ammyyadmin | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
619s
max time network
625s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 14:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

xworm

Version

3.0

notes-congress.gl.at.ply.gg:24370

Mutex

xfgLgucyz0P7wfhC

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

91.92.254.40:4782

192.168.43.241:4782

Mutex

56928f7b-c5c9-4b24-af59-8c509ce1d27e

Attributes

encryption_key
60574F1741A0786C827AF49C652AB3A7DA0533D1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows System
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

14.243.221.170:3322

Mutex

ynBzTukwLg8N

Attributes

delay
3
install
false
install_file
Clean.bat
install_folder
%Temp%

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:5173

Mutex

fJtDNXkZg2XmnSxFi9

Attributes

encryption_key
7Ds8HmxRNTT7TqM6R6Sm
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

redline

Botnet

duc

159.223.34.114:1912

Extracted

Family

quasar

Version

1.4.0

Botnet

Target

127.0.0.1:6070

affasdqa.ddns.net:6070

haffasdqa.duckdns.org:6070

Mutex

670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes

encryption_key
25B2622CE0635F9A273AB61B1B7D7B94220AC509
install_name
svhoste.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhoste
subdirectory
SubDir

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

newoffice

117.18.7.76:3782

Mutex

d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc

Attributes

encryption_key
FD2DE574AF7E363A5304DF85B3475F93A948C103
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Client Startup
subdirectory
SubDir

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000004ed7-166.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000016cc8-159.dat	family_xworm
behavioral1/memory/1736-161-0x0000000000F00000-0x0000000000F5A000-memory.dmp	family_xworm

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 23 IoCs

resource	yara_rule
behavioral1/files/0x0009000000018683-817.dat	family_quasar
behavioral1/memory/2752-821-0x0000000001240000-0x0000000001564000-memory.dmp	family_quasar
behavioral1/memory/2748-826-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar
behavioral1/memory/2484-878-0x00000000071D0000-0x0000000007DB2000-memory.dmp	family_quasar
behavioral1/files/0x0005000000019613-889.dat	family_quasar
behavioral1/memory/1684-893-0x0000000000820000-0x000000000086E000-memory.dmp	family_quasar
behavioral1/memory/3036-1204-0x0000000000FE0000-0x0000000001064000-memory.dmp	family_quasar
behavioral1/files/0x0006000000019c5b-1224.dat	family_quasar
behavioral1/memory/2720-1225-0x0000000000810000-0x0000000000894000-memory.dmp	family_quasar
behavioral1/memory/848-1289-0x0000000000090000-0x0000000000114000-memory.dmp	family_quasar
behavioral1/memory/376-1305-0x00000000001C0000-0x0000000000244000-memory.dmp	family_quasar
behavioral1/memory/532-1325-0x00000000011E0000-0x0000000001264000-memory.dmp	family_quasar
behavioral1/memory/2772-1371-0x0000000000100000-0x0000000000184000-memory.dmp	family_quasar
behavioral1/memory/764-1392-0x0000000000D50000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral1/memory/2328-1407-0x00000000010B0000-0x0000000001134000-memory.dmp	family_quasar
behavioral1/memory/1460-1447-0x0000000005B70000-0x0000000005E94000-memory.dmp	family_quasar
behavioral1/memory/2448-1448-0x0000000001180000-0x0000000001204000-memory.dmp	family_quasar
behavioral1/memory/2652-1468-0x0000000000180000-0x0000000000204000-memory.dmp	family_quasar
behavioral1/memory/2656-1484-0x0000000000990000-0x0000000000A14000-memory.dmp	family_quasar
behavioral1/memory/2104-1555-0x0000000001030000-0x0000000001354000-memory.dmp	family_quasar
behavioral1/memory/828-1556-0x0000000000350000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/files/0x000500000001960b-1559.dat	family_quasar
behavioral1/memory/2604-1561-0x0000000000BE0000-0x0000000000F04000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/1476-899-0x0000000000D70000-0x0000000000DC2000-memory.dmp	family_redline
behavioral1/files/0x000500000001961b-898.dat	family_redline

Redline family
redline

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001a4ec-1586.dat	family_lockbit

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x001e0000000195c5-858.dat	family_asyncrat
behavioral1/files/0x000900000001a037-1273.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	System32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	System32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	System32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	Ammyy.exe

Executes dropped EXE 51 IoCs

pid	Process
1736	XClient.exe
3012	Ammyy.exe
2196	Ammyy.exe
980	Ammyy.exe
3016	PowerRat.exe
1700	Kerish_Doctor_Windows_XP.exe
2256	Kerish_Doctor_Windows_XP.tmp
1480	yb.exe
2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2932	yb.exe
2752	Client-built.exe
2748	Client.exe
1560	TCP.exe
332	System32.exe
1684	nbothjkd.exe
1476	system32.exe
2348	icsys.icn.exe
1120	explorer.exe
772	spoolsv.exe
1196	svchost.exe
2276	spoolsv.exe
2480	svchost.exe
2708	malware.exe
3036	svhoste.exe
1996	fsyjawdr.exe
2744	Solara_Protect.exe
2720	svhoste.exe
2384	Windows.exe
848	svhoste.exe
376	svhoste.exe
532	svhoste.exe
1920	networks_profile.exe
2940	networks_profile.exe
1388	NVIDIAS.exe
2772	svhoste.exe
764	svhoste.exe
2328	svhoste.exe
1700	svhoste.exe
1460	qNVQKFyM.exe
2448	svhoste.exe
2652	svhoste.exe
2656	svhoste.exe
2104	discord.exe
828	svhoste.exe
2604	Client.exe
3024	000.exe
2116	builder.exe
2308	spoolsv.exe
2452	explorer.exe
2776	spoolsv.exe

