bdaejec | d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
Size

2.7MB
MD5

37b5c009c69a10a13cc9a566bfd59207
SHA1

9d5fb6faa35f0ebeea941e2f206fa463a73fd1b5
SHA256

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3
SHA512

b008c035c3db830143d702f719001436c137d90a330c4666171173ec839c177b5eacb62cdc158287c0df14f58b22d902bd5090eb0c4bbc6179f1f3584a69216a
SSDEEP

49152:K5yaUm6/qD9dDqnroHO0ksLzZmLXpO9q+0Ollh1d2HObA3:K5zX9cnsHXLzZcZy0Orhf2Hv

Score

10^/10

bdaejec aspackv2 backdoor discovery spyware stealer

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2800-80-0x0000000000130000-0x0000000000139000-memory.dmp	family_bdaejec_backdoor

Drops file in Drivers directory 1 IoCs

Processes:

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\QFHoBh.exe	aspack_v212_v242

Executes dropped EXE 6 IoCs

Processes:

MicrosoftWindows.exeQFHoBh.exeMicrosoft Windows.exeQFHoBh.exeMicrosoft Windows.exeQFHoBh.exe

pid process

2812 MicrosoftWindows.exe
2800 QFHoBh.exe
2124 Microsoft Windows.exe
2316 QFHoBh.exe
2660 Microsoft Windows.exe
2992 QFHoBh.exe

pid	process
2812	MicrosoftWindows.exe
2800	QFHoBh.exe
2124	Microsoft Windows.exe
2316	QFHoBh.exe
2660	Microsoft Windows.exe
2992	QFHoBh.exe

Loads dropped DLL 30 IoCs

Processes:

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exeMicrosoftWindows.exeQFHoBh.exeMicrosoft Windows.exeQFHoBh.exeMicrosoft Windows.exeWerFault.exeQFHoBh.exe

pid	process
1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
2812	MicrosoftWindows.exe
2812	MicrosoftWindows.exe
2812	MicrosoftWindows.exe
2812	MicrosoftWindows.exe
2812	MicrosoftWindows.exe
2800	QFHoBh.exe
2800	QFHoBh.exe
2800	QFHoBh.exe
2124	Microsoft Windows.exe
2124	Microsoft Windows.exe
2124	Microsoft Windows.exe
2124	Microsoft Windows.exe
2124	Microsoft Windows.exe
2316	QFHoBh.exe
2316	QFHoBh.exe
2316	QFHoBh.exe
2124	Microsoft Windows.exe
2660	Microsoft Windows.exe
2660	Microsoft Windows.exe
2660	Microsoft Windows.exe
2660	Microsoft Windows.exe
2660	Microsoft Windows.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
2992	QFHoBh.exe
2992	QFHoBh.exe
2992	QFHoBh.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe

description	ioc	process
File opened (read-only)	\??\Q:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\T:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\X:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\H:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\M:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\N:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\I:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\B:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\E:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\G:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\O:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\R:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\U:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\Y:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\A:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\J:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\K:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\V:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\W:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\Z:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\L:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\P:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
File opened (read-only)	\??\S:	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe

Drops file in System32 directory 1 IoCs

Processes:

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe

description ioc process

File created C:\Windows\SysWOW64\MicrosoftWindows.exe d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MicrosoftWindows.exe	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe

Drops file in Program Files directory 64 IoCs

Processes:

QFHoBh.exeMicrosoftWindows.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	QFHoBh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	QFHoBh.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	QFHoBh.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Zpaxhu\Microsoft Windows.exe	MicrosoftWindows.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	QFHoBh.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	QFHoBh.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	QFHoBh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

824 2124 WerFault.exe Microsoft Windows.exe

pid	pid_target	process	target process
824	2124	WerFault.exe	Microsoft Windows.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

QFHoBh.exed9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exeMicrosoftWindows.exeQFHoBh.execmd.exeWScript.execmd.exeIEXPLORE.EXEd9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.execmd.exeMicrosoft Windows.exeQFHoBh.exeMicrosoft Windows.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QFHoBh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QFHoBh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QFHoBh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Windows.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438304297"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D9DDC31-A790-11EF-999E-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies data under HKEY_USERS 6 IoCs

Processes:

