amadey | 9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658

Analysis

max time kernel
31s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/06/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
Size

1.8MB
MD5

3c791a1e752923485b04c0a6b8ee4198
SHA1

9793391c4c4fc27f55f6c2e0ea534a19cf2c68d3
SHA256

9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658
SHA512

d81dbd90321692ea6fdc483d9f635ce9d731284de1e4944b77878556fd5d927541f6b5bb358fabf2a3e95d808a3bc8e20fc9ac1b4e2851a969b56ad7af4066c2
SSDEEP

49152:tEglGOP94VaT4Vcf8LSC1GpQX0PYSm6jhrEm:7uG4VacQhRm6jREm

Score

10^/10

amadey redline risepro 0e6740 e76b71 newbild evasion execution infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000193a9-270.dat	family_redline
behavioral1/memory/2924-294-0x00000000002B0000-0x0000000000300000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	38f549a6ee.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3136	powershell.exe
1080	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	38f549a6ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	38f549a6ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe

Executes dropped EXE 13 IoCs

pid	Process
2704	explortu.exe
1984	explortu.exe
940	38f549a6ee.exe
2552	72c8cfb0ba.exe
1752	axplong.exe
1092	c3a9c5fb49.exe
3024	judit.exe
1564	stub.exe
2924	redline123123.exe
2112	upd.exe
2564	setup222.exe
2240	gold.exe
2296	lummac2.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	38f549a6ee.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	axplong.exe

Loads dropped DLL 22 IoCs

pid	Process
1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
2704	explortu.exe
2704	explortu.exe
2704	explortu.exe
940	38f549a6ee.exe
2704	explortu.exe
1752	axplong.exe
3024	judit.exe
1564	stub.exe
1752	axplong.exe
1752	axplong.exe
1752	axplong.exe
2284	WerFault.exe
2284	WerFault.exe
1752	axplong.exe
2284	WerFault.exe
1752	axplong.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1752	axplong.exe
1752	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\72c8cfb0ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\72c8cfb0ba.exe"	explortu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
81	pastebin.com
82	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000015616-98.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
2704	explortu.exe
940	38f549a6ee.exe
1752	axplong.exe
2552	72c8cfb0ba.exe
1984	explortu.exe
2552	72c8cfb0ba.exe
1984	explortu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 1984	2704	explortu.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
File created	C:\Windows\Tasks\axplong.job	38f549a6ee.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3772	sc.exe
4068	sc.exe
3896	sc.exe
1592	sc.exe
1268	sc.exe
3224	sc.exe
2584	sc.exe
3776	sc.exe
3968	sc.exe
1384	sc.exe
412	sc.exe
3640	sc.exe
1180	sc.exe
3604	sc.exe
3060	sc.exe
1760	sc.exe
4080	sc.exe
3064	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2284	2112	WerFault.exe	53
1360	2240	WerFault.exe	56
3160	3116	WerFault.exe	75