Loads dropped DLL 45 IoCs

pid	Process
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
1700	Kerish_Doctor_Windows_XP.exe
2256	Kerish_Doctor_Windows_XP.tmp
2256	Kerish_Doctor_Windows_XP.tmp
2256	Kerish_Doctor_Windows_XP.tmp
2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
1480	yb.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
332	System32.exe
332	System32.exe
2348	icsys.icn.exe
1120	explorer.exe
772	spoolsv.exe
1196	svchost.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
1484	Process not Found
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
912	cmd.exe
2484	4363463463464363463463463.exe
2172	Process not Found
1920	networks_profile.exe
2940	networks_profile.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
1196	svchost.exe
2452	explorer.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000019611-874.dat	themida
behavioral1/memory/332-879-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/files/0x0005000000019619-891.dat	themida
behavioral1/memory/332-908-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/memory/2348-913-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/files/0x0006000000019622-920.dat	themida
behavioral1/memory/1120-925-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/files/0x0006000000019625-935.dat	themida
behavioral1/memory/772-940-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/memory/772-957-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/memory/2348-959-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/memory/332-961-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/memory/1120-963-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida
behavioral1/memory/1120-1589-0x0000000000400000-0x0000000000FE2000-memory.dmp	themida

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 9 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\X:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com
68	raw.githubusercontent.com
140	raw.githubusercontent.com
141	raw.githubusercontent.com
238	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
89	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper	000.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
3016	PowerRat.exe
332	System32.exe
2348	icsys.icn.exe
1120	explorer.exe
772	spoolsv.exe
1196	svchost.exe
2276	spoolsv.exe
1996	fsyjawdr.exe
2308	spoolsv.exe
2452	explorer.exe
2776	spoolsv.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kerish Doctor\unins000.dat	Kerish_Doctor_Windows_XP.tmp
File created	C:\Program Files (x86)\Kerish Doctor\is-EFQFJ.tmp	Kerish_Doctor_Windows_XP.tmp
File opened for modification	C:\Program Files (x86)\Kerish Doctor\unins000.dat	Kerish_Doctor_Windows_XP.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	System32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1164	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kerish_Doctor_Windows_XP.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVIDIAS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbothjkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qNVQKFyM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kerish_Doctor_Windows_XP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsyjawdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara_Protect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2136	PING.EXE
2524	PING.EXE
1300	PING.EXE
2532	PING.EXE
184	PING.EXE
1864	PING.EXE
2396	PING.EXE
2572	PING.EXE
1992	PING.EXE
1504	PING.EXE
2364	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2832	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1488	taskkill.exe
1836	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253378e747e813ab36b	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14710c68a0f55477d9530eeb72ef19d9389e471687f7af0f26a2a7d96df5f65024fc8c3dbe4ae16aa37593531f4752336c8eaf6ee0df9da60d2ca751dcc1fb371de76a27fd3eca3106d2be	Ammyy.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Explorer.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	malware.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	malware.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
1864	PING.EXE
2136	PING.EXE
2524	PING.EXE
1992	PING.EXE
2532	PING.EXE
184	PING.EXE
2396	PING.EXE
2572	PING.EXE
1300	PING.EXE
1504	PING.EXE
2364	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1188	schtasks.exe
2104	schtasks.exe
2052	schtasks.exe
900	schtasks.exe
300	schtasks.exe
2636	schtasks.exe
2864	schtasks.exe
3052	schtasks.exe
992	schtasks.exe
2404	schtasks.exe
2536	schtasks.exe
2000	schtasks.exe
1384	schtasks.exe
1716	schtasks.exe
2240	schtasks.exe
2032	schtasks.exe
1696	schtasks.exe
2332	schtasks.exe
1548	schtasks.exe
2804	schtasks.exe
444	schtasks.exe
756	schtasks.exe
2792	schtasks.exe
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	Kerish_Doctor_Windows_XP.tmp
2256	Kerish_Doctor_Windows_XP.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
332	System32.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1120	explorer.exe
1196	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	4363463463464363463463463.exe
Token: SeDebugPrivilege	1736	XClient.exe
Token: SeDebugPrivilege	1736	XClient.exe
Token: 33	2628	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2628	AUDIODG.EXE
Token: 33	2628	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2628	AUDIODG.EXE
Token: SeDebugPrivilege	2752	Client-built.exe
Token: SeDebugPrivilege	2748	Client.exe
Token: SeDebugPrivilege	1684	nbothjkd.exe
Token: SeDebugPrivilege	2480	svchost.exe
Token: SeDebugPrivilege	3036	svhoste.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2720	svhoste.exe
Token: SeDebugPrivilege	2744	Solara_Protect.exe
Token: SeDebugPrivilege	2384	Windows.exe
Token: SeDebugPrivilege	848	svhoste.exe
Token: SeDebugPrivilege	376	svhoste.exe
Token: SeDebugPrivilege	532	svhoste.exe
Token: SeDebugPrivilege	2772	svhoste.exe
Token: SeDebugPrivilege	764	svhoste.exe
Token: SeDebugPrivilege	2328	svhoste.exe
Token: SeDebugPrivilege	1700	svhoste.exe
Token: SeDebugPrivilege	1460	qNVQKFyM.exe
Token: SeDebugPrivilege	2448	svhoste.exe
Token: SeDebugPrivilege	2652	svhoste.exe
Token: SeDebugPrivilege	2656	svhoste.exe
Token: SeDebugPrivilege	2104	discord.exe
Token: SeDebugPrivilege	828	svhoste.exe
Token: SeDebugPrivilege	2604	Client.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe
Token: SeShutdownPrivilege	2848	WMIC.exe
Token: SeDebugPrivilege	2848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2848	WMIC.exe
Token: SeRemoteShutdownPrivilege	2848	WMIC.exe
Token: SeUndockPrivilege	2848	WMIC.exe
Token: SeManageVolumePrivilege	2848	WMIC.exe
Token: 33	2848	WMIC.exe
Token: 34	2848	WMIC.exe
Token: 35	2848	WMIC.exe
Token: SeShutdownPrivilege	1900	Explorer.exe
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
980	Ammyy.exe
2256	Kerish_Doctor_Windows_XP.tmp
1900	Explorer.exe
1900	Explorer.exe
1900	Explorer.exe
1900	Explorer.exe
1900	Explorer.exe
1900	Explorer.exe
1900	Explorer.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
980	Ammyy.exe
1900	Explorer.exe
1900	Explorer.exe
1900	Explorer.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2860	fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
2748	Client.exe
332	System32.exe
332	System32.exe
1684	nbothjkd.exe
2348	icsys.icn.exe
2348	icsys.icn.exe
1120	explorer.exe
1120	explorer.exe
772	spoolsv.exe
772	spoolsv.exe
1196	svchost.exe
1196	svchost.exe
2276	spoolsv.exe
2276	spoolsv.exe
1996	fsyjawdr.exe
2720	svhoste.exe
848	svhoste.exe
376	svhoste.exe
532	svhoste.exe
2772	svhoste.exe
764	svhoste.exe
2328	svhoste.exe