QFHoBh.exeQFHoBh.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	QFHoBh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	QFHoBh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	QFHoBh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	QFHoBh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	QFHoBh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	QFHoBh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exeMicrosoftWindows.exeMicrosoft Windows.exe

pid	process
1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
2812	MicrosoftWindows.exe
2124	Microsoft Windows.exe
2812	MicrosoftWindows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Microsoft Windows.exe

description pid process

Token: SeDebugPrivilege 2124 Microsoft Windows.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2416 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2416 iexplore.exe
2416 iexplore.exe
2404 IEXPLORE.EXE
2404 IEXPLORE.EXE
2404 IEXPLORE.EXE
2404 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	2124	Microsoft Windows.exe

pid	process
2416	iexplore.exe

pid	process
2416	iexplore.exe
2416	iexplore.exe
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exed9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exeMicrosoftWindows.exeQFHoBh.exeMicrosoft Windows.exeQFHoBh.exeMicrosoft Windows.exe

description	pid	process	target process
PID 3040 wrote to memory of 1340	3040	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
PID 3040 wrote to memory of 1340	3040	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
PID 3040 wrote to memory of 1340	3040	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
PID 3040 wrote to memory of 1340	3040	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
PID 1340 wrote to memory of 2812	1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	MicrosoftWindows.exe
PID 1340 wrote to memory of 2812	1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	MicrosoftWindows.exe
PID 1340 wrote to memory of 2812	1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	MicrosoftWindows.exe
PID 1340 wrote to memory of 2812	1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	MicrosoftWindows.exe
PID 1340 wrote to memory of 2812	1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	MicrosoftWindows.exe
PID 1340 wrote to memory of 2812	1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	MicrosoftWindows.exe
PID 1340 wrote to memory of 2812	1340	d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe	MicrosoftWindows.exe
PID 2812 wrote to memory of 2800	2812	MicrosoftWindows.exe	QFHoBh.exe
PID 2812 wrote to memory of 2800	2812	MicrosoftWindows.exe	QFHoBh.exe
PID 2812 wrote to memory of 2800	2812	MicrosoftWindows.exe	QFHoBh.exe
PID 2812 wrote to memory of 2800	2812	MicrosoftWindows.exe	QFHoBh.exe
PID 2812 wrote to memory of 2800	2812	MicrosoftWindows.exe	QFHoBh.exe
PID 2812 wrote to memory of 2800	2812	MicrosoftWindows.exe	QFHoBh.exe
PID 2812 wrote to memory of 2800	2812	MicrosoftWindows.exe	QFHoBh.exe
PID 2800 wrote to memory of 1640	2800	QFHoBh.exe	cmd.exe
