raccoon | 46fc72077df7ddc1d3e744d3ebf8e48fb1814e242694970c1c5c3481b696a4b1

Target

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
Size

179KB
MD5

2a0c06cec3ab6b1f26e0f6574f25f0cc
SHA1

048a78112e33d2c9baf547b9481b0d9a6afefc30
SHA256

46fc72077df7ddc1d3e744d3ebf8e48fb1814e242694970c1c5c3481b696a4b1
SHA512

bcca037c7a126f60e118e67b9e5910271caed2af17b012055bbf8aac27c328713f25fea7a3d9ce6605de5a3c5125951711ef21eaa9a621d982833571864c93cc

Score

10^/10

raccoon redline smokeloader vidar 1 471c70de3b4f9e4d493e418d1f60a90659057de0 936 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Extracted

Family

redline

Botnet

135.181.123.52:52101

Extracted

Family

vidar

Version

Botnet

936

https://lenak513.tumblr.com/

Attributes

profile_id
936

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4656-192-0x00000000049E0000-0x0000000004A71000-memory.dmp	family_raccoon
behavioral1/memory/4188-238-0x0000000000000000-mapping.dmp	family_raccoon
behavioral1/memory/4188-239-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral1/memory/4188-241-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1196-246-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/1196-247-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1540 created 4656 1540 WerFault.exe 117F.exe
PID 2088 created 1940 2088 WerFault.exe explorer.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata

description	pid	process	target process
PID 1540 created 4656	1540	WerFault.exe	117F.exe
PID 2088 created 1940	2088	WerFault.exe	explorer.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2464-276-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/2464-278-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

E0.exe527.exe97D.exeE03.exeF2C.exe117F.exe1336.exehhhhhhhhhhh.exewinappmgr.exe527.exe1336.exe97D.exe

pid	process
4456	E0.exe
5084	527.exe
3204	97D.exe
480	E03.exe
1104	F2C.exe
4656	117F.exe
1184	1336.exe
4680	hhhhhhhhhhh.exe
824	winappmgr.exe
4188	527.exe
1196	1336.exe
2464	97D.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 3 IoCs

Processes:

527.exe

pid process

4188 527.exe
4188 527.exe
4188 527.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4188	527.exe
4188	527.exe
4188	527.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hhhhhhhhhhh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Application Manager = "C:\\Users\\Admin\\Windows Application Manager\\winappmgr.exe"	hhhhhhhhhhh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

utilman.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_0AFC7597BD6F4013B7AD2DEB31626D61.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_0AFC7597BD6F4013B7AD2DEB31626D61.dat	utilman.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe527.exe1336.exe97D.exe

description	pid	process	target process
PID 5008 set thread context of 1432	5008	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 5084 set thread context of 4188	5084	527.exe	527.exe
PID 1184 set thread context of 1196	1184	1336.exe	1336.exe
PID 3204 set thread context of 2464	3204	97D.exe	97D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1944 4656 WerFault.exe 117F.exe
4664 1940 WerFault.exe explorer.exe

pid	pid_target	process	target process
1944	4656	WerFault.exe	117F.exe
4664	1940	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe97D.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	97D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	97D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4668 timeout.exe
500 timeout.exe

pid	process
4668	timeout.exe
500	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1092 taskkill.exe

pid	process
1092	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

sihclient.exeutilman.exeLogonUI.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioOutput	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Persist Language Model Adaptation = "0"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\DataFile = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\Attributes\Language = "409"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "73"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\PhoneMap = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\LangDataPath = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\CLSID = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	utilman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\CortanaVoice = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Revision = "1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lookup\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish\CLSID = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Version = "11.0"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\VoicePath = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\German\ = "German Phone Converter"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\Language = "1033"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\VendorPreferred	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\TextNorm	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\Version = "11.0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\Attributes\SharedPronunciation	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\SampleText = "You have selected %1 as the default voice."	utilman.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\ = "Japanese Phone Converter"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\CortanaVoiceGender = "1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Models\1033\ = "L1033"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Age = "Adult"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\French\ = "French Phone Converter"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\Vendor = "Microsoft"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\DataFile = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Quick Actions\Pinned	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\TTS_MS_EN-US_DAVID_11.0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese\Attributes\Language = "804"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\German\CLSID = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Vendor = "Microsoft"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_CURRENT_USER	utilman.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\Attributes\SampleText = "You have selected %1 as the default voice."	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\ = "Microsoft David - English (United States)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\SharedPronunciation	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Language = "409"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\Attributes\VAEngineType = "SW"	utilman.exe

Modifies registry class 5 IoCs

Processes:

hhhhhhhhhhh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	hhhhhhhhhhh.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

winappmgr.exe

pid process

824 winappmgr.exe
824 winappmgr.exe

pid	process
824	winappmgr.exe
824	winappmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

pid	process
1432	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
1432	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208