1700	svhoste.exe
1460	qNVQKFyM.exe
2448	svhoste.exe
2652	svhoste.exe
2656	svhoste.exe
828	svhoste.exe
2604	Client.exe
3024	000.exe
3024	000.exe
2308	spoolsv.exe
2308	spoolsv.exe
2452	explorer.exe
2452	explorer.exe
2776	spoolsv.exe
2776	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1736	2484	4363463463464363463463463.exe	31
PID 2484 wrote to memory of 1736	2484	4363463463464363463463463.exe	31
PID 2484 wrote to memory of 1736	2484	4363463463464363463463463.exe	31
PID 2484 wrote to memory of 1736	2484	4363463463464363463463463.exe	31
PID 2484 wrote to memory of 3012	2484	4363463463464363463463463.exe	33
PID 2484 wrote to memory of 3012	2484	4363463463464363463463463.exe	33
PID 2484 wrote to memory of 3012	2484	4363463463464363463463463.exe	33
PID 2484 wrote to memory of 3012	2484	4363463463464363463463463.exe	33
PID 2196 wrote to memory of 980	2196	Ammyy.exe	35
PID 2196 wrote to memory of 980	2196	Ammyy.exe	35
PID 2196 wrote to memory of 980	2196	Ammyy.exe	35
PID 2196 wrote to memory of 980	2196	Ammyy.exe	35
PID 2484 wrote to memory of 3016	2484	4363463463464363463463463.exe	38
PID 2484 wrote to memory of 3016	2484	4363463463464363463463463.exe	38
PID 2484 wrote to memory of 3016	2484	4363463463464363463463463.exe	38
PID 2484 wrote to memory of 3016	2484	4363463463464363463463463.exe	38
PID 2484 wrote to memory of 1700	2484	4363463463464363463463463.exe	39
PID 2484 wrote to memory of 1700	2484	4363463463464363463463463.exe	39
PID 2484 wrote to memory of 1700	2484	4363463463464363463463463.exe	39
PID 2484 wrote to memory of 1700	2484	4363463463464363463463463.exe	39
PID 2484 wrote to memory of 1700	2484	4363463463464363463463463.exe	39
PID 2484 wrote to memory of 1700	2484	4363463463464363463463463.exe	39
PID 2484 wrote to memory of 1700	2484	4363463463464363463463463.exe	39
PID 1700 wrote to memory of 2256	1700	Kerish_Doctor_Windows_XP.exe	40
PID 1700 wrote to memory of 2256	1700	Kerish_Doctor_Windows_XP.exe	40
PID 1700 wrote to memory of 2256	1700	Kerish_Doctor_Windows_XP.exe	40
PID 1700 wrote to memory of 2256	1700	Kerish_Doctor_Windows_XP.exe	40
PID 1700 wrote to memory of 2256	1700	Kerish_Doctor_Windows_XP.exe	40
PID 1700 wrote to memory of 2256	1700	Kerish_Doctor_Windows_XP.exe	40
PID 1700 wrote to memory of 2256	1700	Kerish_Doctor_Windows_XP.exe	40
PID 2256 wrote to memory of 1480	2256	Kerish_Doctor_Windows_XP.tmp	41
PID 2256 wrote to memory of 1480	2256	Kerish_Doctor_Windows_XP.tmp	41
PID 2256 wrote to memory of 1480	2256	Kerish_Doctor_Windows_XP.tmp	41
PID 2256 wrote to memory of 1480	2256	Kerish_Doctor_Windows_XP.tmp	41
PID 2256 wrote to memory of 1480	2256	Kerish_Doctor_Windows_XP.tmp	41
PID 2256 wrote to memory of 1480	2256	Kerish_Doctor_Windows_XP.tmp	41
PID 2256 wrote to memory of 1480	2256	Kerish_Doctor_Windows_XP.tmp	41
PID 2256 wrote to memory of 2756	2256	Kerish_Doctor_Windows_XP.tmp	42
PID 2256 wrote to memory of 2756	2256	Kerish_Doctor_Windows_XP.tmp	42
PID 2256 wrote to memory of 2756	2256	Kerish_Doctor_Windows_XP.tmp	42
PID 2256 wrote to memory of 2756	2256	Kerish_Doctor_Windows_XP.tmp	42
PID 2256 wrote to memory of 2756	2256	Kerish_Doctor_Windows_XP.tmp	42
PID 2256 wrote to memory of 2756	2256	Kerish_Doctor_Windows_XP.tmp	42
PID 2256 wrote to memory of 2756	2256	Kerish_Doctor_Windows_XP.tmp	42
PID 2756 wrote to memory of 2860	2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe	44
PID 2756 wrote to memory of 2860	2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe	44
PID 2756 wrote to memory of 2860	2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe	44
PID 2756 wrote to memory of 2860	2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe	44
PID 2756 wrote to memory of 2860	2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe	44
PID 2756 wrote to memory of 2860	2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe	44
PID 2756 wrote to memory of 2860	2756	fe481e02-0f2a-455e-bd53-88e6728ccaed.exe	44
PID 1480 wrote to memory of 2932	1480	yb.exe	46
PID 1480 wrote to memory of 2932	1480	yb.exe	46
PID 1480 wrote to memory of 2932	1480	yb.exe	46
PID 1480 wrote to memory of 2932	1480	yb.exe	46
PID 1480 wrote to memory of 2932	1480	yb.exe	46
PID 1480 wrote to memory of 2932	1480	yb.exe	46
PID 1480 wrote to memory of 2932	1480	yb.exe	46
PID 2484 wrote to memory of 2752	2484	4363463463464363463463463.exe	47
PID 2484 wrote to memory of 2752	2484	4363463463464363463463463.exe	47
PID 2484 wrote to memory of 2752	2484	4363463463464363463463463.exe	47
PID 2484 wrote to memory of 2752	2484	4363463463464363463463463.exe	47
PID 2752 wrote to memory of 2636	2752	Client-built.exe	48
PID 2752 wrote to memory of 2636	2752	Client-built.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\Files\PowerRat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PowerRat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_Windows_XP.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_Windows_XP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\is-V6TI6.tmp\Kerish_Doctor_Windows_XP.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-V6TI6.tmp\Kerish_Doctor_Windows_XP.tmp" /SL5="$301C0,33350357,805376,C:\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_Windows_XP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\yb.exe
      "C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\yb.exe" --partner 697304 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\yb.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\yb.exe --stat dwnldr/p=697304/fail=1
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\fe481e02-0f2a-455e-bd53-88e6728ccaed.exe
      "C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\fe481e02-0f2a-455e-bd53-88e6728ccaed.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\is-5A308.tmp\fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5A308.tmp\fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp" /SL5="$20286,32073403,64512,C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\fe481e02-0f2a-455e-bd53-88e6728ccaed.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2860
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2636
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2748
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:444
- C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\Files\System32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\System32.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:332
- - \??\c:\users\admin\appdata\local\temp\files\system32.exe
    c:\users\admin\appdata\local\temp\files\system32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1476
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2348
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1120
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:772
      - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:49 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:50 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:51 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:52 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:53 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1900
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        
        PID:3064
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        
        PID:2072
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        
        PID:2312
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        
        PID:2684
    - - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        5⤵
        
