Overview

overview

10

Static

static

3

xfer recor...nt.exe

windows7-x64

10

Analysis

  • max time kernel
    600s
  • max time network
    593s
  • platform
    windows7_x64
  • resource
    win7-20240903-es
  • resource tags

    arch:x64arch:x86image:win7-20240903-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    06-10-2024 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xfer records serum keygen torrent.exe

  • Size

    789.6MB

  • MD5

    c34b5e3e41da18832f20396ce3f0830f

  • SHA1

    ff9ddeee78b111a35e064ccd59e91881c61dd948

  • SHA256

    a0e6d0eb6d9a7c3e70e4908be70d3a1439421692d033e2a07a36284fb08c2910

  • SHA512

    5e57e493e9bff3efa992e9ed6e4fb25d717b57208ca73dcb57d87b421b0afe27d387dfea444f7f1222063e0fa05b6631cc0a7c9ba83e88d0d98130e433ccc0c6

  • SSDEEP

    393216:SjSaYG7C1vebP6ORz930cDuiG2atWnVdYqf0euoAXwc:SuNGG1OP6ORZEciaa4XYqnNvc

Score
10/10
lummastealcvidardefault5_dozcredential_accessdiscoveryevasionexecutionpersistencespywarestealer

Malware Config

Extracted

Family

lumma

C2

https://trustterwowqm.shop/api

Extracted

Family

vidar

C2

http://proxy.johnmccrea.com/

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default5_doz

C2

http://62.204.41.159

Attributes
  • url_path

    /edd20096ecef326d.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://my.cloudme.com/v1/ws2/:gofilenew/:mpresents/mpresents.txt