PID 2800 wrote to memory of 1640	2800	QFHoBh.exe	cmd.exe
PID 2800 wrote to memory of 1640	2800	QFHoBh.exe	cmd.exe
PID 2800 wrote to memory of 1640	2800	QFHoBh.exe	cmd.exe
PID 2800 wrote to memory of 1640	2800	QFHoBh.exe	cmd.exe
PID 2800 wrote to memory of 1640	2800	QFHoBh.exe	cmd.exe
PID 2800 wrote to memory of 1640	2800	QFHoBh.exe	cmd.exe
PID 2124 wrote to memory of 2316	2124	Microsoft Windows.exe	QFHoBh.exe
PID 2124 wrote to memory of 2316	2124	Microsoft Windows.exe	QFHoBh.exe
PID 2124 wrote to memory of 2316	2124	Microsoft Windows.exe	QFHoBh.exe
PID 2124 wrote to memory of 2316	2124	Microsoft Windows.exe	QFHoBh.exe
PID 2124 wrote to memory of 2316	2124	Microsoft Windows.exe	QFHoBh.exe
PID 2124 wrote to memory of 2316	2124	Microsoft Windows.exe	QFHoBh.exe
PID 2124 wrote to memory of 2316	2124	Microsoft Windows.exe	QFHoBh.exe
PID 2316 wrote to memory of 1224	2316	QFHoBh.exe	cmd.exe
PID 2316 wrote to memory of 1224	2316	QFHoBh.exe	cmd.exe
PID 2316 wrote to memory of 1224	2316	QFHoBh.exe	cmd.exe
PID 2316 wrote to memory of 1224	2316	QFHoBh.exe	cmd.exe
PID 2316 wrote to memory of 1224	2316	QFHoBh.exe	cmd.exe
PID 2316 wrote to memory of 1224	2316	QFHoBh.exe	cmd.exe
PID 2316 wrote to memory of 1224	2316	QFHoBh.exe	cmd.exe
PID 2124 wrote to memory of 2660	2124	Microsoft Windows.exe	Microsoft Windows.exe
PID 2124 wrote to memory of 2660	2124	Microsoft Windows.exe	Microsoft Windows.exe
PID 2124 wrote to memory of 2660	2124	Microsoft Windows.exe	Microsoft Windows.exe
PID 2124 wrote to memory of 2660	2124	Microsoft Windows.exe	Microsoft Windows.exe
PID 2124 wrote to memory of 2660	2124	Microsoft Windows.exe	Microsoft Windows.exe
PID 2124 wrote to memory of 2660	2124	Microsoft Windows.exe	Microsoft Windows.exe
PID 2124 wrote to memory of 2660	2124	Microsoft Windows.exe	Microsoft Windows.exe
PID 2812 wrote to memory of 2128	2812	MicrosoftWindows.exe	WScript.exe
PID 2812 wrote to memory of 2128	2812	MicrosoftWindows.exe	WScript.exe
PID 2812 wrote to memory of 2128	2812	MicrosoftWindows.exe	WScript.exe
PID 2812 wrote to memory of 2128	2812	MicrosoftWindows.exe	WScript.exe
PID 2812 wrote to memory of 2128	2812	MicrosoftWindows.exe	WScript.exe
PID 2812 wrote to memory of 2128	2812	MicrosoftWindows.exe	WScript.exe
PID 2812 wrote to memory of 2128	2812	MicrosoftWindows.exe	WScript.exe
PID 2124 wrote to memory of 824	2124	Microsoft Windows.exe	WerFault.exe
PID 2124 wrote to memory of 824	2124	Microsoft Windows.exe	WerFault.exe
PID 2124 wrote to memory of 824	2124	Microsoft Windows.exe	WerFault.exe
PID 2124 wrote to memory of 824	2124	Microsoft Windows.exe	WerFault.exe
PID 2124 wrote to memory of 824	2124	Microsoft Windows.exe	WerFault.exe
PID 2124 wrote to memory of 824	2124	Microsoft Windows.exe	WerFault.exe
PID 2124 wrote to memory of 824	2124	Microsoft Windows.exe	WerFault.exe
PID 2660 wrote to memory of 2992	2660	Microsoft Windows.exe	QFHoBh.exe
PID 2660 wrote to memory of 2992	2660	Microsoft Windows.exe	QFHoBh.exe
PID 2660 wrote to memory of 2992	2660	Microsoft Windows.exe	QFHoBh.exe
PID 2660 wrote to memory of 2992	2660	Microsoft Windows.exe	QFHoBh.exe