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup222.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup222.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup222.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup222.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
2704	explortu.exe
940	38f549a6ee.exe
1752	axplong.exe
1056	chrome.exe
1056	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
940	38f549a6ee.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1056	chrome.exe
1056	chrome.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe
1092	c3a9c5fb49.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1984	explortu.exe
2552	72c8cfb0ba.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2704	1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe	28
PID 1372 wrote to memory of 2704	1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe	28
PID 1372 wrote to memory of 2704	1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe	28
PID 1372 wrote to memory of 2704	1372	9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe	28
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 1984	2704	explortu.exe	29
PID 2704 wrote to memory of 940	2704	explortu.exe	31
PID 2704 wrote to memory of 940	2704	explortu.exe	31
PID 2704 wrote to memory of 940	2704	explortu.exe	31
PID 2704 wrote to memory of 940	2704	explortu.exe	31
PID 2704 wrote to memory of 2552	2704	explortu.exe	32
PID 2704 wrote to memory of 2552	2704	explortu.exe	32
PID 2704 wrote to memory of 2552	2704	explortu.exe	32
PID 2704 wrote to memory of 2552	2704	explortu.exe	32
PID 940 wrote to memory of 1752	940	38f549a6ee.exe	33
PID 940 wrote to memory of 1752	940	38f549a6ee.exe	33
PID 940 wrote to memory of 1752	940	38f549a6ee.exe	33
PID 940 wrote to memory of 1752	940	38f549a6ee.exe	33
PID 2704 wrote to memory of 1092	2704	explortu.exe	34
PID 2704 wrote to memory of 1092	2704	explortu.exe	34
PID 2704 wrote to memory of 1092	2704	explortu.exe	34
PID 2704 wrote to memory of 1092	2704	explortu.exe	34
PID 1092 wrote to memory of 1056	1092	c3a9c5fb49.exe	35
PID 1092 wrote to memory of 1056	1092	c3a9c5fb49.exe	35
PID 1092 wrote to memory of 1056	1092	c3a9c5fb49.exe	35
PID 1092 wrote to memory of 1056	1092	c3a9c5fb49.exe	35
PID 1056 wrote to memory of 2008	1056	chrome.exe	36
PID 1056 wrote to memory of 2008	1056	chrome.exe	36
PID 1056 wrote to memory of 2008	1056	chrome.exe	36
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38
PID 1056 wrote to memory of 2976	1056	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe
"C:\Users\Admin\AppData\Local\Temp\9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:1984
- - C:\Users\Admin\1000015002\38f549a6ee.exe
    "C:\Users\Admin\1000015002\38f549a6ee.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\onefile_3024_133631680998960000\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
        5⤵
        Executes dropped EXE
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
        5⤵
        Executes dropped EXE
        
        PID:2112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 52
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe
        
        SetupWizard.exe
        6⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\SetupWizard-da33c5f78a9be5ed\SetupWizard.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SetupWizard-da33c5f78a9be5ed\SetupWizard.exe"
        7⤵
        
        PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:2240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 84
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
        5⤵
        Executes dropped EXE
        
        PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
        5⤵
        
        PID:2448
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
        5⤵
        
        PID:2560
      - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        6⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe"
        7⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
        8⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe"
        7⤵
        
        PID:3704
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:3696
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:3752
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:412
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:3604
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:3776
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:3640
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:3772
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        
        PID:3856
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        
        PID:3848
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        
        PID:3884
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        
        PID:3876
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        8⤵
        Launches sc.exe
        
        PID:3896
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:3968
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:4068
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        8⤵
        Launches sc.exe
        
        PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        5⤵
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\onefile_3820_133631681275710000\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        6⤵
        
        PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe"
        5⤵
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
        6⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"
        7⤵
        
        PID:2316
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        
        PID:3032
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        
        PID:2504
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        
        PID:3036
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        
        PID:2784
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "YCSDKNAW"
        8⤵
        Launches sc.exe
        
        PID:2584
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "YCSDKNAW" binpath= "C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:3060
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:1760
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "YCSDKNAW"
        8⤵
        Launches sc.exe
        
        PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe"
        5⤵
        
        PID:3116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 64
        6⤵
        Program crash
        
        PID:3160
- - C:\Users\Admin\AppData\Local\Temp\1000016001\72c8cfb0ba.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\72c8cfb0ba.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\1000017001\c3a9c5fb49.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\c3a9c5fb49.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ea9758,0x7fef6ea9768,0x7fef6ea9778
        5⤵
        
        PID:2008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:2
        5⤵
        
        PID:2976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:8
        5⤵
        
        PID:1612
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:8
        5⤵
        
        PID:108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1704 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:1
        5⤵
        
        PID:2648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:1
        5⤵
        
        PID:2660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:2
        5⤵
        
        PID:2544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1284 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:1
        5⤵
        
        PID:3044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3640 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:1
        5⤵
        
        PID:1032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3756 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:8
        5⤵
        
        PID:3068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 --field-trial-handle=1348,i,11061632202809717481,5930412833997906070,131072 /prefetch:8
        5⤵
        
        PID:1764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2896

C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
1⤵
PID:2272
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2952
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1372
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2988
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:860

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:4052
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2664
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3148
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1592
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3064
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1384
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1268
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:3260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1212
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:3292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:3040
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3300
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\38f549a6ee.exe