Signatures

  • Detect Vidar Stealer 5 IoCs
    stealer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Modifies firewall policy service 3 TTPs 1 IoCs
    evasion
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 62 IoCs
  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 12 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 5 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\smss.exe
    \SystemRoot\System32\smss.exe
    1⤵
      PID:256
      • C:\Users\Admin\Documents\iofolko5\O0Ea6JNLqTaUCbFuFK480sxW.exe
        C:\Users\Admin\Documents\iofolko5\O0Ea6JNLqTaUCbFuFK480sxW.exe
        2⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:2528
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2528 -s 204
          3⤵
          • Loads dropped DLL
          PID:1964
    • C:\Users\Admin\AppData\Local\Temp\xfer records serum keygen torrent.exe
      "C:\Users\Admin\AppData\Local\Temp\xfer records serum keygen torrent.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Newbie Newbie.bat & Newbie.bat
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa opssvc"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2744
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2296
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3064
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 705685
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2512
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "LadderAllenChiSocial" Dependence
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3068
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Cholesterol + ..\Mart + ..\Pretty + ..\Consequently + ..\Latter + ..\An + ..\Hungarian + ..\Pod + ..\Publishers + ..\Termination + ..\Auto + ..\Names + ..\Bad + ..\Book + ..\Contribution + ..\Trunk + ..\Dollar + ..\Viewer + ..\Montgomery + ..\Accounts + ..\Forwarding + ..\Columns + ..\Incident + ..\D + ..\Innovation + ..\Pair + ..\Own h
          3⤵
          • System Location Discovery: System Language Discovery
          PID:588
        • C:\Users\Admin\AppData\Local\Temp\705685\Confirmation.pif
          Confirmation.pif h
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Users\Admin\AppData\Local\Temp\705685\Confirmation.pif
            C:\Users\Admin\AppData\Local\Temp\705685\Confirmation.pif
            4⤵
            • Modifies firewall policy service
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Users\Admin\Documents\iofolko5\FpyQtM4RiLrXpETrJ2fo_FXO.exe
              C:\Users\Admin\Documents\iofolko5\FpyQtM4RiLrXpETrJ2fo_FXO.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1644
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2076
            • C:\Users\Admin\Documents\iofolko5\jofn3zwnZjCjWt8xusRYD1cc.exe
              C:\Users\Admin\Documents\iofolko5\jofn3zwnZjCjWt8xusRYD1cc.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2812
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                6⤵
                  PID:2736
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  6⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2836
                  • C:\ProgramData\DHJEBGIEBF.exe
                    "C:\ProgramData\DHJEBGIEBF.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:2948
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:2480
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKKEBGCGHIDH" & exit
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:2892
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 10
                      8⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:2756
              • C:\Users\Admin\Documents\iofolko5\ThAVVP3o0_BoxmfVCFSxC2PZ.exe
                C:\Users\Admin\Documents\iofolko5\ThAVVP3o0_BoxmfVCFSxC2PZ.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2512
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  6⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1168
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCAAEBFHJJD.exe"
                    7⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2964
                    • C:\Users\AdminCAAEBFHJJD.exe
                      "C:\Users\AdminCAAEBFHJJD.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:2816
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        9⤵
                        • System Location Discovery: System Language Discovery
                        PID:2832
              • C:\Users\Admin\Documents\iofolko5\ihZKKtkWlE9zeJ9TK4sc7Pgy.exe
                C:\Users\Admin\Documents\iofolko5\ihZKKtkWlE9zeJ9TK4sc7Pgy.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:396
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2524
              • C:\Users\Admin\Documents\iofolko5\4yqBItroKdpJQ7g13X_gqZKM.exe
                C:\Users\Admin\Documents\iofolko5\4yqBItroKdpJQ7g13X_gqZKM.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:2340
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"
                  6⤵
                  • Drops file in System32 directory
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2304
                  • C:\Users\Public\InformationCheck.exe
                    "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2076
              • C:\Users\Admin\Documents\iofolko5\Rjuwc4Y_AEym8UYvDO4XIjvd.exe
                C:\Users\Admin\Documents\iofolko5\Rjuwc4Y_AEym8UYvDO4XIjvd.exe
                5⤵
                • Drops startup file
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:2496
                • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe
                  "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe"
                  6⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  • Modifies system certificate store
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1960
                  • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\GoogleUpdater.exe
                    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\GoogleUpdater.exe" --checker
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1124
                  • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\74806897ce7746c081fe105d59018237.exe
                    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\74806897ce7746c081fe105d59018237.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:2680
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:1796
              • C:\Users\Admin\Documents\iofolko5\WG68MMj9CsZYFhlAUnMThHi5.exe
                C:\Users\Admin\Documents\iofolko5\WG68MMj9CsZYFhlAUnMThHi5.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2960
                • C:\Users\Admin\AppData\Local\Temp\is-QG6DN.tmp\WG68MMj9CsZYFhlAUnMThHi5.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-QG6DN.tmp\WG68MMj9CsZYFhlAUnMThHi5.tmp" /SL5="$12019E,5073833,54272,C:\Users\Admin\Documents\iofolko5\WG68MMj9CsZYFhlAUnMThHi5.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  PID:2860
                  • C:\Users\Admin\AppData\Local\Screen Camera Lite\screencameralite32.exe
                    "C:\Users\Admin\AppData\Local\Screen Camera Lite\screencameralite32.exe" -i
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2228
              • C:\Users\Admin\Documents\iofolko5\S9E_zuKRBtLLiTnLzOiXuMPM.exe
                C:\Users\Admin\Documents\iofolko5\S9E_zuKRBtLLiTnLzOiXuMPM.exe
                5⤵
                • Drops startup file
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1176
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1376
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2804
              • C:\Users\Admin\Documents\iofolko5\O0Ea6JNLqTaUCbFuFK480sxW.exe
                C:\Users\Admin\Documents\iofolko5\O0Ea6JNLqTaUCbFuFK480sxW.exe
                5⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2844
              • C:\Users\Admin\Documents\iofolko5\zhr9Vkmk6r7zDBC3JtPjhNfV.exe
                C:\Users\Admin\Documents\iofolko5\zhr9Vkmk6r7zDBC3JtPjhNfV.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2508
                • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2148
              • C:\Users\Admin\Documents\iofolko5\EkRTKeBHSNKeo2WUEGtuO7Lv.exe
                C:\Users\Admin\Documents\iofolko5\EkRTKeBHSNKeo2WUEGtuO7Lv.exe
                5⤵
                • Executes dropped EXE
                PID:1832
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2076
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1568
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:880
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2256
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe delete "QTXSWVVV"
                  6⤵
                  • Launches sc.exe
                  PID:2272
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe create "QTXSWVVV" binpath= "C:\ProgramData\aevrrerqmhcb\hutopimmbtzg.exe" start= "auto"
                  6⤵
                  • Launches sc.exe
                  PID:1560
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop eventlog
                  6⤵
                  • Launches sc.exe
                  PID:1772
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe start "QTXSWVVV"
                  6⤵
                  • Launches sc.exe
                  PID:2488
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1796
      • C:\ProgramData\aevrrerqmhcb\hutopimmbtzg.exe
        C:\ProgramData\aevrrerqmhcb\hutopimmbtzg.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:1192
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2484
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Power Settings
          PID:2864
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1588
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3004
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:1736
          • C:\Windows\system32\svchost.exe
            svchost.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2732

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        System Services

        2
        T1569

        Service Execution

        2
        T1569.002

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        3
        T1543

        Windows Service

        3
        T1543.003

        Power Settings

        1
        T1653

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        3
        T1543

        Windows Service

        3
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Impair Defenses

        2
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        3
        T1112

        Subvert Trust Controls

        1
        T1553

        Install Root Certificate

        1
        T1553.004

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        3
        T1552

        Credentials In Files

        3
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Process Discovery

        1
        T1057

        Query Registry

        3
        T1012

        System Information Discovery

        3
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\DHJEBGIEBF.exe
          Filesize

          547KB

          MD5

          3052cbcb7461c502a7ecfa933515d258

          SHA1

          9ab40f94db334eb846b91bf081acd2f943319aa5

          SHA256

          f6bba2d93711805269a9ae75ef72f380a6e7de9229cb891f2a6e47dc17755c00

          SHA512

          5fbdcf89281b21e0aade6088f2b343a724f90d5423f269c654a88a3bfa3c51e435caf32e714c9c48c6bb41ab3186522b3eeb5dec49bff4c57c70ea6b8149900f