        PID:2908
- C:\Users\Admin\AppData\Local\Temp\Files\nbothjkd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\nbothjkd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1684
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\nbothjkd.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1716
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\Files\malware.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\malware.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command Expand-Archive "tor-win32-0.3.4.9.zip" " TorFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /K TorFiles\tor\tor.exe --nt-service --HTTPTunnelPort 8118
    3⤵
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\Files\svhoste.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svhoste.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhoste.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1188
- - C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2720
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1696
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tG1oVEjjnPng.bat" "
      4⤵
      PID:920
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1768
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1864
    - - C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:848
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NTXioVKXQ52s.bat" "
        6⤵
        
        PID:2620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\njkHVpelMWw2.bat" "
        8⤵
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2792
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zDKZ0bvw69tJ.bat" "
        10⤵
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rZ6jv7boBS44.bat" "
        12⤵
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\46a3anobk9pe.bat" "
        14⤵
        
        PID:604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3CW8rYiN8W59.bat" "
        16⤵
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\H08hl8kjIxUD.bat" "
        18⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Js2rUnomwXxF.bat" "
        20⤵
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\R1RGM26tCuoG.bat" "
        22⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:184
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hk7EIg3d5Bdl.bat" "
        24⤵
        
        PID:1500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XvcTxjDdRLAB.bat" "
        26⤵
        
        PID:3012
- C:\Users\Admin\AppData\Local\Temp\Files\fsyjawdr.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fsyjawdr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\Files\Solara_Protect.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Solara_Protect.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA4D7.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\Windows.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2384
- C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\Files\NVIDIAS.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NVIDIAS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\Files\qNVQKFyM.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\qNVQKFyM.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:900
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2604
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1384
- C:\Users\Admin\AppData\Local\Temp\Files\000.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\000.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:1748
- C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"
  2⤵
  - Executes dropped EXE
  PID:2116

C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe" -service -lunch
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:980

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b0
1⤵
PID:2728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
89eedb291bed9be2226d65bcc340d90e

SHA1
5fb7b023a1c961dc0dd9ae0d417bbbb82a12e356

SHA256
d8dffd345590bfb1aff8d41b0421339a236c807ab6c0f0fc97657b889068bb72

SHA512
29596e0fc3f21eabb8ccbef0941b0381264cd80ebb0bc55d8c43bd26359348638d9d7a2b664047eeae71660776d0fe7a54209cd2999cbc23d4fdea324c5d0266

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
806348b22c6dd26c61181c48cfc5f642

SHA1
03250b1f532729f9912db0ff027dca6f1cfbe8dc

SHA256
a49e5e3965cc5c43f9487f4520f13834527a6c1dbd1493d7788a9957319738d4

SHA512
3629509f317f48111fc18689b7f4c64406faea051455aae00e6cf0b9f733f70f2a19c31c847bfad7039c80fde9658f58ee509fe2dafcde8f941ad5e0dd1c42e0

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
307B

MD5
f795d65e68db37483dc74e692495e0b5

SHA1
e021c93cc3604b1b8fe1b0fe9de76bc68fa529ae

SHA256
812d72aab775a459c3a30e847c5a6dec7eb6772e81ea65e09e4ca08b89e08787

SHA512
4573e027414e4c25b4e7419bdad607f93c642f4acec6a66db05bc54fcc6593dba9c34059ab6d5b1bec71b4a3fe5b369513656302776a6f3b2691c3ef61ab3e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69c1482effacac93a70b44ac67fdb135

SHA1
dece5d2365a67a12adae6d97d872e506448899fc

SHA256
78a10d0edfc7d8eae5bc1d41e8b1b0cd1aa1f41d54ee020d1f5ef1c748b10d2b

SHA512
d5ef9d75c78dcd3ac904e0593987466357dd6b8308de7ca34b38039ba217d44819e5b51cdbfe1a7e15dbd3edcf00d3850b7436fde1f04e61bbc82e8194b32a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c957b78fb26cac8406c32e008d716866

SHA1
7642b09111213a251035ac763f5ea91dc435a35f

SHA256
2d560470ae8f3e6d661a7f2d7462907fca8e7db973ff6961a6c590ccd43886a5

SHA512
c34bdef421255906048f2910b4875d57e816cae4459eaa01791483ac3ffdc07479388944300b4637dc8a1323d20237fd0324b2ef6b83d6fe4cbe3c0bbb56acc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb68e67e517af6d7baa5793305a35d99