C:\Users\Admin\AppData\Local\Temp\d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
"C:\Users\Admin\AppData\Local\Temp\d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
  "C:\Users\Admin\AppData\Local\Temp\d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe" Master
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\MicrosoftWindows.exe
    "C:\Windows\System32\MicrosoftWindows.exe" C:\Users\Admin\AppData\Local\Temp\d9a4f54c662d3aec62bb01cde6af3f54c0a028add5bd3200543f085f771e00b3.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\QFHoBh.exe
      C:\Users\Admin\AppData\Local\Temp\QFHoBh.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1aa7755e.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\1270.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2128
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.35my.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2416
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2404

C:\Program Files (x86)\Microsoft Zpaxhu\Microsoft Windows.exe
"C:\Program Files (x86)\Microsoft Zpaxhu\Microsoft Windows.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\TEMP\QFHoBh.exe
  C:\Windows\TEMP\QFHoBh.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\TEMP\40166a11.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- C:\Program Files (x86)\Microsoft Zpaxhu\Microsoft Windows.exe
  "C:\Program Files (x86)\Microsoft Zpaxhu\Microsoft Windows.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\TEMP\QFHoBh.exe
    C:\Windows\TEMP\QFHoBh.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\TEMP\4f134729.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 420
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1270.vbs

Filesize
500B

MD5
db6d4ab31c682c46ff351e92753a8a09

SHA1
99e4945e61c87d7b547f65e9001265ec9a55aa7d

SHA256
ede31ad2241c0a027f9b4296a9181862782b54a93ff47357725e66cd6f9a6312

SHA512
1f72e46ef5414d08e137e7cd6a482099e1a5e3c540dfccedfa214e188474929b4e535c39f39ccfb5ca958d218ba0a02f4dd45b288f4ea905cd22be6f063aa06d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
80f15fab6493126a732144c71ddef638

SHA1
7bc47059d839864b44c85c147a95dd2fdf74c4ec

SHA256
3e9d00d39c5a7e0d6888ef2388fdc3b1dc673300d9ab0be96c55ff42c84131e9

SHA512
542338a7b62b261cca7f6009ba1a99a373e3f50bcc744ff602858a8083d88c36715332c4f858eca177b9e9dded17b15d14e4510b7971b6b4e36fc53221f2f409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
908b4d73efcbef95dc9c43704b16666c

SHA1
3cdbc07d80552d109c46c044b5138d0b42bf37d9

SHA256
1d81a6cb73d721908601f0b6a6e2d3bb911f55698ed4442ae71393ecde1517ae

SHA512
5e3f4eb441872f1ba03e3ae337c382cad9d65ee656f48446effdfd10fcbf751174ad681ea020f34b2abe00b7597c3db2a16e3bf1571550e1bea0179b54e508b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bdfa847eef10d79ac837498af892af0

SHA1
94e7ce9822a7e040f3a7de2adb9d018dd469fe43

SHA256
30570ca894a5433c20e2b262ad7d03df23fb60501e732411ea1d1d75acfea803

SHA512
ac12b57497010048524a8b163d028207a2da71a836410fb0aa42cc72d043177fa910f5c6a8864cee4ba493ecd2105864ccee42175e71c8a066f84a5ee9236aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ad7593192b88f56b6ff26d5df152f5e

SHA1
8df846416da9e3826eba13307ced757c88cb2dff

SHA256
01af49dc5073380ec44dec529792d589f75e2c139276d91a8ca0f6efa4b5e6c5

SHA512
ff50b42a6202766cc5615f5388a4db311542926aadb446581ef87dfc19db690dacf7bd0a9e21c063123e85a93b1faec74e288921c9ffc3ac6e814008671c37fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bfd079f97d448e5448c2bfe49c00b17

SHA1
8337ba5eb54cfb47cd23fa3dc178a951fa93bd84

SHA256
22eb35235bdcc4dcafccd7499f9d94dd6c4d7b410b8042daec1496bb8b65ac3d

SHA512
50013b4c8a4b45882ba7ee456c23405e1cf5e5c796ec2689c2badd67bb4b050931e3866c53616bb85e57b7102530eb35b198c617cfe7c283d36ffa768ffdad62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a48cf897396defcc414c67198d62fbdd

SHA1
96ecac5e7fc53c3d479ed2a3854e80d7ceb18165

SHA256
62792ccb3488702127737b75265671a2dbd3a1d8e81800df4f38ae54d913f8ba

SHA512
e43f82819397de6c00a9662798f4e26c1af8a7d1f9327d13c1b8bf22434678b482cf2b0ac120f756a4db45a1cb85dea371dfaf41c6c23fb8ae68e3e3af1164c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4b1b25fa4d18eb1184e238bf5da5f82

SHA1
a917a134de30d276a4ba57f672db447c6ae23bb9

SHA256
39bc956fb98158e568c3ad6d77ca22d53ea56439543d20b2fd2665853e88505a

SHA512
233a5c8d27a77f5452393b7ce8a93e60a5eaecf12938e5040c9a0d6d51cd198aa86fbb3e722115b3f64e3ea7869889fa6e6e4c4f23a6850efd55c64961eb2c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2a870316ac5415f777b531d67a1249b

SHA1
82465b0de20ac6f5f7c21d2dd52ec5922d50931a

SHA256
f074545e969a57a7107ccfc558d13288fcee44d32dc352eaa8c66541a278d225

SHA512
107c788e119ef2c9ab1fc59f2df853d15c98b4237a9ca92b560297bf238e9c55c2035553e7d9c0147fc7b6887725a88ebdf6336f306409e3f63a2c693f9c52af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74d50cea48ab327189af123ea29ef610