          Download Submit

        • C:\ProgramData\JKKEBGCGHIDH\AECAKJ
          Filesize

          6KB

          MD5

          66fb0a7a75628675789c8d445c27b22a

          SHA1

          49d580af70b52e4770e29005909aca9ca0e1331e

          SHA256

          ad359bc31b3603b7a4bbb08a5d7a4c5ae0effdd0d83c701ae5b3f40ed70111d2

          SHA512

          f47c166fb2970fe8987a5c62839983b275c84a3c5517f033d428aca8e51fd2e721edc46a1a2879cda6f5175c803d24475629788ecb2b59cf6cbf774c4ad19f3f

          Download Submit

        • C:\ProgramData\JKKEBGCGHIDH\IEGCBA
          Filesize

          92KB

          MD5

          0040f587d31c3c0be57da029997f9978

          SHA1

          d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

          SHA256

          a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

          SHA512

          3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\mozglue[1].dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\705685\h
          Filesize

          1.9MB

          MD5

          cc7a8aeef189d5d3b73ef5f925107d00

          SHA1

          8035bae2fd84c9bf1e1455cd1c9178e31c5a7885

          SHA256

          68ef046a83320974ab117c14e1d6f445cabbcfcfdbff037dd344b4198f7e4f6f

          SHA512

          2ff7978a02573b6467f1ad6e2a328b9b1f567a28190aef5984e579420b7268bcbebbb47578bbe5161a7193953eab7fd48714d135efde7f77c96080d96806fd98

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Accounts
          Filesize

          76KB

          MD5

          9bab97cdffb7bbdfe74bd30cbd1eaef6

          SHA1

          97fec5799dfdebc5627a481b311f634557f3d6aa

          SHA256

          336d5af1df844eab930cd6a65fcea4dfa895ff465dc18adbd7b65add7f8c0d56

          SHA512

          a434068e0f3c69e911c1a678b49ef37378532ae900d1e603b16875530cbcd52095cb0080d9230ad966c7f495cc2debfabd2ae85861663a84f7572327ffdad795

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\An
          Filesize

          67KB

          MD5

          f7c2147a96c7ceff920cdf8d7ba2c41a

          SHA1

          40bd65cd077c6ec2068c34d6a6210f56a681c8f0

          SHA256

          2ce3441be7ef60f42c32cdea702fdef8424afdf63d04df78c2cc12e4d07ad370

          SHA512

          20261b3a25f1456391b98a2f3ff07ba650021495b8337d98a59d770556406dd429085ff67319c59215f96740ee5590927720bc21a7ead20c60d3970b52d42f5e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Auto
          Filesize

          53KB

          MD5

          e5cf813fd0b4a67dc95f61a18c45fdc3

          SHA1

          41156af7456f50f4efb6397db974891a605587ea

          SHA256

          6ca17f468b33577dfa31ec11374591268e4d2dee6071aebb1bf370d4d1221218

          SHA512

          8d12f1ce0fc5285c9ae1124ab1aa5feb375007f700f69eedcc1e3f0540a1717e9d246fb63679af1b087b95b5ae000a0456d41475c4b05bfc64f4f016c8d71f84

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Bad
          Filesize

          51KB

          MD5

          7df19ed322c890772903197caf80ae37

          SHA1

          8e347272daae4e9397b21b2c628e9397708c5ff2

          SHA256

          8a1ab4dba26b101261b6ad5c9654718a69ce3610719977af3c7d0c4cd7e432d2

          SHA512

          8c1113a9269bc5973a4b21338a25eae535a7d47679d5badf092f260b19d65f2436ede07ce847f99e8a80058f68015eec24840c2cb29d8bb1e335220b4c3eb4fa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Book
          Filesize

          50KB

          MD5

          9f1fd1c8dd619d82d6765b702486984e

          SHA1

          f8b9bcae0864699eb11431de29183f8ff839df18

          SHA256

          71963eab0dc18e4b7ab67d48f514c5fab3ebf1004bf1311fa2964963cb8e3f27

          SHA512

          e86c95f03512f37c6e8f5adbd0803343b2a9791ce44d494422ed1ad1380e986457ac2d4c25d90be3e867842f1a084765ee40fa703319ed52ef6b9820b22e2734

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab3036.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cholesterol
          Filesize

          58KB

          MD5

          cd96b4863f697f41f60fe1d5f7aa2958

          SHA1

          272043393f93d90c051793b2edb18f142b57e8c2

          SHA256

          901119c87ac00f1394dba5f99d02f8cf53f4f3868562a255d6ea16a6358d1da6

          SHA512

          f8da02c973cd8d148a19553b85b1e3c329b3d3eb7bd6c8f622729e7eb0f72b5c8d24c86deb53da1051cb490fc21209906ddf8d5bd917552e84c35bb7ed9efe6d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Columns
          Filesize