SHA1
ffd419833aa5bbe8a86afac0b3371db932c90665

SHA256
3d3d27bcc62ab945bead14fde93cc39b6f930883921b1f3c2e0c081e70be3b86

SHA512
a09066790ef4287482fe68a1e0504bbabda737e3892c986af78ef96eca28115285cc53474e5bd65eacba88cc0351db712435b808c74c5ffd735c113d0406e412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82607e954d21ffc1794057586477e4be

SHA1
e9d91e23969e9836fc2e06e5e3078cfc7930830a

SHA256
382f5a8778654148c5866a02b95b27c67887dbce90e05b8de7d1a2a2dd3f7586

SHA512
94f1d0f34b58febfcb3e741d233b6351df5ba07a7ab28d2b2132e4fcabad7010737eca1d4c6b2328f411e97fd421081a6c20e6e3865de00e893066ce33d200a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
871e3e7c1d82bb964ebbcc28dc2e916b

SHA1
483fd82373fe95b41f639f9fe486c062c8afab90

SHA256
92d4a7afe03bc5e35552ff5b6d1e03b1fc138d2b2c86d608b574e24f8554242d

SHA512
8f6bb04b2cf5c9a55535bf0dc3fd275dca371cd141f4c7dc5c3d0430d75902a6aa02049e846fb36c257152cc23cf1e49695e62168ecf7d98b5eb5fe371cb131e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcf0df88352ee86cbab90af9d409920f

SHA1
832c497c060d050825af9ba8144b084c6367606f

SHA256
1ddb567766b7a75d68dd319a55c626addd312b8c3ffd0fd1b1766e78cf6d56b4

SHA512
51e451b346c1ae1e520a432fa9e3da17358984f1dc0ac83e5c22045098f128b76a796e5c09d267383073b7623e5bfde494e55cf6021f1a996c7a2410b5431138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\YandexPackSetup[1]

Filesize
10.2MB

MD5
72adca482c5a3344fc97e6dad581a3fd

SHA1
75b7802a90230f2f148fa8bd279c59c1fb8ddae7

SHA256
b6df4a1ae75c122bf785a01b620b4d0b6e8d2f12d726020fd3f663c34145df59

SHA512
926329a9bd72d0b6a492808f897aedad1bf571bd43fd9fb6fc85a4f9987aa7b6e12e694476974b8a24874c48b18525702bad9734d4449d13807431db4fdf7e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CW8rYiN8W59.bat

Filesize
208B

MD5
d4b54373531c70ad8e1b6693f05feeb0

SHA1
42613d384f5644d3441a0d46e29df4a421230baf

SHA256
0c71395f8edf514e6abdcb588397eda5dd6a4730bb47443f28f7a554a9733109

SHA512
f496943d9d14fbd72cfa3ca55875bf62bad92cdc28d59e09382d224d6ff7b053948174d7ea5871bf527f5a8a52423b10e163fcfd5a1b199487bcfbbd37ceb43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\46a3anobk9pe.bat

Filesize
208B

MD5
9b829e02267fe46cac2b7fef9a0a4fba

SHA1
a4fa022036f742700ae3177189800a131b0a5107

SHA256
6d302117286f3fb73cd0608ca00213f1a296abcfa7a911eb9e669a9e8b8a32b5

SHA512
c5cc40d7471a1a11414423eb8c0e83fe6b3b497a0c5a7277b97943889bde0d81970da0a62fa6b9cdb5b983531b5bd8ad0dd3fb38b0787db46f3ad41d1dcc8043

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB0F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PowerRat.exe

Filesize
463KB

MD5
f8a989ff9bf3894acb35c791d053cbec

SHA1
afb3cf59d939b5be709ed23d8b424987e618dbe4

SHA256
d417caa99ea8b4f00e4a6cc324a7901dbfddc0dbe19de513bcf4e84ceac90d21

SHA512
8dc32c1c7b408dcb8c95838d96ee711acf6157ae54fb44c1f07834eeec9618977ebdbb134e27c2663593b3372d4855146f5e24f4df7ffdd6f5028c0818cdf01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
334KB

MD5
4b336f0e5c5b9d47feef5cbe4a9d6f31

SHA1
235b9e56ca1507b235b54afd72ad2039507c6be9

SHA256
48ab21dbd847648c04854b28fb65d3ddb32da1e23e5e15dae21988735fca8f98

SHA512
59348a0375a091a725b636658d14766cb3fb687975690d4a74b5a9ac6b68883f853d43d796882c8d0263634ab20ff61acfe55a5896319da83a416adf74be06dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fsyjawdr.exe

Filesize
1.2MB

MD5
75fd2eb14bbf23564f73e2898036d772

SHA1
e29a3b16797552eda08e4407404754d104a7893d

SHA256
d65c30e0a68cb621e9ee353783c6c5083456fb3b7e632a05fa75921af51a3d2c

SHA512
c0506b3d97f5108435cab7ec731923b1f7fbbde95ec72096a91c6ed1d6123c3708297a885de76b0dcbb4f8b0e1a3bda06b9fbb948f7fa98a1e3318b76851109e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nbothjkd.exe

Filesize
288KB

MD5
42f1ecb6f9e2f73bb66e84e5f8ca4fb4

SHA1
51aa8b14ec657171aab0dd13fb87c8e915073d08

SHA256
2a700406a42a06541dfee93faa1079b51c7a899e3cffcbc31390473852d7e5cc

SHA512
207162c793e58d702f9474cdfbc4738eaec2e23ad66636a706ad7f8de4f82ae136dc884d5c6f9acb35f3370c8402bd9e3d5572063def33d469b2398e0ac4c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\H08hl8kjIxUD.bat

Filesize
208B

MD5
22e5a075187b99c0f68a7eb4638a5e4c

SHA1
d852194d6d4600485831b51581fb7acec2b9c0ae

SHA256
10b11529dfc148f4dcdd410d5c7eff67260f0c4cce596a5e0866f0f54eb77c1c

SHA512
da7c3923aeb302180d84b8aadf146ac0e5e0186d8d82c65352a9fbe0f643e7e72240a8c5f8fe06c46d84537df46e3c618ca3403ebc82b8e27b67658004056dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hk7EIg3d5Bdl.bat