SHA1
cab9dc255921bdd9a52c845e2bdaa28fd905a563

SHA256
e6357775495b7184651d7064834f43e9d3f95dc3befee62ba7ec36ec3a613f39

SHA512
17e65ac4d29e21b4e1145f4503dbe32a48de60c167da1f38444e3e6c8406966616517709dab2403079dfbdd3bc014057989321f446bca2cdb968b76763d6d498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d720815e5611bdc05f0496dac887f9c7

SHA1
411915209e3d98fa3237a229f40a481350eaf7e8

SHA256
60673be7746a882036c38dfcf8610b2cf128eff01d58c21654a5b3796c404144

SHA512
d5167f0682d0fa1501dbb4560a97a323af70fe716b2bbff501a607f6829e9c647a8975fe1a7884d956a830ea6453b7a49f3208620b5edf5b4472be568c6f6c07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d6c8dcfa1647d410bd824a04e406b7f

SHA1
82d740afc9647a180777efb3965eed819fefa345

SHA256
d08e71f785d189d7878db898ea3466bf48bba64cdcf9a35190fc8be3b20461f2

SHA512
d1f240c7ff4dedbdb96f7d1882bf3aeea071a50b286ff42a38e9e58452c1ba52017827d7b3f08a1f6a496f4e2e1e6226efb4ac3050d1fd69a0ae020eefa92a48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edfa02ee9e9e43f19d822b76c17ac8e7

SHA1
29bd0b7ad4d48df99afb021f9af414ee603214d8

SHA256
c54da76e1af891812c56df3465ee087ded21471fc87d3b8a2edb57e21300caee

SHA512
901b9ba71083f5d7c70954ef45cb7eedced3d2e66486925a392c18281aaa56b9d2c494ce7e6c74b797b2173eba63356434fba06bcc7a0f61f7b4443a4fe96d54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3181e0aee0f95f359ba64e266bfc62e4

SHA1
500e6608364e8844cb4560b7df71d285a7c1dc69

SHA256
85bfc50dbac67127d66b98b6fbe321d3a1727a2690d68d53506c3750da959233

SHA512
954294e98d83fd3b0fc1850dd84f66e8814faac7ce01af1ef0ea7dad4b5010434c5cbcaafa07d5309f0cca4eb3518f1e042dd5df1c09f3b436e999d7d4fc3090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9744fc220f926ba668186cfe235bf76

SHA1
5a211f7263b874db7bfc144da242bf6d19db9ef8

SHA256
91e0787ed8970c8c373f2dfeed19345ee88eae31aac6e32824e082e5990488ed

SHA512
e8d627436d372ccc370f2f3a0408bfa290e187bf2c9f22e514daf77955e2a00d3924311bb88dd870680de0013f7b607ce499a647e00df56c255a06f983f7a3e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b146825d82d1deb0c5a4ab7f83f3865

SHA1
7806a66ba3df158a59cfbee339a637dd367fd0de

SHA256
d556b1474baf80a12314c7ee6263f3123f4cd1630e4a108eb8d404a342e1ddb3

SHA512
46405c914ad47ad080d5166f0308ef032f45a8d13b10ce5524d6ebea11bccef60fa485bacfd828e6e324899f101d51bb28d3f32d05d22cb1f48c68e3fd4c3d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c3e047e63cd4e22ff0daf9ca171b660

SHA1
d6fc9ecdd3e3a8b30488bc54ab07a59354c28f30

SHA256
9b9870dd7a9ee4c71f18f319b3dc65f3e056c08ef586094edbde9bf7761db2e7

SHA512
efd93e111fcb9496922ddbc7969125c08640e752665632ab52ac0b465cf5c423c2a863b01ca7ead01d239e61137fd1190172283b01ddd27a9aac162f9f2bfd16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5d52e53bf19f202ca6e34b4b42678bcf

SHA1
541c1c3bc470c39a1ca47e7c9e0a1c815b714a9f

SHA256
5738b4667c50eae10df0608b7db1bc5e75b6bea024de84e278f97fd31c75b5b7

SHA512
f8018980ecc76815dee4afc44ff06caf32a2dd659088d3237a0b4a74e954103a4a65f3aa6226065130de63f7e064af184109c098667ee00ca37cc8b5b9b05f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
16KB