          95KB

          MD5

          c06e45b2b7b81f8671590708bf240f71

          SHA1

          cd1c65d4262e13dba3f4e7d3126efd0abad8ff27

          SHA256

          537c0d2b5de595cb390a5f9b996af785e94048436f53fa79e16a992fb153ce03

          SHA512

          d6374b53063d1d815ca0167e1884c4cbebfd896250bcc952303dfeb1b5d3383d049178db5c2843069fb9a1b6b3365d59a49bbbe23c2355d96fa85ab90f7a4713

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Consequently
          Filesize

          83KB

          MD5

          d94e99b3fe12d0adc81d3235fdf35ede

          SHA1

          f5512fb99f35b9f136dc025466aadf30a233e1c2

          SHA256

          6aff44a7ffc9e68ddf9e83762a1ee54a95c908fa44f7aff571c70ea1b68d5d8c

          SHA512

          74f989f27491bf4a1e6b934463b10b143adac6b0171432b4acb5549d026674553c485232fb5f6d914a6301efb9060071de35118856938a4b6d0613e0f194b22b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Contribution
          Filesize

          82KB

          MD5

          77fe9ace744ea5090f60c91e0f35e232

          SHA1

          9b8f6c2d2d2bae9a5b97c36f238251ecc3bc4eb4

          SHA256

          50a10473e5659812016e2fbe16740d09e25aba4590483ff37ca2b79bcbfad888

          SHA512

          73f381a503c579ea54c5f755abb5323ab8e94311227489bc194a3dfa91b425cf1478bb634fceaeb1ff25938ba6d5a643c27a5de0c7df172c06e4f50a3009719f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D
          Filesize

          73KB

          MD5

          46a05962148668c2eab300841c246d0b

          SHA1

          cd899d60d0773ce1641f28f11255f08883f57c4a

          SHA256

          10eeb06915f4f2c3b3545d5570df38fa89a633ef41d24d51f758bf183dd890fe

          SHA512

          dda4a3794b641e42d65ac033e26b83ef45cfd9411e2ed09328b9aff1924611c9f018aad65ead6458f332e83af375f67e2cf7ebe14b596bc086713cbdbd3bebff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Dependence
          Filesize

          6KB

          MD5

          44d3d34ebe8fcd06a1e36f3c52eb029f

          SHA1

          d5ea64f3e680a385928f6e7b59f759d2a9363e5e

          SHA256

          261130e99004776150ed5700d12be8164998c2d4f8545b773afcfd7623a7882c

          SHA512

          ac2d9e84c8f4e3ce60e3a3548db6c16a681559d2fef11b572a819a1f03ed47577c7afe649ceb3e102fcd9ae7a7e3735e66eb7cfbf1e98269f275ce1251cb5cbe

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Dollar
          Filesize

          74KB

          MD5

          7a260353296373d18688959ec639481c

          SHA1

          dec75bfce0274b77b630d84b90d42203262f5945

          SHA256

          97f47aad3b772a61eb33146c3ad884fa98a62ba74f721c5c385a1752639f28b4

          SHA512

          f16a938613403149453294de62ba381d3303256b8a292faa9e60ddc15b9b1691ebde2021fd7330683b350250236f77689ec76036fa9d2562c04a51f199a1f154

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\74806897ce7746c081fe105d59018237.exe
          Filesize

          2.0MB

          MD5

          79cf58b32eff022542a2dbcdbb6c42a9

          SHA1

          0f4cff683494e602effa0932c7f457743fb929cd

          SHA256

          850840373ee776ef1ade522751768d515c320dc399cecd4a2f37127fa8d4e0ac

          SHA512

          990fe9234df23de9529c0682fb50430713184a86d3241dea5de904209727a62fa3c63aa7fe1eed6d47db252afce3f3e0f64170e980f47053a870cbbf61898bd4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Forwarding
          Filesize

          97KB

          MD5

          8158c9ef2b8c79ed8ff700a7fcf2046a

          SHA1

          44eca002690aa07cdffa9624aed883eba0c7bb8c

          SHA256

          026c51576201a0db9c97c92459bcdaf375fc1c16762df36ddef7cc95f2ec3bbc

          SHA512

          27b25e1d594eedf07a6bab19b813714b45be345426d91ba6ac2faa7f5806bc1799c8fee2412efb59313d0517be1a107c01a12a17ab81161800b0e57e17392690

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Hungarian
          Filesize

          52KB

          MD5

          fb5e25f08ed7f7b8021e02c368cb09a7

          SHA1

          710cd4681badea027e91b9bb361ae2ed3d990567

          SHA256

          565401f0f128368517bcf7660641ab133b31b8f62c9d67d809a929f93a604835

          SHA512

          0ad50fd132480c42c94ab18cc5a1850e999dffe4a75f1b90a1b35443fe67bc1a4f4c579826cebcab6b80859e0050c511a091e49b03d3eca42b467f56dc396006

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Incident
          Filesize

          75KB

          MD5

          50106d16ba7533876ebf0a17b25e126b

          SHA1

          5bd3772a4d820deb24480f48eaadd138c98e1ffa

          SHA256

          20457a6e41ebfa593801db8dbec760da03ed63d42f81ad7abc17093de7b04c4c

          SHA512

          8e8e3a7703f774c7ad4418433031e65bc834ea7a00724659b1fa1c71af31ee2198f970d15a4728d6e52959f929a4493a8555bcfd9c463484f8cc853b78c2b9b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Innovation
          Filesize