Filesize
208B

MD5
7dbe9d97513f8d1420c99417f35ce922

SHA1
92910bb5d9b3524878fe2120d4b83ffaece94227

SHA256
f96ab42113da869ee63aaababbdf204a3cf2ecd4911d9f5baf39a92c4958f356

SHA512
96345440fba6285f044d10bf7bc3662a4dd6968cb97c8851f5c6c7fb3c0e8260f40e4c613ce069e5fc80fa824dce4cb9f485b7aeac2f29d31e4bf9ce7654b551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Js2rUnomwXxF.bat

Filesize
208B

MD5
d0670cab1491554ae4a1f92ba42768cb

SHA1
5708edd709c9e5cae5d965636e3c60e3ca8cd728

SHA256
b6d300cc00718f75b044105c5c1d0e016b2f857383d8337b02664715a9d6168e

SHA512
5769af75ec1c01a535aeb759f5afe11d4812f0d01cb3578d9246b645bfd61b8bcc376371c059d9fe53996aeaca1482bb1c11d4ea38ebb439da462bab4376499a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTXioVKXQ52s.bat

Filesize
208B

MD5
71f4e8e0f364b05626b20f690c9a007c

SHA1
98efec7caed9ad1eee9af5dd247b22ca04b72bbd

SHA256
88a260506c6a62f45b7020ef76cee148589acdb0b2748b0f38fd31f1098dca35

SHA512
425b110f324534680af1f7cd8fafde9b9ca2aeb695d2ec3971c33080e43d44444e40ed1f3a05ff20490e8abf5adc5fac1d192f7478fa358dfe54adcc7b85dd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\R1RGM26tCuoG.bat

Filesize
208B

MD5
70383a6d454ad5f247e473cfa8d3027d

SHA1
6fcfe07cbd6f54a0d3ea782905e35026f2def581

SHA256
8e38173ec42da1a04a32be3662823bfb753592a15dcecedabd748d7e92151bfe

SHA512
a18d729b2caf86baf5943cbaf94248c5e36083db6ed424d7849657f4c182c9dbd2109afbf5a92b8b252cfc83064ed366b572bf12213acfc59f064de746d494f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB11C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
63KB

MD5
9eb074e0713a33f7a6e499b0fbf2484c

SHA1
132ca59a5fb654c3d0794f92f05eaf43e3a7af94

SHA256
519f3ceedba4471f3d5178451c1007911145fb6eaf4e259a2c29b8e3483dabb1

SHA512
367fbbf6f058ef21367e329c8b0373d482c9c97dfbb42a67b17c9b1dc1d0139ae879c8ddb87b0960c5545746610d2c5690343abb458818c2dea9dbca66f39794

Download Submit
C:\Users\Admin\AppData\Local\Temp\XvcTxjDdRLAB.bat

Filesize
208B

MD5
38b987cef8fefc1ac28086c7be55b659

SHA1
6b02f5a8f666a8e782453ba0c8eeac8ce3e54502

SHA256
9afe1ca2fc903056e2401dc3ec2d420914d8e2d424d72504899c18014e8ffcd2

SHA512
438e829e8d1f6e49ff597bda2b9bc43f6194a88fbe1f30d909a41fb3b3e231992aa3c009356f1a87a17a6121aaa6888fbcadf8732b60bfdbdd0d3ff9eb726ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\fe481e02-0f2a-455e-bd53-88e6728ccaed.exe

Filesize
30.9MB

MD5
9caba83c6a8f41a82eb4d10ff41cd571

SHA1
0f70e0d0b83d2be7de46d2907e89856c9493f95d

SHA256
901503fd14bb222ab332722421bf02e7f533eee647dba5fbb0dda33e5e171f37

SHA512
ba8b86d5660eb10369dc584fc92c74be14e7f02ac3559b4c1be0fe8db94de69108aca5868c7d24e8dd7d9362794a098ceb3c949fd59905388d2fbe66abe9bb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\njkHVpelMWw2.bat

Filesize
208B

MD5
d17842dd0dec51178f8e20fdc266f267

SHA1
902cf5cf6478b70e6ed207bd35c6bff7ef807d6b

SHA256
64a63ba59390df6765e7e23b0c4745366d3c4a45b3f4edcc6a0842888bcbc4b5

SHA512
1ff756ecf0d293dba4950e426fd8f6bf8f694369348c9a7cb097455e857f0d28bea6908517d8d0e6576561566f10431fc7828c4b9fd71f4917b4ab816b8a6f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZ6jv7boBS44.bat

Filesize
208B

MD5
b81189b1ca14b2344636820c8ed3d7cd

SHA1
9b81f09c429287320546ad5fd71a9bce11fd4163

SHA256
8f668a1fe28bc0ae964f31c763ca06c9d168d19a73eaf758300cc60b0dc244ef

SHA512
637748a769892748973c7c74da976fd8a089432e6ef63b1381660171a27d18d4fb1b1b6c4947c83c5774b70d7a8a766f59addd27e65739fb4e4ba8abbe93c127

Download Submit
C:\Users\Admin\AppData\Local\Temp\tG1oVEjjnPng.bat

Filesize
208B

MD5
c7d9c28d334b554d58deca38e19ce7be

SHA1
29c21c7da86d88c69a1ef0cefc8cb0013cd7658d

SHA256
dd7192a63fd5f2495d3eebf5b2837253e35815fa6418419b6eebc49f20b34dcb

SHA512
35ed1b20e784081a6c14456a951389ee081127d56eeb3f69d4f3d1d91b10c4f2dea544f4355f368d5b76858e69be04e8fac0b38170d17d571b08d9c13cf08e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4D7.tmp.bat

Filesize
154B

MD5
e483502976c87695666eda85a9c89d97

SHA1
7c11f19486a02eeb4989c630b5a6279e4a78b76b

SHA256
8462790f1713671b0e01f8a0c089d3660eac0884bcf3fb11aa16418f1ea2cfb0

SHA512
499e8ec6eb0304628d9427f7877c4fe6cef8b3336c44d7c8f3cf88b2f45399fd4c5ba1ad8d71e388b714274153bffd8fbf948dfa9b2f7b56ae570665c64018ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDKZ0bvw69tJ.bat