MD5
e0f21360fd68a30b58421280afa2c6f9

SHA1
74062845bb85bc5d6a5036851ae27d004f261555

SHA256
0bca4d1578c36f69ea6d62d70f4a3be098a8f0f9398ffa30f9315f761a3aeade

SHA512
b78c71ad60dd003f6e0497fd009628e75bfa93385b2b986b90e9badc9d8e2aff9d14cfb9634b79e7799debc4db173e76c930772f02ba667864b011039ca783d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\favicon[1].ico

Filesize
16KB

MD5
49a6303c76e070fc2435e7cde915a4f4

SHA1
cb9173836ac64e866fefe09d30c0f0afefbdab57

SHA256
a3aaff7b12d1614278a0baaba23e90826399aecdb2e1910c86e00c456b9ebb6d

SHA512
5677f41e8ded8ab6b8f4bc5952b3941ddaef5e96b0da5fc9c5ea8007e75d98319cec6d878834cbd84873be4e87b09914015deb010baa5a9b2bfd04d5f8853dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aa7755e.bat

Filesize
187B

MD5
29d04d5ae9ccf9c6725eb691db8cdd3f

SHA1
d1e5bc07549de8691f624bf3ea933cd2bbc216e7

SHA256
5925c688f723f4ddf3f0e1f8005779393ac02157d04e3339dc9c1431b47c14f4

SHA512
f72762993eb306b6602ee1abdb196152acc30bae161d20926ef6e182528dc0ce8179ff7dfc7e05430709e55b3319bb40969d91aca709b0994a5d0586c15aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\253456F6.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4B06.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4B19.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\40166a11.bat

Filesize
133B

MD5
0917e986853b157c1b9d0e161e43c171

SHA1
352c72964480fa908bfc0e44a2707d198ab89d72

SHA256
a2329c9141d356771ea63190dcaafb3fe2f1b6cbf58912e17b464dde7c2413c3

SHA512
2f3300063695fc3bc73bd8934f6ecb6d702f993bc1663f8664b25cecf446ea455bf3ea1209317d2aea13329e9f251cee1d766c5dd1e150109896677b10ded3cc

Download Submit
C:\Windows\Temp\4f134729.bat

Filesize
133B

MD5
1c31223e77ef583328590ed5b576bf27

SHA1
7e842f75af4af44e11e41411047bf694f18f7391

SHA256
d29491356b547913d57619c8fa7294c8014c36108076ccf3a093e0e456e50e22

SHA512
764b946c5b1352d0513b6e722e531530520f534daa75912c5bf2f96e33525aa1462e6acdb041a421f935ba06fe41fd5612396de1ba5ad6dd52257d0585e4b05b

Download Submit
\Users\Admin\AppData\Local\Temp\QFHoBh.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Windows\SysWOW64\MicrosoftWindows.exe

Filesize
203KB

MD5
44ac4d8a1dd1c157c2cc064df56c1708

SHA1
ec82794ec83453d400a79df923a1b65a5507d243

SHA256
3b5acacb66902a70cdd388ae3e084e1e0c3f233a2be6c5636cd143acd0f671b1

SHA512
b4bfc3775be5847c6467bb5f4630187557fc126a30686374095c0bc6a0fc93dd4cfd9739f02ac8af260f1e84c4d6174d7dfa36df56ba6b7d13af189b799b04e9

Download Submit
memory/1340-82-0x0000000003950000-0x0000000003A9A000-memory.dmp

Filesize
1.3MB

Download
memory/1340-10-0x0000000003950000-0x0000000003A9A000-memory.dmp

Filesize
1.3MB

Download
memory/1340-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1340-179-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/1340-178-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/1340-173-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/2124-88-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2124-98-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2124-101-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/2124-100-0x0000000000260000-0x00000000003AA000-memory.dmp

Filesize
1.3MB

Download
memory/2124-170-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2124-171-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2316-119-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/2316-102-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/2316-109-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2316-108-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2316-107-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2660-177-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-176-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-175-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-141-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/2660-142-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-143-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-144-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-146-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-651-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/2660-130-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-174-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-140-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/2660-652-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/2800-30-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2800-80-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2800-35-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2800-36-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2812-27-0x0000000000B90000-0x0000000000CDA000-memory.dmp

Filesize
1.3MB

Download
memory/2812-83-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2812-129-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2812-28-0x0000000000270000-0x0000000000279000-memory.dmp

Filesize
36KB

Download
memory/2812-17-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2812-12-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2992-160-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2992-169-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/2992-159-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2992-158-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2992-147-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/3040-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download