          77KB

          MD5

          72632a0bab5eac2286554b42f86a1820

          SHA1

          7d6f4d44e96280bb76ae04408e14abcfadfd636f

          SHA256

          1249c7d926fd5d22568f720531c895144d7a07fae2c928ec32cb1d37a54589d6

          SHA512

          a5dea1a1c17dea656e84baf7f30ae1d1a98fa4bd74bdad6abf8785da8a710aa1e1b7365b1b3b9508d47f1b28d74cdcb275a0304a108e4c1b64ffb23b04cddc27

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Latter
          Filesize

          76KB

          MD5

          f8b6b7007a00fbd87c41e86c2fa670ba

          SHA1

          0a32ab0eb8033559a56505dc46568a53e7babb8c

          SHA256

          ff095a33aacfc49fbc7f9e69b9c9be9e70038793d1f0775b34a122effd35bd53

          SHA512

          30f5e6eef2f3d9ccdc27c7cdb5a423f40df62be22f2d5f8afdea34cd6f9ac93480c6c94566c48b9d3616ef8b91c313db14ea4f3665d6cba117191344a88de008

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Mart
          Filesize

          97KB

          MD5

          f1a876f0e12db86afec877c784919983

          SHA1

          4a3f852628b40253c048ba1c60b4ba235647323d

          SHA256

          7690fd321edac355958e096891770cf9c4bfcbfd4a46ac42e5cc4b5a78c2705b

          SHA512

          a47983c031e9909b5e3f7346a2c3ed893c6a9b51fdf9e988a009b3154fdc7e35628544cf62552c671fe87bab34c429ca69acd9b5d7dbccfd0d8fa092042bcdd4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Montgomery
          Filesize

          96KB

          MD5

          c567e9aa3ca6191e46732f680524b457

          SHA1

          fabc567d73942b10248a8b434bc44b8b2560933f

          SHA256

          43ee7d4b00558674c0b2b0afcf84ff7d963c8a99dd08ef33d1a826960d1678c1

          SHA512

          19c044ea54a79f4b8556867889167b86a3f3d5fe02f5cae5a6370300151ca2e4becd2ee22917b31761c3c87728f5f029a3ec57be806a20c08067eb4a1911d79d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Names
          Filesize

          62KB

          MD5

          b12bd6871223fbb0c514296c0de2f135

          SHA1

          98cae3783bf77ef9609a1b085f612fbf0ee90d5f

          SHA256

          a446dd4efbf1c81cec086d265ac1477117c0760503cd9fc0f293cbbdb558ec71

          SHA512

          978b6034a9ded4994d689d0adb58cdbbbd2e94381db80f6834c589916fda3cd8cf76b4f4ac7c36bcd7a72507a22d2a038037cdd619cbe088523f5ae0c8ca0e68

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Newbie
          Filesize

          17KB

          MD5

          74c97b08b7dc106d2da14e17aff27cc1

          SHA1

          7345d2022cf8c4059fc33e3172a7e11fe030b992

          SHA256

          36d455e9d16898df044eb2b1611a453c3445fdf12a1505e0432a79f605acd462

          SHA512

          18a5a91c87a6a1c7f0a6552870641fd3a4e15e8dd31b80265e46d10641430e56edafc3bbb1a815f6fda3a225c3f7d6ddda6a6062dee240ce080c91fc9e50215a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Own
          Filesize

          58KB

          MD5

          ea92f24f6b30c72cc570b324b457a5cb

          SHA1

          9db0e258914511a2587449e54b0d0dfd95df9e51

          SHA256

          d9f5f85a8617c15e64b1d195b505484e81dbd90f76f09c9bc2064b8009def948

          SHA512

          c01dad9318d9b673334df4b55079c42e7f1dee0da70a0734cf35a2cbfd24b679976c7e7efa6163fea5597e59b3edb9707e2ad10770ed56a71a0260f5be7f7efa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Pair
          Filesize

          62KB

          MD5

          5820dd5134bdfbd4a1d33c3f69722af3

          SHA1

          135315758a0f889142c6b1d03aa4d446d68109d2

          SHA256

          0a51d6d1756a88dfdd6f7f17d8c104d6a7bc3c483e7f5a909d5f0376388a12f2

          SHA512

          8d24719c5bd654b6461fe44249fd47f583a375c8eb137b1c36eaf8a53fccb871e59c9845d9f3397b508b2f6b76ea700ee8ca9cbe76df5cc77ba18fede7547818

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Pod
          Filesize

          77KB

          MD5

          95bf8570f5eee649f7a8cf26bb6d9282

          SHA1

          267c6d85685fae5f3e847da5f6cd5e06060471f3

          SHA256

          b66f0aeb70777264810b5e8500b6e562d8613c348626b4c72e19be813ddfdcbc

          SHA512

          58b65bc54f79d953a3ba1439c02c6c3a189db272654309368eb4190150df4cc47f8af8d8fb396670f76606f7c11e900c2933011ef09ca1b041162a2f5db17cbe

