agenttesla | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
1050s
max time network
1051s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-09-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

redline

Botnet

deepweb

91.92.253.107:1334

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.stingatoareincendii.ro
Port:
21
Username:
[email protected]
Password:
3.*RYhlG)lkA

Extracted

Family

cobaltstrike

http://89.197.154.115:7700/RKyG

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)

Extracted

Family

xworm

Version

5.0

45.141.26.197:7000

Mutex

9nYi5R05H806aXaO

Attributes

Install_directory
%AppData%
install_file
VLC_Media.exe

aes.plain

Extracted

Family

stealc

Botnet

leva

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe	family_xworm
behavioral1/memory/2136-547-0x0000000000080000-0x00000000000B2000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3824-21-0x00000244DE410000-0x00000244DE42E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3824-21-0x00000244DE410000-0x00000244DE42E000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

lamp.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ lamp.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4484 powershell.exe
3084 powershell.exe
4580 powershell.exe
1164 powershell.exe
3524 powershell.exe
2592 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

Jbrja.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys Jbrja.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

Jbrja.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Jbrja.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lamp.exe

pid	process
4484	powershell.exe
3084	powershell.exe
4580	powershell.exe
1164	powershell.exe
3524	powershell.exe
2592	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	Jbrja.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Jbrja.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lamp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lamp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lamp.exe

Drops startup file 3 IoCs

Processes:

66d70e8640404_trics.exeVLC_Media.exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk	66d70e8640404_trics.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk	VLC_Media.exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk	VLC_Media.exe.exe

Executes dropped EXE 42 IoCs

Processes:

66d9f685932be_uninstaller.exe66d9f6e9330e4_deep.exe66d9ddcb9dbfe_Build.exeabQOhgu.exenotebyx.exeTikTokTool24.exeAccounts.exeMeeting.sfx.exeMeeting.exeywp.exeResolve.pifResolve.pifpdfconv.exe66d8985a256af_installer.exe66d8985a256af_installer.exeR.exewbspam.exeVLC_Media.exe.exewbspam.exeXWORM-V5.4.exeXWorm V5.4.exeVLC_Media.exe.exe66d7540419a3a_installer.exe66d7540419a3a_installer.exe66d6af212bad3_kbdturme.exe66d6af212bad3_kbdturme.tmp66d6af212bad3_kbdturme.exe66d6af212bad3_kbdturme.tmpAutoIt3.exeAutoIt3.exe66d5edf357fbf_BitcoinCore.exetqh64.exeCo.exe66d70e8640404_trics.exe66d70e8640404_trics.exelamp.exerev.exeprompt.exeew.exe1.exeJbrja.exeJbrja.exe

pid	process
1592	66d9f685932be_uninstaller.exe
3824	66d9f6e9330e4_deep.exe
4356	66d9ddcb9dbfe_Build.exe
3496	abQOhgu.exe
2620	notebyx.exe
3980	TikTokTool24.exe
5016	Accounts.exe
3952	Meeting.sfx.exe
1464	Meeting.exe
4760	ywp.exe
3128	Resolve.pif
2980	Resolve.pif
2788	pdfconv.exe
1660	66d8985a256af_installer.exe
4396	66d8985a256af_installer.exe
4728	R.exe
4488	wbspam.exe
2136	VLC_Media.exe.exe
3240	wbspam.exe
2560	XWORM-V5.4.exe
2884	XWorm V5.4.exe
1200	VLC_Media.exe.exe
1452	66d7540419a3a_installer.exe
2696	66d7540419a3a_installer.exe
4732	66d6af212bad3_kbdturme.exe
4528	66d6af212bad3_kbdturme.tmp
1668	66d6af212bad3_kbdturme.exe
4052	66d6af212bad3_kbdturme.tmp
996	AutoIt3.exe
4768	AutoIt3.exe
1404	66d5edf357fbf_BitcoinCore.exe
1460	tqh64.exe
2584	Co.exe
2368	66d70e8640404_trics.exe
2140	66d70e8640404_trics.exe
1908	lamp.exe
796	rev.exe
4744	prompt.exe
3736	ew.exe
3008	1.exe
3996	Jbrja.exe
3384	Jbrja.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

lamp.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine lamp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine	lamp.exe

Loads dropped DLL 32 IoCs

Processes:

pdfconv.exerundll32.exewbspam.exeXWorm V5.4.exerundll32.exe66d6af212bad3_kbdturme.tmp66d6af212bad3_kbdturme.tmp

pid	process
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
3648	rundll32.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
3240	wbspam.exe
2884	XWorm V5.4.exe
688	rundll32.exe
4528	66d6af212bad3_kbdturme.tmp
4052	66d6af212bad3_kbdturme.tmp

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe	agile_net
behavioral1/memory/2884-755-0x00000266CBDE0000-0x00000266CCBC0000-memory.dmp	agile_net

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

pdfconv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	pdfconv.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

pdfconv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pdfconv.exe
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pdfconv.exe
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pdfconv.exe
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pdfconv.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pdfconv.exe66d70e8640404_trics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CMark Experience Studio = "C:\\Users\\Admin\\AppData\\Local\\Programs\\PCV Convert Manager\\pdfconv.exe"	pdfconv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe"	66d70e8640404_trics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Jbrja.exe

description	ioc	process
File opened (read-only)	\??\O:	Jbrja.exe
File opened (read-only)	\??\T:	Jbrja.exe
File opened (read-only)	\??\U:	Jbrja.exe
File opened (read-only)	\??\W:	Jbrja.exe
File opened (read-only)	\??\X:	Jbrja.exe
File opened (read-only)	\??\Y:	Jbrja.exe
File opened (read-only)	\??\B:	Jbrja.exe
File opened (read-only)	\??\K:	Jbrja.exe
File opened (read-only)	\??\S:	Jbrja.exe
File opened (read-only)	\??\M:	Jbrja.exe
File opened (read-only)	\??\N:	Jbrja.exe
File opened (read-only)	\??\R:	Jbrja.exe
File opened (read-only)	\??\V:	Jbrja.exe
File opened (read-only)	\??\G:	Jbrja.exe
File opened (read-only)	\??\L:	Jbrja.exe
File opened (read-only)	\??\I:	Jbrja.exe
File opened (read-only)	\??\J:	Jbrja.exe
File opened (read-only)	\??\P:	Jbrja.exe
File opened (read-only)	\??\Q:	Jbrja.exe
File opened (read-only)	\??\Z:	Jbrja.exe
File opened (read-only)	\??\E:	Jbrja.exe
File opened (read-only)	\??\H:	Jbrja.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 discord.com
48 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com

flow	ioc
8	discord.com
48	discord.com

flow	ioc
8	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

1.exe

description ioc process

File created C:\Windows\SysWOW64\Jbrja.exe 1.exe
File opened for modification C:\Windows\SysWOW64\Jbrja.exe 1.exe
Enumerates processes with tasklist 1 TTPs 8 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1916 tasklist.exe
4476 tasklist.exe
1080 tasklist.exe
3572 tasklist.exe
1576 tasklist.exe
3088 tasklist.exe
352 tasklist.exe
1456 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

lamp.exe

pid process

1908 lamp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Jbrja.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\Jbrja.exe	1.exe

pid	process
1916	tasklist.exe
4476	tasklist.exe
1080	tasklist.exe
3572	tasklist.exe
1576	tasklist.exe
3088	tasklist.exe
352	tasklist.exe
1456	tasklist.exe

pid	process
1908	lamp.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

abQOhgu.exenotebyx.exeResolve.pifAutoIt3.exe66d70e8640404_trics.exe

description	pid	process	target process
PID 3496 set thread context of 1660	3496	abQOhgu.exe	RegSvcs.exe
PID 2620 set thread context of 4504	2620	notebyx.exe	RegSvcs.exe
PID 3128 set thread context of 2980	3128	Resolve.pif	Resolve.pif
PID 4768 set thread context of 4384	4768	AutoIt3.exe	MSBuild.exe
PID 2368 set thread context of 2140	2368	66d70e8640404_trics.exe	66d70e8640404_trics.exe