Filesize
1.8MB

MD5
e57fb0e1f4bae86d6715f0c0f0494f5c

SHA1
7c91e431737125cb524b9f6cc66f0dd47a3de318

SHA256
44ab5e6a8f3711137610a5e0f0fb1199f16dd6bb2b04814439edb2ffce6bfd84

SHA512
cf0e26931ae0e9ffb9faf2f27dac912648dd1fa0d369a7b6317b36a4ebea016c349081c549acc6375e60dc3cbdbe31a34d7ed11683baf91747cab71e911ef1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab96941cce9903e839eec70436693548

SHA1
5d9f4899edc77cc715f74fc7a7c79430810167a9

SHA256
66fb7cbd1c016662a658fa8ab3bac55010d3d835dc874a267f0c8b3719199ee4

SHA512
a935fa918b0bb7da5353114cc86a9aac3f819dfa29173831ba24c07816b0f67fb5b293de70ffade6310ef095ef1cf19e0ca31270af3a75fcf8a81ce99a896a60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
896a7c29f660516bc645011a67159f50

SHA1
12900a06ea504fdc11781c1a8ef47c7418f07cb5

SHA256
13cd424cb77991d9e347f5907cb5f63e09d48dcc711f01eb6ffa13639d67c5b5

SHA512
5eab02cbb43052107905c4009c7166519e1fac4f4c3ee1c0598a3649000e2af51d0dee86e3ca6d5e4261c248548a9f59136450ef3c2beecf8f7c70bf35ee40ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a1676eb2ba6ce382d03c5bd0d3275cc0

SHA1
64152a1496cc2901e0d6a6f23f3d0360e2dfd059

SHA256
6fb034d85acbfda20e473893d44003dcbd60ee4eba9a4ccb49f67f90c3a4ffd7

SHA512
8ec8100f0fdfb34ec045da4218ba0aebc3240a457ae08d02b1e741522ec08098a664de6f9f49d251b20d00a74991cff396160d652cfa7fd2bd35c3a7a7b4b03a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
683a43e57527d4679d1b73cd2d107d7d

SHA1
a0efc963349191c081cc793dd2189346cc5ef416

SHA256
e0abd314099d118dfed2b6f2dc7a6d968235c444463949ae1ee24b1bb2099346

SHA512
49e4c4aa89a6702e0406b42b54e0219797aae9a4495a9deec854db4e559f330313e4005032a1b5732f8b992ce84b916780f1f9fd5b7536cc384e54446be640ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe

Filesize
2.5MB

MD5
fbfbe4ee13baecac3e7d16bec24cf079

SHA1
360caf2bb458bee7e65c316099a868b929839d25

SHA256
3d65e5f78fa228a79d279fd903b45e584effe6b680d3a3adcb582985de62d01e

SHA512
8f5d849e739430cdc560f9dbda5f2f72a07ed0493054298b0d195cf50c972e9a24effdb71cadeea6ced14663fc1268f4a0f45234f37aac334638ffcd8057b28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe

Filesize
455KB

MD5
f8ec725e4b969f157fd70166e73a56a3

SHA1
8bc092817245f2727154454e0011a8d6704e2eb7

SHA256
eb74efaf4832a80809815051fc97704819fbc4b1d57f07faf39746a02ed1dd10

SHA512
7dc3acb485263fd616ea84999a897f0e298f21485a34457697c523a095083d7de599b3cfc4bc3d45a5d36bc374a3a5e8778646dfa97c447d4be710021678e040

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe

Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe

Filesize
297KB

MD5
0efd5136528869a8ea1a37c5059d706e

SHA1
3593bec29dbfd333a5a3a4ad2485a94982bbf713

SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

SHA512
4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe

Filesize
1.7MB

MD5
e8a7d0c6dedce0d4a403908a29273d43

SHA1
8289c35dabaee32f61c74de6a4e8308dc98eb075

SHA256
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a

SHA512
c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\72c8cfb0ba.exe

Filesize
1.3MB

MD5
eaeb97136749e4deaee312e528bf9779

SHA1
0afc2a6771c6db9919d8643f5d83deb8dc1519c0

SHA256
dd436ab0298af6d6491b71fcdcfa96c0f9249c9f0963ca250bab44fe59e9d5e9

SHA512
5d600b58153d220c3e71a6f9d030bf708c7614a63517ccec55f996dc716de163b458708cdc4bf1a165785255acc69c0f64dfc690cc0be9764dc1e95f088cbcd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\c3a9c5fb49.exe