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Prefers
          Filesize

          866KB

          MD5

          b9df2ef7468fd0d82bad1bb800179153

          SHA1

          8eaf7188c40c2d8aeabc382ef6d234c83411f0e8

          SHA256

          3527e01919c940aa96aff2fc7fbcda0a709e8167f0ccd7cf99b3b05d6e9b2cfa

          SHA512

          d678757093dd50c5b11ad8d3b77963ed41db163d2bad4bf4fb669155fb06585442d2a4a04da3b1c4fbb5de8e5638ce194122758654a47fb73374f493e2fb2093

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Pretty
          Filesize

          68KB

          MD5

          c0d47c5a852d5b150d4635751b05354b

          SHA1

          33105a6dfb946e370069feb96437bb9b511ca6ed

          SHA256

          061ead97da5d75329854ffe838d655a4009f464d8c213899d86d1877c522c9bc

          SHA512

          37d527c5d2d8270810aa71de26a4f3b1e92aeb0a74d2ac50a8613d75ec3df1091e86cf964481169a1b8a0d6815b92b644c3fcbeac112c373398b68b9177370c0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Publishers
          Filesize

          77KB

          MD5

          aeec156eadda8f3ab54942386d115c9e

          SHA1

          2180f4d8b6bb116a58d53d4620dc219f53a32cea

          SHA256

          edc26d860fb93ae719fdce0d9de9a1a367c4ee5d8d5d594675c08fac3c5702ac

          SHA512

          90f15cf5ed4484ba008a57df129076fac5209d08e7efa7f794f441e436a7834d713a54a9bf419af71452d5053f0f9f0e4fcbca8f8740f7f380e605565a35ced1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar3059.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Termination
          Filesize

          59KB

          MD5

          37e21ab4cf57679f57be62e06d54ebde

          SHA1

          e03642b281d2c352ca6c4b174c6d1132fc74c8fd

          SHA256

          141ac183e79cad7b4b2299b0d6d126a80234ca44e93a537fd59396b51f122668

          SHA512

          41112a7e25967324edaf823624ae11865f94a0eab9b282f28f6bd006e8ce0a72782fa1b5255531950000895190e2ac0c421644d1ba09ac8a81473a7c580b9c8f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Trunk
          Filesize

          82KB

          MD5

          b7073eaa1c4888f97adcfb867def3dea

          SHA1

          a3e096bd72e7f6f57d61d832503993dddfe1e072

          SHA256

          14e43584f53942c2386a7c9d68e1c1836147e4a2bf7dc684731f2aedcf241405

          SHA512

          3fdc291916b18cfe1cf56d73d9a856b2f4ab89658c9660f7a3bca3f97cc311be3150cc6798a5c520e8eb0103e8301fac0bf2b7d4d35eeff5d1508961d58a79f3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Viewer
          Filesize

          61KB

          MD5

          5e431b7c5ed155f8a046fb475d0fc84e

          SHA1

          e361e0bc22f99e5e7dbc989c8d7e6d6ebb9878c5

          SHA256

          e65eed1c391c70880e08056d2c7a35fb8650b01d92edb57a7fc9990373ad6724

          SHA512

          2437af95290ea7329ebcf18c719e144a1cea3f43e659830c065408e52e367cc8e1507b04bec2c04ee18a0464ca3dee147329598b06973fe3ce7e67fa42c98a06

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7198ef6f1ebc4af89cad27ec24855b9e.lnk
          Filesize

          1KB

          MD5

          37097e18917e9de128cfdb8cb49c3618

          SHA1

          dc821aaf204cabae453f657ed919c331e77c5378

          SHA256

          aa5f61ff197d20f4fa828b8a45d14de20137229420099afffa8c57c3fb355610

          SHA512

          94e5ae1bf69b8051854fb239063e69c6727a021021443f8eeb4f26dde25a3cc7edadc1c66f893bcc89886936972424682dc02bf5b2f06e3dd6df4eaafb79f5e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_78218197a93449cbb1e8621973cc0a79.lnk
          Filesize

          1KB

          MD5

          c9e01d82002ffb9aa803b3178dc66124

          SHA1

          0943a94ffd557702fde139c15448b7a885f702fa

          SHA256

          77e5a3603bf8c736ae8c2bfa9209e259945ff95cd810a44a71983be210a66d6b

          SHA512

          6c52953a941050dc2df1fbe203a31e71f2b2a6993012bed8ce3aa91ed5ed045d1dcbe267f67587cf1bd4e7f4986001bccb3336eb381a364b4a4d2b49edd75d36

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_9dc04a2255f34ae7944488043aea72af.lnk
          Filesize

          1KB

          MD5

          5bfcf696783171beb772b1ea0b86d2d6

          SHA1

          62d9a0debbbd5cba1c10b7c99e4b27e9973f55ce

          SHA256

          642f78a116ed65f855bce178c57bb60cd4eb635491da2f0a6d5687f17400dc88

          SHA512

          50b24801b291a94771354b7a1c5ce8dbc2ac413f6d5bcaea749989cee986fe05484d0f96ff9ecb1d7456ed73893ba195924b428222f0220ced43c895f9154a77