Drops file in Program Files directory 1 IoCs

Processes:

pdfconv.exe

description ioc process

File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe pdfconv.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	pdfconv.exe

Drops file in Windows directory 3 IoCs

Processes:

TikTokTool24.exe

description	ioc	process
File opened for modification	C:\Windows\ChampionshipsJustice	TikTokTool24.exe
File opened for modification	C:\Windows\ConsistentParadise	TikTokTool24.exe
File opened for modification	C:\Windows\FranklinBrochures	TikTokTool24.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wbspam.exe	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1772	3496	WerFault.exe	abQOhgu.exe
3772	4760	WerFault.exe	ywp.exe
4468	4760	WerFault.exe	ywp.exe
3456	2980	WerFault.exe	Resolve.pif
2344	2980	WerFault.exe	Resolve.pif
3096	4384	WerFault.exe	MSBuild.exe
3656	1460	WerFault.exe	tqh64.exe
2108	2584	WerFault.exe	Co.exe
3168	2584	WerFault.exe	Co.exe

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

choice.exeResolve.pif66d6af212bad3_kbdturme.tmpMSBuild.exetasklist.exefindstr.exe66d9f685932be_uninstaller.exeschtasks.exeTikTokTool24.exeMeeting.sfx.exeMeeting.exefindstr.exeAutoIt3.exetqh64.exe66d70e8640404_trics.exeew.execmd.exePING.EXEcmd.exeResolve.pifcmd.exe66d70e8640404_trics.execmd.exepdfconv.exeJbrja.exeJbrja.exeabQOhgu.exeRegSvcs.exetasklist.execmd.exePING.EXE1.exepowershell.exe66d6af212bad3_kbdturme.exe66d6af212bad3_kbdturme.exe66d6af212bad3_kbdturme.tmpAutoIt3.exeCo.exelamp.exenotebyx.exeRegSvcs.exeywp.exefindstr.exepowershell.execmd.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Resolve.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d6af212bad3_kbdturme.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d9f685932be_uninstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTokTool24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meeting.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meeting.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqh64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d70e8640404_trics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Resolve.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d70e8640404_trics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdfconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbrja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbrja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abQOhgu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d6af212bad3_kbdturme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d6af212bad3_kbdturme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d6af212bad3_kbdturme.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Co.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notebyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exePING.EXEcmd.exe

pid process

4140 PING.EXE
3928 cmd.exe
3160 PING.EXE
3308 cmd.exe

pid	process
4140	PING.EXE
3928	cmd.exe
3160	PING.EXE
3308	cmd.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pdfconv.exeAutoIt3.exeJbrja.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	pdfconv.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	pdfconv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	pdfconv.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Jbrja.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	pdfconv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	pdfconv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jbrja.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	pdfconv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pdfconv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	pdfconv.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	pdfconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	pdfconv.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

Jbrja.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Jbrja.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Jbrja.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Jbrja.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Jbrja.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Jbrja.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

pdfconv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\937545B11B5D80F15FD922F1D880FE57FD60151E	pdfconv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\937545B11B5D80F15FD922F1D880FE57FD60151E\Blob = 030000000100000014000000937545b11b5d80f15fd922f1d880fe57fd60151e2000000001000000a00200003082029c30820205a003020102020872fc501b4d54055f300d06092a864886f70d01010b05003081853145304306035504030c3c566572695369677020436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3232303930363232303932325a170d3236303930353232303932325a3081853145304306035504030c3c566572695369677020436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d00308189028181009c182054159e9fb54bd85d80b9dbbf878f8009db9cd747f7c167b17106623c42bedcaf21387a13d5342b8229f108b7969c7ef95c4f74863a8346ab719f190da0425fed7b96ac86370365df168794b61baf11d3be4bb4a4fa2b7fcc3eb1a90c16b91c7c9bc44079e012cc507717b629738912fd74929cff741d7cd0f63af2d0cf0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038181006be8f14f52647e2640a9c8f8cc30d54720e8e9110765446a42884ff8b1981ed806a9df1b73b5b55e7f06156fa6a99c3c603b7e69a0d393525a86d047de9db5e5a4ac692391e89c9d4afc05a17cbbbdb4f24ac4f1454c8a0888959bc2a23cd20940aef406b4d1c32d77afb9b315eb28e4019f5010b186e13d0e460d3608dc19b5	pdfconv.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4140 PING.EXE
3160 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3148 schtasks.exe
4060 schtasks.exe

pid	process
4140	PING.EXE
3160	PING.EXE

pid	process
3148	schtasks.exe
4060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

66d9f6e9330e4_deep.exeRegSvcs.exeRegSvcs.exeResolve.pifpdfconv.exerundll32.exepowershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exeVLC_Media.exe.exerundll32.exe66d6af212bad3_kbdturme.tmppowershell.exe

pid	process
3824	66d9f6e9330e4_deep.exe
3824	66d9f6e9330e4_deep.exe
1660	RegSvcs.exe
1660	RegSvcs.exe
4504	RegSvcs.exe
4504	RegSvcs.exe
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
3648	rundll32.exe
3648	rundll32.exe
3648	rundll32.exe
3648	rundll32.exe
4484	powershell.exe
4484	powershell.exe
1784	msedge.exe
1784	msedge.exe
976	msedge.exe
976	msedge.exe
3084	powershell.exe
3084	powershell.exe
4580	powershell.exe
4580	powershell.exe
1164	powershell.exe
1164	powershell.exe
3524	powershell.exe
3524	powershell.exe
2136	VLC_Media.exe.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
4052	66d6af212bad3_kbdturme.tmp
4052	66d6af212bad3_kbdturme.tmp
2788	pdfconv.exe
2788	pdfconv.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2788	pdfconv.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe
2136	VLC_Media.exe.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Jbrja.exe

pid process

3384 Jbrja.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

abQOhgu.exenotebyx.exe

pid process

3496 abQOhgu.exe
2620 notebyx.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

976 msedge.exe
976 msedge.exe
976 msedge.exe

pid	process
3384	Jbrja.exe

pid	process
976	msedge.exe
976	msedge.exe
976	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

New Text Document mod.exe66d9f6e9330e4_deep.exeRegSvcs.exeRegSvcs.exetasklist.exetasklist.exepdfconv.exepowershell.exeVLC_Media.exe.exepowershell.exepowershell.exepowershell.exepowershell.exeVLC_Media.exe.exeXWorm V5.4.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepowershell.exe1.exeJbrja.exe

description	pid	process
Token: SeDebugPrivilege	248	New Text Document mod.exe
Token: SeDebugPrivilege	3824	66d9f6e9330e4_deep.exe
Token: SeDebugPrivilege	1660	RegSvcs.exe
Token: SeDebugPrivilege	4504	RegSvcs.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	3088	tasklist.exe
Token: SeDebugPrivilege	2788	pdfconv.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2136	VLC_Media.exe.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	2136	VLC_Media.exe.exe
Token: SeDebugPrivilege	1200	VLC_Media.exe.exe
Token: SeDebugPrivilege	2884	XWorm V5.4.exe
Token: SeDebugPrivilege	352	tasklist.exe
Token: SeDebugPrivilege	1456	tasklist.exe
Token: SeDebugPrivilege	1916	tasklist.exe
Token: SeDebugPrivilege	4476	tasklist.exe
Token: SeDebugPrivilege	1080	tasklist.exe
Token: SeDebugPrivilege	3572	tasklist.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeIncBasePriorityPrivilege	3008	1.exe
Token: SeLoadDriverPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe
Token: 33	3384	Jbrja.exe
Token: SeIncBasePriorityPrivilege	3384	Jbrja.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

abQOhgu.exenotebyx.exeResolve.pifpdfconv.exemsedge.exe66d6af212bad3_kbdturme.tmp

pid	process
3496	abQOhgu.exe
3496	abQOhgu.exe
2620	notebyx.exe
2620	notebyx.exe
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
2788	pdfconv.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
4052	66d6af212bad3_kbdturme.tmp