Filesize
208B

MD5
fafef87ca6cedd2cff33540b1e3bb952

SHA1
39265f9e9af4737536065dad1b2a404b884fdaef

SHA256
08e5ec8d95cac80230732ebd553605567dafdfb4d01ad99212a2a9e576fe94b2

SHA512
2ed5cb9766d67390bb78b2cf59da372a3eb9b88e2ba081611ae24b6f5e696b19d9c37d422c44f77a29868aa920ae774a5c00723a32bf124f0275b9f0212d9fa8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
6a0bb84dcd837e83638f4292180bf5ab

SHA1
20e31ccffe1ac806e75ea839ea90b4c91e4322c5

SHA256
e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4

SHA512
d0d61815c1ca73e4d1b8d5c3ea61e0572bfa9f6e984247b8e66c22e5591d61f766c6476c2686ce611917a56f2d4d8b8ddb4efcdbed707855e4190a2404eedcc5

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe

Filesize
502KB

MD5
a9c9735f6e34482c1cdd09e347a98787

SHA1
6214e43cdc3fd17978955abf9c01a8d8c3ea791e

SHA256
533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

SHA512
084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
5.0MB

MD5
6a696257bd624ea0cdde713ff447b134

SHA1
fa17806195d1fb5a2077a7d43827f58832d57c35

SHA256
c2234864d3687f6eb397fc0fe4c81d2c54dbcf74161ab38b48a1150df753c573

SHA512
b49ac9b20ab4f1c8b7793f1c007ee7985f9c11c0c5c67cf99436f22275efca504a20480a0d6cf52c793060eb78f090a66d33a5f37bffe678591b16a55d7d94ae

Download Submit
\??\c:\users\admin\appdata\local\temp\files\system32.exe

Filesize
300KB

MD5
c368cb0e4cc65cbdc012e449de37d973

SHA1
ae04d634ff3078e1912dc71d44c893c1dd47c399

SHA256
57a8157689acab60874b086408091b4369f3f5f9d62bcc306c9e77ff9f3c5b7e

SHA512
e823a91ee1f8901ebc844d16ed1c585bd78fcf6fa143433649c1295f3724ddd29679949ec7b97485505b259e4ce7d012948f971451f0bde6b525cc915e3ed18a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe

Filesize
748KB

MD5
3b4ed97de29af222837095a7c411b8a1

SHA1
ea003f86db4cf74e4348e7e43e4732597e04db96

SHA256
74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

SHA512
2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
6efb136f01bd7beeec9603924b79f5d0

SHA1
8794dd0e858759eea062ebc227417f712a8d2af0

SHA256
3ad07a1878c8b77f9fc0143d8f88c240d8d0b986d015d4c0cd881ad9c0d572e1

SHA512
102ca624f0fefff74f4e9a6d5a173861b3887f24e608245370adabc11cd385805ed18f5208ab5a33f05131a42edf04d234b146184e954e9d83f40b8149353548

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_Windows_XP.exe

Filesize
32.7MB

MD5
2a2cd98d2b3ccf19e0802f13c7bf7a6e

SHA1
0e6b8f163ccb4cf2907ac7d43f7ed62d83eb93ee

SHA256
769ee91047d5a9e79db96b9cb4d9310278c40918a2eccf147451db97391f5319

SHA512
9553c62eecb17dad0f3f31670ea90b722dc456d10a0f478b3a0cfa7e4b669e85002029a309ea0b5421ffe741df13975b4ee25fdb486b34458379a33c1b3b35d4

Download Submit
\Users\Admin\AppData\Local\Temp\Files\System32.exe

Filesize
5.3MB

MD5
d4817ea043beaf35d19fa6a5adaa179c

SHA1
bf5c75100142731e737c04b55769c4479bef0c01

SHA256
da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d

SHA512
98d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277

Download Submit
\Users\Admin\AppData\Local\Temp\Files\TCP.exe

Filesize
45KB

MD5
f127aef5829703426ff8399a76c1852c

SHA1
17e72d081ceb20119abe7bef8c640d5db48276f6

SHA256
6907ab3a0f4e69bf6dcb8c03a18bd8402afa701ade8863a0e15808614ffb1b17

SHA512
c3125920567b59119b86e284ed96c3860b1998f9d6b6078b5c2a18aa6b4c56274124fd2f77710bbbf972a6387ef20cb4a5d19c96be2131fb02f6d5692c2384c0

Download Submit
\Users\Admin\AppData\Local\Temp\is-5A308.tmp\fe481e02-0f2a-455e-bd53-88e6728ccaed.tmp

Filesize
911KB

MD5
aa7c1fe493a562c91f69607015620441

SHA1
dd93cdc63f76a1fd9cfd6469a92c70056432a0da

SHA256
7d10b8e42072ee79ed2aff4ebea63cf6da352b559ab8adb240c858bcf2a68901

SHA512
3bb313ea015b65e53691d998e2b07bf0160f5ee9085bd835281351ac29efeb094302bfcbe2daf958f7b449ce5d5dd6ec63b8593373b31834541b08edb558f6c5

Download Submit
\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
\Users\Admin\AppData\Local\Temp\is-PJ15M.tmp\yb.exe

Filesize
203KB

MD5
b9314504e592d42cb36534415a62b3af

SHA1
059d2776f68bcc4d074619a3614a163d37df8b62

SHA256
c60c3a7d20b575fdeeb723e12a11c2602e73329dc413fc6d88f72e6f87e38b49

SHA512
e50adb690e2f6767001031e83f40cc067c9351d466051e45a40a9e7ff49049e35609f1e70dd7bb4a4721a112479f79090decca6896deac2680e7d107e3355dae

Download Submit
\Users\Admin\AppData\Local\Temp\is-V6TI6.tmp\Kerish_Doctor_Windows_XP.tmp

Filesize
3.1MB

MD5
82d64dcf24952bbed7f525f14b7b9930

SHA1
29352ed94f63e547e032b8a5128bbdc7fb4420cf

SHA256
fed1b907d2e5ff80f8010749e901fcedd3015cb72d9fa355612f90b972f5d04b

SHA512
0008b12ea57209fbc2b4ae7ee6f30d4413072032200b1b1dc82361e1a73a803da4a18b6aeff5dd74ab91c3d7f276f4f779c5e76653d7ea7cde64862008f497e4