Filesize
1.1MB

MD5
91933a5a8691f29886c5777d509be653

SHA1
b64f1ac79b1e6e4b770adcc03fb8f12e9b0d51d5

SHA256
1520cd319db75f759bc4f825f39af1c59578e163e35ebf02a59a9647cdab0fa0

SHA512
5f9d479b16bcbc02c174cecb91ad2ba956ca1b899523e584c88c55e58edda1d7719e2bfcbf54401fece7ac38e974e30cc99bd1a9e46324bbfd386133d0171906

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe

Filesize
96KB

MD5
8677376c509f0c66d1f02c6b66d7ef90

SHA1
e057eddf9d2e319967e200a5801e4bbe6e45862a

SHA256
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

SHA512
e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe

Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe

Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe

Filesize
10.7MB

MD5
3f4f5c57433724a32b7498b6a2c91bf0

SHA1
04757ff666e1afa31679dd6bed4ed3af671332a3

SHA256
0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

SHA512
cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe

Filesize
424KB

MD5
13e5872e9b7c47090e035dc228c5589f

SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760

SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe

Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\627615824406

Filesize
85KB

MD5
5788e4008911979a5c117c6d86e55c51

SHA1
ff665c8e96ff7d2c33e1f909e5257b092a2be520

SHA256
224faba4204c7f3741493796f51d026bc2b20b07acad4248d00f997e7c61e7bf

SHA512
80e6e86b5161f8b5100e1aaa4b163e9220d3a4f9f89a1cab30f09decec9083267b768e315c37d5fdc681a8018f89e3df5d80679abc79cdd99de470e49464d41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar710C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3024_133631680998960000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3024_133631680998960000\stub.exe

Filesize
17.9MB

MD5
972d9d2422f1a71bed840709024302f8

SHA1
e52170710e3c413ae3cfa45fcdecf19db4aa382c

SHA256
1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564

SHA512
3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8

Filesize
14B

MD5
5e52b74c8e2a6d79f949fbb4eb476b21

SHA1
f1db39c705690b41243b2af96d9dd9d1a36a1f78

SHA256
7e68391432f9de6eb838bc2319f59e464e2db243aa5af00038f17efe9d073f6a

SHA512
301c91c56878cdeb452816a409f1cc6d53f33235fe6ee4ae2ad8cd84d01debb3fa9d7bc7657ba5e22c3a7352e80a5997789dee640d27f7b9300825489ad95c92

Download Submit
\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
3c791a1e752923485b04c0a6b8ee4198

SHA1
9793391c4c4fc27f55f6c2e0ea534a19cf2c68d3

SHA256
9a42c088e4e3639c2f2894d9bd698c356f6ac40b0bac816a6bad1c126ca90658

SHA512
d81dbd90321692ea6fdc483d9f635ce9d731284de1e4944b77878556fd5d927541f6b5bb358fabf2a3e95d808a3bc8e20fc9ac1b4e2851a969b56ad7af4066c2

Download Submit
\Users\Admin\AppData\Local\Temp\SetupWizard-da33c5f78a9be5ed\SetupWizard.exe

Filesize
42.6MB

MD5
e4b86504b7f85a6248e3dfd4e2e9fdf5

SHA1
d932f240e9b50e58ee4962040d6c856d98630c09

SHA256
ae0b50c7c42615b19e0c4cf5d05611ca1e057929b8065fe9a99d7a492c9b441a

SHA512
7baac3b3eac897e06c7f7623d563fa9ab90c26ff04783a511a241ae59755316c9a580d7b91d0e227c6df14a21c4750c6c0a52f02e9c9282b597686878216ffa2

Download Submit
\Users\Admin\AppData\Local\Temp\SetupWizard.exe

Filesize
36.2MB

MD5
bfa6ee61bd4d54d0168942bd934fca57

SHA1
fe32c8db5e2d86f45056b88a795cb64e89f9e9d9

SHA256
674c91e5221bea7c55e22322173859bbbdb4491e03ea17b19976c708d8c65397

SHA512
f542ff662ce5c9b394f7aca1adc8ccbf8384161f9a09274cc2a5c2a0a639cd43ae1babbebb54ce3a59e7b4450b67ed9f0156009a983f73db5d39aa79f115002b

Download Submit
memory/940-92-0x0000000000A60000-0x0000000000F2C000-memory.dmp

Filesize
4.8MB

Download
memory/940-61-0x0000000000A60000-0x0000000000F2C000-memory.dmp

Filesize
4.8MB

Download
memory/1080-862-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1080-861-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1372-1-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1372-2-0x00000000002C1000-0x00000000002EF000-memory.dmp

Filesize
184KB

Download
memory/1372-3-0x00000000002C0000-0x0000000000782000-memory.dmp

Filesize
4.8MB

Download
memory/1372-5-0x00000000002C0000-0x0000000000782000-memory.dmp

Filesize
4.8MB

Download
memory/1372-15-0x00000000002C0000-0x0000000000782000-memory.dmp

Filesize
4.8MB

Download
memory/1372-16-0x0000000007150000-0x0000000007612000-memory.dmp

Filesize
4.8MB

Download
memory/1372-0-0x00000000002C0000-0x0000000000782000-memory.dmp

Filesize
4.8MB

Download
memory/1564-281-0x000000013F460000-0x0000000140695000-memory.dmp

Filesize
18.2MB

Download
memory/1752-363-0x0000000001280000-0x000000000174C000-memory.dmp

Filesize
4.8MB

Download
memory/1752-485-0x0000000001280000-0x000000000174C000-memory.dmp

Filesize
4.8MB

Download
memory/1752-93-0x0000000001280000-0x000000000174C000-memory.dmp

Filesize
4.8MB

Download
memory/1752-247-0x0000000001280000-0x000000000174C000-memory.dmp

Filesize
4.8MB

Download
memory/1984-25-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-37-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-34-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-26-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-28-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-30-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-33-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-27-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1984-41-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/1984-40-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-43-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-44-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-45-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/1984-46-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2112-347-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2448-566-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-540-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/2448-550-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-554-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-556-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-560-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-541-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-519-0x0000000000220000-0x00000000005BC000-memory.dmp

Filesize
3.6MB

Download
memory/2448-521-0x00000000050F0000-0x00000000051F6000-memory.dmp

Filesize
1.0MB

Download
memory/2448-562-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-542-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-544-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-539-0x00000000024F0000-0x00000000025DC000-memory.dmp

Filesize
944KB

Download
memory/2448-548-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-546-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-558-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-552-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-570-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-568-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2448-564-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2552-246-0x0000000000BE0000-0x0000000001112000-memory.dmp

Filesize
5.2MB

Download
memory/2552-86-0x0000000000BE0000-0x0000000001112000-memory.dmp

Filesize
5.2MB

Download
memory/2552-76-0x0000000000BE0000-0x0000000001112000-memory.dmp

Filesize
5.2MB

Download
memory/2552-470-0x0000000000BE0000-0x0000000001112000-memory.dmp

Filesize
5.2MB

Download
memory/2564-520-0x000000013F5C0000-0x000000013F5E4000-memory.dmp

Filesize
144KB

Download
memory/2704-182-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2704-21-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2704-469-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2704-245-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2704-248-0x0000000006AD0000-0x0000000006F9C000-memory.dmp

Filesize
4.8MB

Download
memory/2704-17-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2704-82-0x0000000006AD0000-0x0000000007002000-memory.dmp

Filesize
5.2MB

Download
memory/2704-18-0x00000000011F1000-0x000000000121F000-memory.dmp

Filesize
184KB

Download
memory/2704-77-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2704-60-0x0000000006AD0000-0x0000000006F9C000-memory.dmp

Filesize
4.8MB

Download
memory/2704-181-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2704-19-0x00000000011F0000-0x00000000016B2000-memory.dmp

Filesize
4.8MB

Download
memory/2924-294-0x00000000002B0000-0x0000000000300000-memory.dmp

Filesize
320KB

Download
memory/3024-330-0x000000013FC80000-0x0000000140755000-memory.dmp

Filesize
10.8MB

Download
memory/3136-865-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/3136-864-0x0000000019E20000-0x000000001A102000-memory.dmp

Filesize
2.9MB

Download