Suspicious use of SendNotifyMessage 19 IoCs

Processes:

abQOhgu.exenotebyx.exeResolve.pifmsedge.exe

pid	process
3496	abQOhgu.exe
3496	abQOhgu.exe
2620	notebyx.exe
2620	notebyx.exe
3128	Resolve.pif
3128	Resolve.pif
3128	Resolve.pif
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Meeting.sfx.exepdfconv.exeVLC_Media.exe.exe

pid process

3952 Meeting.sfx.exe
3952 Meeting.sfx.exe
2788 pdfconv.exe
2136 VLC_Media.exe.exe

pid	process
3952	Meeting.sfx.exe
3952	Meeting.sfx.exe
2788	pdfconv.exe
2136	VLC_Media.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exeabQOhgu.exenotebyx.exeTikTokTool24.execmd.exe

description	pid	process	target process
PID 248 wrote to memory of 1592	248	New Text Document mod.exe	66d9f685932be_uninstaller.exe
PID 248 wrote to memory of 1592	248	New Text Document mod.exe	66d9f685932be_uninstaller.exe
PID 248 wrote to memory of 1592	248	New Text Document mod.exe	66d9f685932be_uninstaller.exe
PID 248 wrote to memory of 3824	248	New Text Document mod.exe	66d9f6e9330e4_deep.exe
PID 248 wrote to memory of 3824	248	New Text Document mod.exe	66d9f6e9330e4_deep.exe
PID 248 wrote to memory of 4356	248	New Text Document mod.exe	66d9ddcb9dbfe_Build.exe
PID 248 wrote to memory of 4356	248	New Text Document mod.exe	66d9ddcb9dbfe_Build.exe
PID 248 wrote to memory of 3496	248	New Text Document mod.exe	abQOhgu.exe
PID 248 wrote to memory of 3496	248	New Text Document mod.exe	abQOhgu.exe
PID 248 wrote to memory of 3496	248	New Text Document mod.exe	abQOhgu.exe
PID 248 wrote to memory of 2620	248	New Text Document mod.exe	notebyx.exe
PID 248 wrote to memory of 2620	248	New Text Document mod.exe	notebyx.exe
PID 248 wrote to memory of 2620	248	New Text Document mod.exe	notebyx.exe
PID 3496 wrote to memory of 1660	3496	abQOhgu.exe	RegSvcs.exe
PID 3496 wrote to memory of 1660	3496	abQOhgu.exe	RegSvcs.exe
PID 3496 wrote to memory of 1660	3496	abQOhgu.exe	RegSvcs.exe
PID 3496 wrote to memory of 1660	3496	abQOhgu.exe	RegSvcs.exe
PID 2620 wrote to memory of 4504	2620	notebyx.exe	RegSvcs.exe
PID 2620 wrote to memory of 4504	2620	notebyx.exe	RegSvcs.exe
PID 2620 wrote to memory of 4504	2620	notebyx.exe	RegSvcs.exe
PID 2620 wrote to memory of 4504	2620	notebyx.exe	RegSvcs.exe
PID 248 wrote to memory of 3980	248	New Text Document mod.exe	TikTokTool24.exe
PID 248 wrote to memory of 3980	248	New Text Document mod.exe	TikTokTool24.exe
PID 248 wrote to memory of 3980	248	New Text Document mod.exe	TikTokTool24.exe
PID 248 wrote to memory of 5016	248	New Text Document mod.exe	Accounts.exe
PID 248 wrote to memory of 5016	248	New Text Document mod.exe	Accounts.exe
PID 3980 wrote to memory of 1360	3980	TikTokTool24.exe	cmd.exe
PID 3980 wrote to memory of 1360	3980	TikTokTool24.exe	cmd.exe
PID 3980 wrote to memory of 1360	3980	TikTokTool24.exe	cmd.exe
PID 248 wrote to memory of 3952	248	New Text Document mod.exe	Meeting.sfx.exe
PID 248 wrote to memory of 3952	248	New Text Document mod.exe	Meeting.sfx.exe
PID 248 wrote to memory of 3952	248	New Text Document mod.exe	Meeting.sfx.exe
PID 248 wrote to memory of 1464	248	New Text Document mod.exe	Meeting.exe
PID 248 wrote to memory of 1464	248	New Text Document mod.exe	Meeting.exe
PID 248 wrote to memory of 1464	248	New Text Document mod.exe	Meeting.exe
PID 248 wrote to memory of 4760	248	New Text Document mod.exe	ywp.exe
PID 248 wrote to memory of 4760	248	New Text Document mod.exe	ywp.exe
PID 248 wrote to memory of 4760	248	New Text Document mod.exe	ywp.exe
PID 1360 wrote to memory of 1576	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 1576	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 1576	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 4668	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 4668	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 4668	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 3088	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 3088	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 3088	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 2672	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 2672	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 2672	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 4208	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 4208	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 4208	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 1040	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 1040	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 1040	1360	cmd.exe	findstr.exe
PID 1360 wrote to memory of 2592	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 2592	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 2592	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 3128	1360	cmd.exe	Resolve.pif
PID 1360 wrote to memory of 3128	1360	cmd.exe	Resolve.pif
PID 1360 wrote to memory of 3128	1360	cmd.exe	Resolve.pif
PID 1360 wrote to memory of 1336	1360	cmd.exe	choice.exe
PID 1360 wrote to memory of 1336	1360	cmd.exe	choice.exe

outlook_office_path 1 IoCs

Processes:

pdfconv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pdfconv.exe

outlook_win_path 1 IoCs

Processes:

pdfconv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pdfconv.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:248
- C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1592
- - C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe
    "C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
- C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe"
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe
  "C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 804
    3⤵
    - Program crash
    PID:1772
- C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- C:\Users\Admin\AppData\Local\Temp\a\TikTokTool24.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TikTokTool24.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Columbia Columbia.bat & Columbia.bat & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4668
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3088
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 196323
      4⤵
      System Location Discovery: System Language Discovery
      PID:4208
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "cheatsfortyumsent" Zen
      4⤵
      System Location Discovery: System Language Discovery
      PID:1040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Immediate + ..\Surrounded + ..\Familiar + ..\Enclosed + ..\Telecommunications + ..\Boolean + ..\Integrating + ..\Stack + ..\Lawn F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\196323\Resolve.pif
      Resolve.pif F
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\196323\Resolve.pif
        
        C:\Users\Admin\AppData\Local\Temp\196323\Resolve.pif
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1196
        6⤵
        Program crash
        
        PID:3456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1172
        6⤵
        Program crash
        
        PID:2344
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
- C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe"
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\a\ywp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ywp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1276
    3⤵
    - Program crash
    PID:3772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1316
    3⤵
    - Program crash
    PID:4468
- C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe" -sfxwaitall:0 "rundll32" setup_app_tmp.dll,setuptool
    3⤵
    - Executes dropped EXE
    PID:4396
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" setup_app_tmp.dll,setuptool
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    3⤵
    PID:2088
- C:\Users\Admin\AppData\Local\Temp\a\R.exe
  "C:\Users\Admin\AppData\Local\Temp\a\R.exe"
  2⤵
  - Executes dropped EXE
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\wbspam.exe
    "C:\Users\Admin\AppData\Local\Temp\wbspam.exe"
    3⤵
    - Executes dropped EXE
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\wbspam.exe
      "C:\Users\Admin\AppData\Local\Temp\wbspam.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:3276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/rz9598cHay
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd1793cb8,0x7ffdd1793cc8,0x7ffdd1793cd8
        6⤵
        
        PID:2072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1796 /prefetch:2
        6⤵
        
        PID:884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
        6⤵
        
        PID:3124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        6⤵
        
        PID:836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        6⤵
        
        PID:2052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
        6⤵
        
        PID:4088
- - C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4580
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3524
- C:\Users\Admin\AppData\Local\Temp\a\XWORM-V5.4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\XWORM-V5.4.exe"
  2⤵
  - Executes dropped EXE
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe" -sfxwaitall:0 "rundll32" setup_app.dll,setupvar
    3⤵
    - Executes dropped EXE
    PID:2696
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" setup_app.dll,setupvar
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    3⤵
    PID:4396
- C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\is-CO8MB.tmp\66d6af212bad3_kbdturme.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CO8MB.tmp\66d6af212bad3_kbdturme.tmp" /SL5="$60350,10276342,812544,C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe
      "C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\is-9LKRE.tmp\66d6af212bad3_kbdturme.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9LKRE.tmp\66d6af212bad3_kbdturme.tmp" /SL5="$70350,10276342,812544,C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe" /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4052
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        6⤵
        
        PID:3400
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        7⤵
        
        PID:1936
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        6⤵
        
        PID:1496
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        7⤵
        
        PID:884
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        6⤵
        
        PID:200
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        7⤵
        
        PID:4596
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        6⤵
        
        PID:5024
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        7⤵
        
        PID:456
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        6⤵
        
        PID:3560
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        7⤵
        
        PID:3796
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        6⤵
        
        PID:2884
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        7⤵
        
        PID:3000
      - C:\Users\Admin\AppData\Local\banqueteer\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\banqueteer\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\banqueteer\\calimanco1.a3x"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\qTS9Ah7.a3x && del C:\ProgramData\\qTS9Ah7.a3x
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\banqueteer\AutoIt3.exe
        
        AutoIt3.exe C:\ProgramData\\qTS9Ah7.a3x
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1272
        10⤵
        Program crash
        
        PID:3096
- C:\Users\Admin\AppData\Local\Temp\a\66d5edf357fbf_BitcoinCore.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d5edf357fbf_BitcoinCore.exe"
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\a\tqh64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tqh64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1296
    3⤵
    - Program crash
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\a\Co.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Co.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1136
    3⤵
    - Program crash
    PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1136
    3⤵
    - Program crash
    PID:3168
- C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2140
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3148
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4060
- C:\Users\Admin\AppData\Local\Temp\a\lamp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lamp.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Users\Admin\AppData\Local\Temp\a\rev.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rev.exe"
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Users\Admin\AppData\Local\Temp\a\prompt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\prompt.exe"
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\a\ew.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ew.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\a\1.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3496 -ip 3496
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4760 -ip 4760
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4760 -ip 4760
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2980 -ip 2980
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2980 -ip 2980
1⤵
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4384 -ip 4384
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 1460
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2584 -ip 2584
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2584 -ip 2584
1⤵
PID:2268

C:\Windows\SysWOW64\Jbrja.exe
C:\Windows\SysWOW64\Jbrja.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3996
- C:\Windows\SysWOW64\Jbrja.exe
  C:\Windows\SysWOW64\Jbrja.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
247B

MD5
94bd83393ee4e3c749f28c3414160cbc

SHA1
68effb04ecc392f2ae4ad7bdc1e99b9116da474c

SHA256
e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b

SHA512
203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca64b37b773de5190b1de6b8bd1656a9

SHA1
a68b1b38f0ce533b95a9f2dbe878d93f33589f81

SHA256
9f05eb3261ade3d08cef61755eaae91b3a727b117a2d9ef6c1288e1e2e2e8009

SHA512
fb596c140f5e851802fb5c290c98ce0ca888553a5d1250b170d3937f0dae1ffba7ad9f286edf30ce8729bd951a6c29a77b7e3bbb21b9d290ab83bc3a06c20869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc41896545e39e73e6919b7420192fdd

SHA1
269ec110c9c752dea9dcfabfd450283bf7723159

SHA256
c631f6df783a1697e8cb601a5e8bacb1ed9c5ba1241e2e1715d766c22af90c49

SHA512
67e03297dc755f1d7611c22356921ce0b852f0aa6a9bde598f4426465aaad1769d28ea33b09940626ec30e4af3d8cf8fd3ccb81f856344a1f5405264fb0f2a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88ca984219c6383a0aa8158f3c60c170

SHA1
47260bf501725ce2816d9e3ed0e23eeac84e872d

SHA256
628a3521e88c24094490abc03d5d90dcb27014ea56073180f0bf1076d073cdf6

SHA512
7c43db226b9f7a491d195a1262127df985b7ce6cd957127632e6cfdda7e03e4bf32bf257913f4c4736ff2383f0c45918d1968281d3e0d831bd05315d005a3801

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\Adapt4.1.dll

Filesize
6.9MB

MD5
a48d47a826bd19bed46d82e4d12d0747

SHA1
fe7ced0a8757f86abbc4a28f5d9ac4808ded1c8f

SHA256
10c91979275078c324a5f2c1b027d51140160a892d986f25dd5ad6a6a93d53d1

SHA512
b6274971776a967b2deb9805418af439b0412f0a23233189d8087fee124c952a14fd2a8acc005fa26cb8f906421814726a3681786620b63b32b301d6712a351e

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\CES_PlugIn_4.dll

Filesize
515KB

MD5
576bbf8adb9278830e883ecac484bead

SHA1
c1242601d50012dc51b545d7b9a24fb5108b0f70

SHA256
5b26c145a7cc91e95175d38047e46a3a0b8766905b9d51f4e6bb559a439b3761

SHA512
0957743b19e989742b9584d7791249f3fb64615210ec2110c40ae774d4fb4fa4dcda498e019fbd316b42ab23bde314af24eeba20674b0190c1a2760debd55103

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\Dependency.db

Filesize
5.6MB

MD5
452c732598cff53811896cff493a026b

SHA1
53d370accb009685ade791d5d7e5e190b89384c1

SHA256
6053b66fca4a247f202eee0e32dc3a05c426addcb30fbf1d959488042cfded15

SHA512
a26ee492733aafc5c90dff79eb1887176e162481996acb3bf99718d3f799daa289bc3c50f4c02f71ef61d6a5a670cdb925b3a5b47bd16c24938c41205bb6a0cf

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\WPS32.DLL

Filesize
144KB

MD5
1536f15da51dc7988f17fe81aa6d7dd1

SHA1
e19ab45229d89c6d5450c607d1784e37b1ebdd3e

SHA256
605630f97e3f6b834b2210ef69825c8fb22a9efcaa51f3276833afae114e4377

SHA512
96120bbc85bdfcfb3f80e944c866cf0d67eaee990691484929c52863ee37a19907a32ef79c88fdcb4a975eb4bcdc49014c665d36e152d8ff01b7270629e3cf4a

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\WRS6.DLL

Filesize
360KB

MD5
b8d1b2aefecfe0ec73ef065f377af918

SHA1
eab322acb1d95179969b75c56febd042258cc668

SHA256
7f741ee47a3ac13b2f310a94c75204f842c13d57bb9a05a04e5a6d4a9d55a87e

SHA512
9ca8cfa74af6a607a25ba61ccb4bc6608e63cb4ff37da6403395acd85177259d9e482d3787715b38776edf66eef49983830add9d21b033dfffea18a4d70ffc68

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\file.wav

Filesize
5.2MB

MD5
61b6d43b7aa1a2e45f59a99cd5c80f5f

SHA1
a45ec665632501a7fdd90520d1a5cc9e29ddcc3c

SHA256
49bdbd9c6f651f573b08c8300fcdf928be36d86450433bac00aa610d74049f66

SHA512
d74bfb70184f802cf3997fa16b1fd637e22653ba87d085b651c373608934b5f961e2d85aae6155f3ca96eb1d7afd9ac34fd88bbe78a8c9d79583061c4279df93