Download Submit
\Users\Admin\AppData\Local\Temp\is-VH0F0.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-VH0F0.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
\Users\Admin\AppData\Local\Temp\is-VH0F0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
5.6MB

MD5
e8c5d89ca292ebd9aea6ba98792af038

SHA1
38de9ee579e08e04ab8bdcfe2fd7a3bbe3f8e5ce

SHA256
6d6f01c5bdcc0dcfdbb3d585854412da59b9d90d08c3386c47bc3871a8139b86

SHA512
fc297bd96e999e0eabd3f26fcf67b22f384059e117fc2613c5dce8b7af3fc3402aa16f57be412f5b5f2bd02e16b207413f97821224836a4976f8993c06215572

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
5.6MB

MD5
b508ef48fac9962a029e885b451c9cb3

SHA1
2c57e5a43486e2098d552a6027b649ba0429f648

SHA256
b2a0d961cfc223bb96a156a1edf85f5c2948b0fb655b6b6a8e8f01da4a54777e

SHA512
ad3adad5fbb47d12c9b3a6eee13a66f9db570dbe2dd2cc702b285577169b644fda9f7129966d8cd579dfa2de02216cfa3dbcbb1562d3805554b57df3f16b15a1

Download Submit
memory/332-961-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/332-879-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/332-908-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/376-1305-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/532-1325-0x00000000011E0000-0x0000000001264000-memory.dmp

Filesize
528KB

Download
memory/764-1392-0x0000000000D50000-0x0000000000DD4000-memory.dmp

Filesize
528KB

Download
memory/772-940-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/772-957-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/828-1556-0x0000000000350000-0x00000000003D4000-memory.dmp

Filesize
528KB

Download
memory/848-1289-0x0000000000090000-0x0000000000114000-memory.dmp

Filesize
528KB

Download
memory/1120-1589-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/1120-925-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/1120-938-0x0000000003A10000-0x00000000045F2000-memory.dmp

Filesize
11.9MB

Download
memory/1120-963-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/1164-1210-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1164-1211-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1388-1354-0x0000000001010000-0x0000000001308000-memory.dmp

Filesize
3.0MB

Download
memory/1460-1447-0x0000000005B70000-0x0000000005E94000-memory.dmp

Filesize
3.1MB

Download
memory/1476-899-0x0000000000D70000-0x0000000000DC2000-memory.dmp

Filesize
328KB

Download
memory/1560-863-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1684-893-0x0000000000820000-0x000000000086E000-memory.dmp

Filesize
312KB

Download
memory/1700-200-0x00000000010D0000-0x00000000011A3000-memory.dmp

Filesize
844KB

Download
memory/1700-215-0x00000000010D0000-0x00000000011A3000-memory.dmp

Filesize
844KB

Download
memory/1736-161-0x0000000000F00000-0x0000000000F5A000-memory.dmp

Filesize
360KB

Download
memory/2104-1555-0x0000000001030000-0x0000000001354000-memory.dmp

Filesize
3.1MB

Download
memory/2256-216-0x00000000001C0000-0x00000000004F2000-memory.dmp

Filesize
3.2MB

Download
memory/2256-239-0x00000000001C0000-0x00000000004F2000-memory.dmp

Filesize
3.2MB

Download
memory/2328-1407-0x00000000010B0000-0x0000000001134000-memory.dmp

Filesize
528KB

Download
memory/2348-959-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/2348-924-0x0000000003C80000-0x0000000004862000-memory.dmp

Filesize
11.9MB

Download
memory/2348-913-0x0000000000400000-0x0000000000FE2000-memory.dmp

Filesize
11.9MB

Download
memory/2384-1282-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/2448-1448-0x0000000001180000-0x0000000001204000-memory.dmp

Filesize
528KB

Download
memory/2484-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2484-2-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-905-0x00000000071D0000-0x0000000007DB2000-memory.dmp

Filesize
11.9MB

Download
memory/2484-1-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/2484-878-0x00000000071D0000-0x0000000007DB2000-memory.dmp

Filesize
11.9MB

Download
memory/2484-162-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2484-2451-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-163-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-1561-0x0000000000BE0000-0x0000000000F04000-memory.dmp

Filesize
3.1MB

Download
memory/2652-1468-0x0000000000180000-0x0000000000204000-memory.dmp

Filesize
528KB

Download
memory/2656-1484-0x0000000000990000-0x0000000000A14000-memory.dmp

Filesize
528KB

Download
memory/2720-1225-0x0000000000810000-0x0000000000894000-memory.dmp

Filesize
528KB

Download
memory/2744-1223-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download
memory/2748-826-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download
memory/2752-821-0x0000000001240000-0x0000000001564000-memory.dmp

Filesize
3.1MB

Download
memory/2756-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-1371-0x0000000000100000-0x0000000000184000-memory.dmp

Filesize
528KB

Download
memory/2860-306-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2860-284-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-262-0x00000000074F0000-0x000000000780A000-memory.dmp

Filesize
3.1MB

Download
memory/2860-264-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2860-265-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-266-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-267-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2860-268-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-269-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-270-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2860-271-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-272-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-273-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2860-274-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-275-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-276-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2860-277-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-278-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-279-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2860-280-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-281-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-282-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2860-283-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-285-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2860-286-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-287-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-288-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2860-289-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-290-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-291-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2860-292-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-293-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-294-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2860-295-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-296-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-297-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2860-298-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-299-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-300-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2860-301-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-302-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-303-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2860-304-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-307-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-308-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-309-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2860-310-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-311-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-312-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2860-313-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-314-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-305-0x00000000026E0000-0x0000000002820000-memory.dmp

Filesize
1.2MB

Download
memory/2860-258-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/3016-193-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3016-192-0x0000000000230000-0x00000000002F0000-memory.dmp

Filesize
768KB

Download
memory/3024-1570-0x00000000002D0000-0x000000000097E000-memory.dmp

Filesize
6.7MB

Download
memory/3036-1204-0x0000000000FE0000-0x0000000001064000-memory.dmp

Filesize
528KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads