0x000002171F790000-0x000002171FA4B000-memory.dmp

Filesize
2.7MB

Download
memory/5952-920-0x000002171F790000-0x000002171FA4B000-memory.dmp

Filesize
2.7MB

Download
memory/5956-720-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6104-571-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/6104-534-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/6104-538-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download