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdc32.dll

Filesize
348KB

MD5
1e2c7829fac8f5c3f02d5d46c164a908

SHA1
4e8e9bafa543dc15d88542f2c026b7d87cb537b0

SHA256
ed00a76486bf4b644186f2ea83559392d6a5c30beeae2674f4d56fb1f679c364

SHA512
0e381fefbac7ea9937a76df4a5d1b1d8d899bc7332c40684a9a57625f437b2457b57959f3e2d42241824026fe7da4018b6f197b970a25d78f0ed0eae218f984f

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe

Filesize
11.2MB

MD5
7366d8ddcc9fb6721c53f5feef334b1e

SHA1
91f437cf6b6dd98da5ccbb543020b5e6f1f30f27

SHA256
b3b91381d1df6f08d06ac4f74bca4e597b596001966cee4bc4401a46f1b318b0

SHA512
41990b1d6338bdd865f5f3f0915fd85ca3d165d27ca4d2f85e2def8d27d3363a28387689a3d1e4bb3b581ca71b0c2dc62cd54bf9e99537750d2f934ddfb81de1

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfhelper.dll

Filesize
694KB

MD5
9daa3cad815d1d77018e6c02421f1dba

SHA1
d3b5219540c529c91d1054cc1b7281c23fecd6dc

SHA256
67f2299c1d29f05e573143191959264aaf130c7b450bddd25e1223c06407eff7

SHA512
6a47e0bc8608473fc35828ccfbaeb238b53283a56516cc4e81ac93339a0cad11f55c5ecc88d26f8b9479ef2b47088a516cc7cfea4cbd0dd21c22a117d62e9368

Download Submit
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\ter22.dll

Filesize
1.8MB

MD5
ca1b509a093a8121d9b5753fca1e070a

SHA1
e2d20c24c8f2ddf460658d0637b1a91972163a52

SHA256
3e20fd7f5c97cc35b9567bbe85be68b70cf4eafba9b7d9adebd753e98b5cda8f

SHA512
b20423239c43aa87fd032053d65f83b89adf9479dc38a8abc88b4f2e0e15c9a6eb86f6f2b1ea451f9f7af250ac17fed236cf7c8a736559ae504131cb44deda04

Download Submit
C:\Users\Admin\AppData\Local\Temp\196323\F

Filesize
619KB

MD5
1b8a259d820e3b6dbf0085bb888cd64d

SHA1
8bc44f1b3f13d760c4831afbb4b46ebb42a0f3f5

SHA256
99d569e8196faf244515691abd0be3dcb410900ccf91a874b3270ca3d93b3d0c

SHA512
12b5d873fe487c1e00c6eb8a0f18ced6ce942ae64fedb0efbaab63ea43c2b79cdd41785f02cd7032b2c55f865e401b54486d39b533039418e31cf36b08986244

Download Submit
C:\Users\Admin\AppData\Local\Temp\196323\Resolve.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boolean

Filesize
75KB

MD5
e61e8143ab0c091309715bc5fede9d63

SHA1
600855ba65c808f489efd667910fb89d7b9d6d0e

SHA256
befb65ad68ce0b25655fb6e18f85acdc454230d6e324e7f311d463ea622780db

SHA512
7fb1cdaf23cd719dbc2a3271bc679b1314e644cf59cae6f6278a2cc692998022de66adc3e5045ae4bea7a3e40787b4dfb2fdd322e09c9a33f819bf7f80ffc47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Columbia

Filesize
13KB

MD5
76dca068cb629666eca91144e30f7d9a

SHA1
7eb536e6526ecc51d4dc1527295f9605bfddc0e9

SHA256
05e7bcacb4803b7b87a0546551228b5886131fc3571a5d8b38b881c11e77abc6

SHA512
5f2aa6ac46d5bebe3fb6133350446628965ea4a1f953b7a1768fce3f6215618bb62fa7925c44bbf3622af1ebc34e3a1f9da4ddde20c168cd70f656c86892fa30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enclosed

Filesize
78KB

MD5
1a56e65997e9317f8803df90a7deedaa

SHA1
bc9a75f41c00a207803199166d123c784c7f5c9d

SHA256
676ee76d9ff695d3e0f2872ffbd7b0d45bac9d3bec4eee1f832bb7236524512f

SHA512
5477017782136c556c497ff990dedd715c56b98cc0ccaa3b4147191cc0a4b856f281ca4a4389396ed4bfa2ae10220e9a39d5faf3c5f315d53f4c89c954185d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Familiar

Filesize
97KB

MD5
cdab67159fb964233535ad7044bde466

SHA1
2c079c4950d6dd45409e9a387e2cc982cc598ebf

SHA256
560d27faaa415138b6c2a3c363b870456fea8d43ad628c4bf0436e2da855332b

SHA512
5aab34193aef060c13b38947e5f505340dcad13ec069c78605cf5fe490f04802f269ed36e27f9f6c13a1cf59270127f8cca576cb35e1ea53112f2869ef441131

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fee

Filesize
871KB

MD5
5caf62d6192678a255b317eeb20e8c75

SHA1
ed34e0ef143514b6558def99f9ea29a1c6db9037

SHA256
ead456b39b62db259dcda071b17f4f75d9451536cf919a811e1337bbd892e6f3

SHA512
4e94042139864b4369f27540c69cd52f17b09a8b20472c2f58bd08933c798bb648caf54fd1186e0ab13a3b7cb7f0d56f1cacdc73f9d15bbb59c7d957337a348d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fyypeq

Filesize
40KB

MD5
ab893875d697a3145af5eed5309bee26

SHA1
c90116149196cbf74ffb453ecb3b12945372ebfa

SHA256
02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

SHA512
6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Immediate

Filesize
74KB

MD5
46a0e930cb7c3f5d03df571170e2b22d

SHA1
91b833cbb6a8c4345cbc013e1732ddccefcba1a4

SHA256
d0161d8e383e516187955f3885e39775859f50d04b67fba7a99f0570639f6988

SHA512
e89980de6ecf1107ddde9457427bbccd353ca3ab52e4ce9c23b4a161b9a73a8fdb8650319537958d15575176feddb1ed39724803bfa54c9fb994c01125506b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Integrating

Filesize
67KB

MD5
b5c63f06efb3ebd3635ea9674ed2b75b

SHA1
b28455870b0a9cbf86c05251ddd529c9fba3fcdc

SHA256
905c08df52e22e0e9b6dcc521af4bcc78e27db1998b864ff458394e9bfea2ad3

SHA512
927650c4bde375414687aff58afafcbb568361cea5c49112c2ce0da727ac5ea653b724259fba41c3b4acef558dfba26ef6045d3a2a0e8cfb6f0fe4a0bedd71d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lawn

Filesize
24KB

MD5
5d023824f0bb91de408ef1d6b954eb23

SHA1
81b140234856964ffd7aa100c6d80047523df019

SHA256
a1bcbe39003c15ee1e531e4ccaac05d2f7d925aef40abc5ef8aa80bed4a150a0

SHA512
4711aaaa8a4a53892b0feb7a25487a5e7a528100b3df8207500b4e056c432c96e335c6953ad4bedb73a6a1894b4b25b10a1c2a3955a6f26b98a15960473b186b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stack

Filesize
79KB

MD5
f8dfadd15b0c724443f9c5f12f26483b

SHA1
330dc644e1a79e8aa686627fd1201c7c948698f7

SHA256
50c93fae7f594407a32afbda2f877e316cca94de54101db07311291542d604b1

SHA512
9376a9a5ae5ce389224262ede24d4718bddc8e139df61f37313bf3ecab3702ee7d9b63d033259dd781760ce7f356219cb327d65a2217a34ef92f2b78fa94fa55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Surrounded