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\4yqBItroKdpJQ7g13X_gqZKM.exe
          Filesize

          2.0MB

          MD5

          a4aed3956f4142020f7c42873e6af07d

          SHA1

          855f5c99fa81dc4ed2487f50c2773cf79c87eafc

          SHA256

          a1a9d12374857e24fb88241356db79f47728948ae409b56f60e5d2bff0f9566a

          SHA512

          a373b30dad0f3afe6548b509a5213aa0250c468c21c3ecde79397bf9d27858f9a562bf87055c41f6d929a0b727c1bc9b073491c0f4bcf57194c4dfe2eb23d436

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\EkRTKeBHSNKeo2WUEGtuO7Lv.exe
          Filesize

          10.4MB

          MD5

          6e1953433d891db10790aafcced19b30

          SHA1

          c46581f4673f068a357b76fbe1bfd1909b81d79f

          SHA256

          af708267cf479834fbd0811c58facd377ccd0226a3733ae9f6e086813e68bcfa

          SHA512

          44a6753572ba7ece19aa3f29acda2237cd405b4cfc9f65513da357b9a72819ee95d2787e5ddbccc184b6bf73998b5d17a7456deb64c00d2639e4c9d49c346149

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\FpyQtM4RiLrXpETrJ2fo_FXO.exe
          Filesize

          547KB

          MD5

          32a74d2e5779c6054d8ada03757490b3

          SHA1

          e34c1108974bf4f0a69630e423eb8345d988d7fe

          SHA256

          49974b62aecbde0d25f7166abef73861baa9bd047ef95856eefb4a3bb764c656

          SHA512

          022f9af039d59bf74a8dd4a8e887bdeb6e99ad4535ecef3de23e4b6b53a502d67df72d9bbf4719eba05085a09f13caa828707da2fc109de6443f6744dc93a6b2

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\O0Ea6JNLqTaUCbFuFK480sxW.exe
          Filesize

          11.4MB

          MD5

          07fc5b4f3a432b09b0d51f8b00ef05f3

          SHA1

          b098b5f859f45314d5edd03aad9eab420bbdec40

          SHA256

          d65629e6028c54eb383b310547426ed1907296a14a2e8977b9d469126de1f8a9

          SHA512

          ba4c21a022ea2253f26400c7d247d1b886f29e7d2e8722d3c1545830695106168605a963e448651e7d2613545ad903f4dbd17e09e30ed2167d5e65755794c888

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\Rjuwc4Y_AEym8UYvDO4XIjvd.exe
          Filesize

          26KB

          MD5

          cdb17e17bc4e4d51fde6a4620cec014c

          SHA1

          c184c6c58a66555685be713dcd2d11e6f0af7c37

          SHA256

          b10c9d5286c17c05f587660664ab7f5723817fc98343c02c6b91ccc562e1019f

          SHA512

          acde9cf8b3ee05efe99f5bd1e096e2016f0f6f7fc196f89f6a9592480ee0afe134d4ebdb2a5c6c8782290c5da31b07f9e58cc1722a9fe4bf70d9ca05e1b2417a

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\S9E_zuKRBtLLiTnLzOiXuMPM.exe
          Filesize

          10.1MB

          MD5

          4577ea4b86da052900468e8cf8a775b8

          SHA1

          2e7d6608bb4d90a41627dc9381acb0a7704b301b

          SHA256

          2333a83bfd543d45bb945d6b879216b8505398258f2dc43571708393189419a7

          SHA512

          1fe8fe00ef8eeab0f4ee0313bb145425cec548a2769b58487ba0f32651ef02fe51bc08fa80177b498160ece1a849fb8513caada7a14214542f6ef0ccb5cab125

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\ThAVVP3o0_BoxmfVCFSxC2PZ.exe
          Filesize

          502KB

          MD5

          f8709a8399a1628382709223abe02ec9

          SHA1

          1a12ca70489ce1736f92f3256b021f8bcabe04e7

          SHA256

          203d078e2698c9e7215f49d4968cda0c17a7056970753a686af15d948977ec1e

          SHA512

          a6e6bdf9ad7c1df54cf2dc998db0d792feccb0922bf580bc05acdb975103a9fc10372cedb1942411ea69c4254e2ee60286826ac14cfc59cc9e174d932451b50a

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\WG68MMj9CsZYFhlAUnMThHi5.exe
          Filesize

          5.1MB

          MD5

          7fb844b9db3bce3572c214ac937e602f

          SHA1

          aed85a4d762521756df49396c1c9e90de1cb790b

          SHA256

          4ea672d50c3229eacc4a5b5864da02cd25cbefe8cc2b4d9e2b7b2d616611a93e

          SHA512

          5fbad67ad0628c48f6c4e0fab2944b36755d2c960209bc672a677704fb012129d12adab682b1fdaca09a07f432f99ef3a605c4841a4d722bd8f7ff4555655a45

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\jofn3zwnZjCjWt8xusRYD1cc.exe
          Filesize

          580KB

          MD5

          07ef2ce16206c30507e56eb70a8a487b

          SHA1

          d7edd7ba0bef5df88b4ad069fee3203620dd900c

          SHA256

          cb521bcf0eedc08f1e79613098dea9380b2e8bb2d7a727b9f400c3dda1ce1dc8

          SHA512

          1c75d6106300e2d9c8c93e01f23df4ac44091cdb2a34a4ad2d1b43add3403fc0993f60be35a57bb086eb7bccae9140d4be2ece8227d72fcf26f2b806269db82f

          Download Submit

        • C:\Users\Admin\Documents\iofolko5\zhr9Vkmk6r7zDBC3JtPjhNfV.exe
          Filesize

          11.3MB

          MD5

          b884d5dacd4ac3c4eba7908f3321024a

          SHA1

          11dc977173cf2a04400a6962f83623f24ea4a5d5

          SHA256

          009a220aa4d13841b9e09749de6bf74d689b01c9dd87cf8dff1c3913bac2469b

          SHA512

          7d6be676c38fdd2730abaf12bd0e5ed68991b2f8b29fbfd6754d4150f451299eb2cd51c2974bf7526af60e0d9f90c9d9176750f81c469882df33613b64fec137

          Download Submit

        • C:\Users\Public\Details.au3
          Filesize

          3B

          MD5

          ecaa88f7fa0bf610a5a26cf545dcd3aa

          SHA1

          57218c316b6921e2cd61027a2387edc31a2d9471

          SHA256

          f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

          SHA512

          37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

          Download Submit

        • C:\Users\Public\InformationCheck.exe
          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

          Download Submit

        • C:\Users\Public\ProfileDetails.ps1
          Filesize

          383B

          MD5

          a7597477b3fd067f03911945bcf7b410

          SHA1

          2dded896ba1fe6bbf4bc8f561120a49fd2b3adf7

          SHA256

          725da51af1815984ef47eded7ad62bfe6c49183782a88034e323200d1014e925

          SHA512

          83adf1b3c61ae51e38b1d6303dfb500b7f148473a3b985fc77b720d9b655abd71d1fc674530343a06b0cc7b59f6fe84c66c47a9fc140a862322018a483276080

          Download Submit

        • \Users\Admin\AppData\Local\Temp\705685\Confirmation.pif
          Filesize

          872KB

          MD5

          18ce19b57f43ce0a5af149c96aecc685

          SHA1

          1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

          SHA256

          d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

          SHA512

          a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

          Download Submit

        • \Users\Admin\Documents\iofolko5\ihZKKtkWlE9zeJ9TK4sc7Pgy.exe
          Filesize

          502KB

          MD5

          7190153d0911b484897f675396cb3b2e

          SHA1

          080c1575a72025404e2ce0b1074805e320160681

          SHA256

          4117ea0dd73f5f306ae2f976c09a4ec8b4ead662458406975f369ad55113d8c7

          SHA512

          a8f383c1976d8513494766e794d65ad40f2c5884693475828b5d185ec7092fdc25b2b92e7f41bc03e460181876f4c260524db47550232a885dc33aaae01885ff

          Download Submit

        • memory/1124-338-0x0000000001370000-0x000000000137C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1960-296-0x0000000000100000-0x000000000010C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2076-95-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2076-105-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2076-101-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2076-106-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2076-107-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2076-103-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2076-97-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2076-99-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2228-532-0x0000000000400000-0x0000000000765000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2304-281-0x0000000002810000-0x000000000281A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2304-280-0x000000001B9B0000-0x000000001B9F6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/2304-277-0x00000000027F0000-0x00000000027FE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2304-276-0x00000000022D0000-0x00000000022D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2304-275-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2304-326-0x000000001BE80000-0x000000001BEB6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2304-282-0x0000000002A10000-0x0000000002A18000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2304-288-0x000000001BE00000-0x000000001BE4E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2304-299-0x000000001BE60000-0x000000001BE70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2496-274-0x0000000000E10000-0x0000000000E1C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2524-230-0x0000000000400000-0x0000000000661000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2524-240-0x0000000000400000-0x0000000000661000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2524-232-0x0000000000400000-0x0000000000661000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2524-236-0x0000000000400000-0x0000000000661000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2524-228-0x0000000000400000-0x0000000000661000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2524-234-0x0000000000400000-0x0000000000661000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2524-239-0x0000000000400000-0x0000000000661000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2836-180-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2836-172-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2836-174-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2836-176-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2836-178-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2836-182-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2836-185-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2836-186-0x0000000000400000-0x0000000000676000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2860-531-0x0000000003970000-0x0000000003CD5000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/3048-150-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-158-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-151-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-148-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-154-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-142-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-144-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-146-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-213-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-149-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-143-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-170-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-147-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-152-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-93-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-81-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-153-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-74-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-72-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-71-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-145-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3048-200-0x00000000007F0000-0x00000000009D4000-memory.dmp

          Filesize

          1.9MB

          Download