Filesize
65KB

MD5
5722f4e1e52db6ce97a2ada9ac187c71

SHA1
ad9f049e3c8cf08a147e36ae1260f5ebb40a4408

SHA256
ad76b6da286a036e7dac58ad4d18c87302d91b1768fc8aa08be7d438ff07eb5a

SHA512
2a4e2e2d77808682b521924000758d2709f30f71831c6ef04d8942c8fe492e0b1d5219fff74b05c17314973bc6f828133e79340f087f10e33279be00221a9ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telecommunications

Filesize
60KB

MD5
be0addb87db5a1247b11c445e1f253d5

SHA1
5c36f70eec403f8279734e6ca4a1ac22f2a41384

SHA256
e2d45abe5aff4929c51f336ff68e1cffa9a030ff05bf5f7954f4e8bff798edd3

SHA512
b48cfb275128e1dd61e7b6ff344bc23d679d57db8e265ebc1c8632180c982c628818bfc703d5f563f97792cba770aa01cc344ee19603b865b5d77043b61b2ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe

Filesize
176KB

MD5
a9376f54dd83bf547f6188f8904ae3af

SHA1
85bb802b0ade5b2136c83e6217a2aaace3735edc

SHA256
44661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17

SHA512
71a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe

Filesize
13.8MB

MD5
efb0528d6978337e964d999dacb621df

SHA1
244979b8495d3d173a4359d62ad771f99a0033fc

SHA256
4786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491

SHA512
4b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zen

Filesize
859B

MD5
e026bc307ba75a0005b762fd057cb2c6

SHA1
b0b4dbdf5e5ce0eab9b8eaa2ec3e7ac299f7ea00

SHA256
506dc21f9f2fdb9ec97eea78f987be593c91a719cd77eba9e6256792fc463ba1

SHA512
1962d5c7bd6f7a78ceec8873f138c23f7571707467c7a50e8e129977e6dfd8d8d67565e0fc798ded8c356107fb597af2353283c4e6a95564709d9a97e299c80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5ktxeft.0tr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
206KB

MD5
5dfd11773a165d97e5f0c53d51c52492

SHA1
3025f864238e45ed6ef5545386893f6efadcd29f

SHA256
c62e1a6d73e76fea81515d2aee25494b8553f41855549e2d8f98fe6d689569c4

SHA512
59a8782b4b517987d6347c3936ab196e7ca4edbcd668852711f6b29acc045ac8e769c68b5f4985c234da518acdd8c671a531a707f2706a35bd110bde2931b303

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
1.5MB

MD5
2978ce3b334332c2bf8e6c45652c599c

SHA1
d297e5a04848168db55cb7aa43ec9f68e88e3ff5

SHA256
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7

SHA512
57f28c9287b185183f190f3864edd84de8e6f8a28ab86468eff195a717eb57bc1c89c2b144f3a60b5c8880983ef85e3387bb0e1805d3295bfbcc323a996a5b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d5edf357fbf_BitcoinCore.exe

Filesize
13.4MB

MD5
26dc83cd26d56041c731e497b96a8a73

SHA1
5338d1bc7da69233af80ca7ef13fa1dacfc0748c

SHA256
b8927abe41a230bb684bcd01fa78d688ccf6c0df1c2177a46510b76df9f6ea6a

SHA512
60b6625e3eaeeef6445b2809f1023557a1786aabc57a4b016216bd2567f278a5a228cb07a074790e90f5c83d8e939afbbe140bb9213b252b7631336ed8a653f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe

Filesize
10.7MB

MD5
b2ceff540f1fb7234b424a5702e989ba

SHA1
db23b99773aaf3c3ccf45bb93a7321647aad99f9

SHA256
eaa5582959770d5fa7fc18fa15d6e6aedec88b7503b8d16df3dd82626fab57d9

SHA512
d42c2dbc0aecb9220c634cb3fbbe7c67eea107599048d7e3c66c01c0ed6a3c5639b6448fcc4de30e1a38a1b19bdd9882513403e3abfbffbfbdaadae49b59b342

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe

Filesize
8.3MB

MD5
b5887a19fe50bfa32b524aaad0a453bc

SHA1
cd1f3905959cd596c83730a5b03ceef4e9f2a877

SHA256
fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7

SHA512
5b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe

Filesize
4.8MB

MD5
9a0770b61e54640630a3c8542c5bc7ac

SHA1
7cc5f989a483ec381d0293978796e28a4e8b4a90

SHA256
9526753470158f5c148ba6c12f2dbd0f77cbe830ace567c44b5399d0e05b2b0c

SHA512
608e16e2c8466e2736861773710bf8a1bc3ba9860f7ed6ac8d7706ea2c9f42343e3ba88236945b0f5b70fb0ee4d1ad355d87f9fbb6edb9e23c518a1dfa839a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe

Filesize
4.7MB

MD5
4b0348bf0a8544b5c6b90c79bbeca054

SHA1
fffc3fed695f793866fc13fd2000531134e8874f

SHA256
aa0b653006f07f7129c7c1ac1d2d3fbd7a3039b2f4a00771a8138705d5782ae0

SHA512
887d7b2ff7bb4b0d0fbf68cf444e3274aa42cf30d02d322c8edb566984e6e1e9f3fe4dd29d1d70f6cd557f12749e5e17eff171c8a8391288dc3a63cb8d5fb5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe

Filesize
20.9MB

MD5
df763cc3afd7e98d660e5db9de5b1d95

SHA1
e50abf286735649267da3024aa27544eaf095845

SHA256
aee46fb12d8bd25b4033b3ef7fb04703961e68e6cbc40d6aa410b01b05e4b411

SHA512
a7622cf295023ca9073d3ae239b98268705f1b9ea850bc6c8f6db66f175b546df95a1dd4978bf376af4a6d4568ae0f78b66b3fa885a5146f6692a35c69b879c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe

Filesize
5.5MB

MD5
fdf999d19df6b5c6a03bdbe1990347b3

SHA1
3266aa1f4ee746d69601c42afcda7666efd08ea2

SHA256
7a15dd944f05b7280ae9d297f7707f5ee712821fbae770930bae1539cf9e0b4e

SHA512
3232b2b0e373104b0f3d31d0275e0d40d247abd3b3fc288cc75d29ed26161726d31728f7ac25a771b277f74fe9a274346820f7087596caf6184ea7c7ce340274

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe

Filesize
2.1MB

MD5
6a94b94ba557d5d85a1da20213d48974

SHA1
a311aa3a9243849b883867fa3d772e4c4e95d080

SHA256
e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd

SHA512
a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe

Filesize
19KB

MD5
8a4f0f41b42e3f0027066f418e5436c5

SHA1
3ce8dec5bcfd824805e40ec6f9d43ac45b6f029c

SHA256
a0b724fea63d02a4b665dfb5c047da345e949385758e6bdc20b3c42951c549e4

SHA512
19c0c02ba0fa3899f1f67cc19daab651a4384217cf81f50c3b3774cae09c5f2117bc2d43698866156e93a00948014345f96db1c8a637daf0a146862531ce3ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Co.exe

Filesize
264KB

MD5
50968bf1892077705f9182f7028c8ef2

SHA1
4785419ec767a0f0678175c8ae8fbd0b8bec624f

SHA256
d65403b37e00e6268b8a0d4e1271f35077d3e3b82573d42eeb7260836edabc24

SHA512
3e2809a85bdf471227f59d800069285e93b0ac200a284d18026637dcc2bc27df5b34445032483679f88b79b936b90e183a873a3bd073bcdb96e1e7189bc34c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe

Filesize
72KB

MD5
1ebcc328f7d1da17041835b0a960e1fa

SHA1
adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c

SHA256
6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a

SHA512
0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe

Filesize
291KB

MD5
1a679e0ccedfb2c3b8ebaf8d9b22f96a

SHA1
6ae0ff6690d0a857d145f671589a97620c1e43e5

SHA256
d16eb8da5c5ce99f1a2e38677eff8d2ae532cb1ad0eddf10a311583004675960

SHA512
8e60833f266f1a092846892659b117e06f96d5f7017ce0847333a7ae38f30b2a274bf6fe0ee43d5e94c1aa87a84ce340c4b66de256883bcf2bbc17038353a4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\R.exe

Filesize
9.5MB

MD5
fb3065fb8f756f9ccca0ef035ddb0f0d

SHA1
0d6409e94e7c06be8dbf43c78c26d26f86a1454e

SHA256
4d53c18f9c35747419cc289b1da6998457cb6ff5aeaddc1e5e474586b739b1c7

SHA512
7eb443b4efeca64f1c7fdb3273523a87ed103d78cdb1cfe0c55d1491edacffae5d4d8563598ca43012add7eeb29a405f84bab66feb67211534c18f76ff04bced

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TikTokTool24.exe

Filesize
1.2MB

MD5
3c0bc60ec3907224b9720d80bf799281

SHA1
303ce336a032b419eba255bd502bdbfcc343607f

SHA256
07d538c1cab4f197f08f0d1811a2e3538e373659e25bc08d129fe4caf631048a

SHA512
62ee08410a3deed3d65ee15e78cf43cd11ada873cb98ebecdc7eefddc4b598af2386d44f23b4e1f8496baffdd071deb888b2ab63be368b6e0d4782cb2e15a8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XWORM-V5.4.exe

Filesize
14.2MB

MD5
741b1f2ee5826897af2ba2ec765296e4

SHA1
706534d9c6a16354974b3b6fd6d1f620524b7dd1

SHA256
0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d

SHA512
a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe

Filesize
1022KB

MD5
387d4b12ac9e87b9db76589fcca2b937

SHA1
4a51340e1817d7ab2c739b1237c541b58e3b7c9a

SHA256
30d91ef269ca652f181ba1985cf2cf8a5790305927c6887e0c298c38ae87afcf

SHA512
35bd0a53169d56a12260ec280977fdf0e3c07b41baa836a931667aaaeffebad902f7fb1b61b3d33072a02823a959a54a6327aed57580b970bc0bcee464cd4f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ew.exe

Filesize
55KB

MD5
d76e1525c8998795867a17ed33573552

SHA1
daf5b2ffebc86b85e54201100be10fa19f19bf04

SHA256
f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

SHA512
c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lamp.exe

Filesize
1.7MB

MD5
1777e41c01138cfcd1b8e4b6082ae3b1

SHA1
bf83c19106c0226d8e3e08fbbd5633ce96472bf0

SHA256
7af1ac95d468a1b0d9dfb2dbe0dba8b3aca9a09e2620a0ec35dc087f829f9401

SHA512
e44f8d2b9c5f33b48c64107b9a1c8fd0ac77bf88b465e6fcdbcc2b1b3253f71922b350048e55b6d97e938892084b0d7cc098cdd208ee1f15b9434426449fa88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe

Filesize
1.0MB

MD5
7a8463b22eb60bf18f4df8444e006d96

SHA1
f1577856bf96eea03ba84a5fd85dfc9426d60def

SHA256
07dfcd4aad4d53de15bd688a17d31ce50d591173d60fa2cb629b9ed94179cc2a

SHA512
5bc787b6e6cc02c96481bfa87fa3336ba53aa596c1c4b053de40e18d400305481a7059a71c9ee9ad1e6ce3260a743860595a7cddbdbcffd7dfeb8eed06de9779

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\prompt.exe

Filesize
203KB

MD5
26ea34638c9aab0fb5411b9944f50404

SHA1
ab99b7c04950cdbaa28e6de6095efcb4d1e336b0

SHA256
01c4c4582cdfc256135e87ae42ebccb02f2c2cdea4a37c233948a3ac454e1593

SHA512
7f66607bd31f5dda446ba646e471a8546b975688a1468fd42fb10e60ab3986920efd3acf5c0b0836f7abd27f7f24544fc0e77c428ac01e84526d7794a8cc23f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rev.exe

Filesize
203KB

MD5
c457b64b8faf93fb23adb3d3b6a6cb78

SHA1
b7171be5e8a552346f4f44148c8935ed52ba90d6

SHA256
592474a6afcaa6a1147524a4a24ae9a535cd58f043e218ab64ae218ee7229f42

SHA512
0810734f3717783de50b02b64e60dfbe210ecc43be4a013c6f3a659b31122e3195a0fcd2adec2cf14be3d6c4ab6405af7c17ef8ac2ff8b30d7eb5a6c59e89ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tqh64.exe

Filesize
273KB

MD5
2d8bfa12ffd53e578028edae844e7611

SHA1
a0db3c316b9fc54b056ccb4cf284b90c95bfa605

SHA256
d61d2772dc9bd808c17c2862d4be8aa61ccc6851012967e82b2f514f94ab6f97

SHA512
8a107dcb884a19492604487f044f5e90aadfc6fd6594b3271081167bde5180c2db4fcf5333fa141944dc209f19476bf5a2c2d24f419a482cd94510185b1cc0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ywp.exe

Filesize
268KB

MD5
6a9213568bc6a19895240ff14fd57329

SHA1
bd18494cb4d7f652bcf9ce187e11ed0eccda65f8

SHA256
5618de81f0a47570c7048019102af4664a7402b657dcc060148243e97159ad97

SHA512
d6c658c22dd0e70f09c0a3d07b656ea6315c39a99bd7855f202447f88359272efdc8cfba17b5243b26fac69b5159ce2cec106f42df22bdb72f948c4f9618335d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogpXG\ogpXG.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE71.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE87.tmp

Filesize
114KB

MD5
e54dec68d633001c42366d0ecde3f2e0

SHA1
68ad889d9b6f02fa8d7c3df69d30eeff5745ef52

SHA256
387015740938f6d013d089c66d2250c6f4e80f9d7d7a0887043df3dc3f812f02

SHA512
dd531dfbbb35f4d92858227bebb93f396690e8a902cd61fc80e7a981cd34a4fdd8490130a552069f48f6a06f21f7c3a63e6e205274bb50f85cb81a1b329901f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEB2.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEC8.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAECE.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEF9.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbspam.exe

Filesize
9.1MB

MD5
2439191ec6705d5ec64a62100c3403b5

SHA1
082d5e6026166c28ce86084a670aeb51fdced867

SHA256
a4baabd02d5098ad2e56769050d9d59f3689e46fa71a08cf25a4f60aed5f6439

SHA512
8f0f1c093ac1988a2d9ea8a068afe130411a96cfe38d64a1ab4a94ec0bb1e5972ba0b78b5ff9422488b966cc15eae468bf41b7981cfff9203f5e37237dbc9b4d

Download Submit
memory/248-25-0x00007FFDD63B0000-0x00007FFDD6E72000-memory.dmp

Filesize
10.8MB

Download
memory/248-2-0x00007FFDD63B0000-0x00007FFDD6E72000-memory.dmp

Filesize
10.8MB

Download
memory/248-1-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/248-0-0x00007FFDD63B3000-0x00007FFDD63B5000-memory.dmp

Filesize
8KB

Download
memory/248-24-0x00007FFDD63B3000-0x00007FFDD63B5000-memory.dmp

Filesize
8KB

Download
memory/688-774-0x00007FFDD1C40000-0x00007FFDD1DE8000-memory.dmp

Filesize
1.7MB

Download
memory/688-770-0x00007FFDD1C40000-0x00007FFDD1DE8000-memory.dmp

Filesize
1.7MB

Download
memory/688-771-0x00007FFDD1C40000-0x00007FFDD1DE8000-memory.dmp

Filesize
1.7MB

Download
memory/796-1110-0x0000000140000000-0x00000001400354C0-memory.dmp

Filesize
213KB

Download
memory/1404-1032-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/1660-259-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/1660-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-258-0x0000000005F00000-0x00000000064A6000-memory.dmp

Filesize
5.6MB

Download
memory/1668-798-0x00000000008D0000-0x00000000009A4000-memory.dmp

Filesize
848KB

Download
memory/1668-957-0x00000000008D0000-0x00000000009A4000-memory.dmp

Filesize
848KB

Download
memory/1908-1098-0x0000000000780000-0x0000000000E15000-memory.dmp

Filesize
6.6MB

Download
memory/1908-1112-0x0000000000780000-0x0000000000E15000-memory.dmp

Filesize
6.6MB

Download
memory/2136-547-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/2368-1077-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/2368-1079-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/2368-1076-0x00000000004C0000-0x0000000000D02000-memory.dmp

Filesize
8.3MB

Download
memory/2368-1078-0x0000000005A00000-0x0000000005BB0000-memory.dmp

Filesize
1.7MB

Download
memory/2560-744-0x0000000000920000-0x0000000001750000-memory.dmp

Filesize
14.2MB

Download
memory/2592-959-0x0000000006220000-0x0000000006577000-memory.dmp

Filesize
3.3MB

Download
memory/2592-980-0x0000000007CD0000-0x0000000007CE5000-memory.dmp

Filesize
84KB

Download
memory/2592-979-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/2592-978-0x0000000007920000-0x00000000079C4000-memory.dmp

Filesize
656KB

Download
memory/2592-969-0x000000006B700000-0x000000006B74C000-memory.dmp

Filesize
304KB

Download
memory/2592-968-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/2788-389-0x0000000075830000-0x00000000758B5000-memory.dmp

Filesize
532KB

Download
memory/2788-383-0x0000000001600000-0x0000000001659000-memory.dmp

Filesize
356KB

Download
memory/2788-478-0x0000000075830000-0x00000000758B5000-memory.dmp

Filesize
532KB

Download
memory/2788-390-0x0000000005230000-0x0000000005389000-memory.dmp

Filesize
1.3MB

Download
memory/2788-399-0x0000000000400000-0x0000000000F44000-memory.dmp

Filesize
11.3MB

Download
memory/2788-400-0x0000000000400000-0x0000000000F44000-memory.dmp

Filesize
11.3MB

Download
memory/2788-404-0x000000006E600000-0x000000006E69D000-memory.dmp

Filesize
628KB

Download
memory/2788-403-0x0000000063280000-0x00000000634BE000-memory.dmp

Filesize
2.2MB

Download
memory/2788-415-0x0000000000400000-0x0000000000F44000-memory.dmp

Filesize
11.3MB

Download
memory/2884-769-0x00000266E8100000-0x00000266E8CEE000-memory.dmp

Filesize
11.9MB

Download
memory/2884-755-0x00000266CBDE0000-0x00000266CCBC0000-memory.dmp

Filesize
13.9MB

Download
memory/2980-341-0x0000000000A50000-0x0000000000AAB000-memory.dmp

Filesize
364KB

Download
memory/2980-342-0x0000000000A50000-0x0000000000AAB000-memory.dmp

Filesize
364KB

Download
memory/2980-344-0x0000000000A50000-0x0000000000AAB000-memory.dmp

Filesize
364KB

Download
memory/3084-697-0x000001CDD0BD0000-0x000001CDD0BF2000-memory.dmp

Filesize
136KB

Download
memory/3648-483-0x00007FFDD22D0000-0x00007FFDD2477000-memory.dmp

Filesize
1.7MB

Download
memory/3648-481-0x00007FFDD22D0000-0x00007FFDD2477000-memory.dmp

Filesize
1.7MB

Download
memory/3648-479-0x00007FFDD22D0000-0x00007FFDD2477000-memory.dmp

Filesize
1.7MB

Download
memory/3824-23-0x00000244DFDF0000-0x00000244DFE2C000-memory.dmp

Filesize
240KB

Download
memory/3824-22-0x00000244DFC20000-0x00000244DFC32000-memory.dmp

Filesize
72KB

Download
memory/3824-21-0x00000244DE410000-0x00000244DE42E000-memory.dmp

Filesize
120KB

Download
memory/3824-26-0x00000244F95B0000-0x00000244F9772000-memory.dmp

Filesize
1.8MB

Download
memory/3824-27-0x00000244F9CB0000-0x00000244FA1D8000-memory.dmp

Filesize
5.2MB

Download
memory/3824-197-0x00000244F93E0000-0x00000244F9456000-memory.dmp

Filesize
472KB

Download
memory/3824-198-0x00000244F8540000-0x00000244F855E000-memory.dmp

Filesize
120KB

Download
memory/3824-200-0x00000244DE2E0000-0x00000244DE3E0000-memory.dmp

Filesize
1024KB

Download
memory/3824-199-0x00007FF7B0690000-0x00007FF7B08B3000-memory.dmp

Filesize
2.1MB

Download
memory/3824-20-0x00000244DE2E0000-0x00000244DE3E0000-memory.dmp

Filesize
1024KB

Download
memory/4052-955-0x0000000000670000-0x00000000009A4000-memory.dmp

Filesize
3.2MB

Download
memory/4384-990-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4484-502-0x0000000006600000-0x000000000664C000-memory.dmp

Filesize
304KB

Download
memory/4484-535-0x0000000007B00000-0x0000000007B0E000-memory.dmp

Filesize
56KB

Download
memory/4484-489-0x0000000005860000-0x0000000005E8A000-memory.dmp

Filesize
6.2MB

Download
memory/4484-488-0x0000000005100000-0x0000000005136000-memory.dmp

Filesize
216KB

Download
memory/4484-526-0x0000000007940000-0x000000000794A000-memory.dmp

Filesize
40KB

Download
memory/4484-527-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/4484-490-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/4484-516-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/4484-515-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/4484-514-0x0000000007800000-0x00000000078A4000-memory.dmp

Filesize
656KB

Download
memory/4484-513-0x0000000007530000-0x000000000754E000-memory.dmp

Filesize
120KB

Download
memory/4484-504-0x000000006BCA0000-0x000000006BCEC000-memory.dmp

Filesize
304KB

Download
memory/4484-573-0x0000000007C00000-0x0000000007C08000-memory.dmp

Filesize
32KB

Download
memory/4484-503-0x0000000006B30000-0x0000000006B64000-memory.dmp

Filesize
208KB

Download
memory/4484-571-0x0000000007C10000-0x0000000007C2A000-memory.dmp

Filesize
104KB

Download
memory/4484-561-0x0000000007B20000-0x0000000007B35000-memory.dmp

Filesize
84KB

Download
memory/4484-491-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/4484-497-0x00000000060E0000-0x0000000006437000-memory.dmp

Filesize
3.3MB

Download
memory/4484-501-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/4484-529-0x0000000007AD0000-0x0000000007AE1000-memory.dmp

Filesize
68KB

Download
memory/4504-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-297-0x0000000006830000-0x0000000006880000-memory.dmp

Filesize
320KB

Download
memory/4504-301-0x0000000006920000-0x00000000069B2000-memory.dmp

Filesize
584KB

Download
memory/4504-311-0x00000000068B0000-0x00000000068BA000-memory.dmp

Filesize
40KB

Download
memory/4528-800-0x0000000000910000-0x0000000000C44000-memory.dmp

Filesize
3.2MB

Download
memory/4728-528-0x0000000000C00000-0x0000000001582000-memory.dmp

Filesize
9.5MB

Download
memory/4732-789-0x00000000008D0000-0x00000000009A4000-memory.dmp

Filesize
848KB

Download
memory/4732-802-0x00000000008D0000-0x00000000009A4000-memory.dmp

Filesize
848KB

Download
memory/4744-1119-0x0000000140000000-0x00000001400354C0-memory.dmp

Filesize
213KB

Download
memory/5016-320-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/5016-339-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download