Suspicious behavior: LoadsDriver 9 IoCs

Processes:

pid

4
4
4
4
4
4
4
4
4
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

pid process

1432 2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208

pid
4
4
4
4
4
4
4
4
4

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LogonUI.exeWerFault.exe527.exe1336.exe1336.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3572	LogonUI.exe
Token: SeCreatePagefilePrivilege	3572	LogonUI.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeRestorePrivilege	1944	WerFault.exe
Token: SeBackupPrivilege	1944	WerFault.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeDebugPrivilege	5084	527.exe
Token: SeDebugPrivilege	1184	1336.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeDebugPrivilege	1196	1336.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3572	LogonUI.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

LogonUI.exeE0.exeutilman.exe

pid process

3572 LogonUI.exe
4456 E0.exe
3984 utilman.exe
3572 LogonUI.exe

pid	process
3572	LogonUI.exe
4456	E0.exe
3984	utilman.exe
3572	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exeWerFault.exeWerFault.exeE03.exehhhhhhhhhhh.exe

description	pid	process	target process
PID 5008 wrote to memory of 1432	5008	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 5008 wrote to memory of 1432	5008	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 5008 wrote to memory of 1432	5008	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 5008 wrote to memory of 1432	5008	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 5008 wrote to memory of 1432	5008	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 5008 wrote to memory of 1432	5008	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 3208 wrote to memory of 4456	3208		E0.exe
PID 3208 wrote to memory of 4456	3208		E0.exe
PID 3208 wrote to memory of 4456	3208		E0.exe
PID 3208 wrote to memory of 5084	3208		527.exe
PID 3208 wrote to memory of 5084	3208		527.exe
PID 3208 wrote to memory of 5084	3208		527.exe
PID 3208 wrote to memory of 3204	3208		97D.exe
PID 3208 wrote to memory of 3204	3208		97D.exe
PID 3208 wrote to memory of 3204	3208		97D.exe
PID 3208 wrote to memory of 480	3208		E03.exe
PID 3208 wrote to memory of 480	3208		E03.exe
PID 3208 wrote to memory of 480	3208		E03.exe
PID 3208 wrote to memory of 1104	3208		F2C.exe
PID 3208 wrote to memory of 1104	3208		F2C.exe
PID 3208 wrote to memory of 1104	3208		F2C.exe
PID 3208 wrote to memory of 4656	3208		117F.exe
PID 3208 wrote to memory of 4656	3208		117F.exe
PID 3208 wrote to memory of 4656	3208		117F.exe
PID 3208 wrote to memory of 1184	3208		1336.exe
PID 3208 wrote to memory of 1184	3208		1336.exe
PID 3208 wrote to memory of 1184	3208		1336.exe
PID 1540 wrote to memory of 4656	1540	WerFault.exe	117F.exe
PID 1540 wrote to memory of 4656	1540	WerFault.exe	117F.exe
PID 3208 wrote to memory of 1940	3208		explorer.exe
PID 3208 wrote to memory of 1940	3208		explorer.exe
PID 3208 wrote to memory of 1940	3208		explorer.exe
PID 3208 wrote to memory of 1940	3208		explorer.exe
PID 3208 wrote to memory of 4648	3208		explorer.exe
PID 3208 wrote to memory of 4648	3208		explorer.exe
PID 3208 wrote to memory of 4648	3208		explorer.exe
PID 2088 wrote to memory of 1940	2088	WerFault.exe	explorer.exe
PID 2088 wrote to memory of 1940	2088	WerFault.exe	explorer.exe
PID 480 wrote to memory of 4680	480	E03.exe	hhhhhhhhhhh.exe
PID 480 wrote to memory of 4680	480	E03.exe	hhhhhhhhhhh.exe
PID 480 wrote to memory of 4680	480	E03.exe	hhhhhhhhhhh.exe
PID 3208 wrote to memory of 5036	3208		explorer.exe
PID 3208 wrote to memory of 5036	3208		explorer.exe
PID 3208 wrote to memory of 5036	3208		explorer.exe
PID 3208 wrote to memory of 5036	3208		explorer.exe
PID 3208 wrote to memory of 4112	3208		explorer.exe
PID 3208 wrote to memory of 4112	3208		explorer.exe
PID 3208 wrote to memory of 4112	3208		explorer.exe
PID 3208 wrote to memory of 4124	3208		explorer.exe
PID 3208 wrote to memory of 4124	3208		explorer.exe
PID 3208 wrote to memory of 4124	3208		explorer.exe
PID 3208 wrote to memory of 4124	3208		explorer.exe
PID 3208 wrote to memory of 4252	3208		explorer.exe
PID 3208 wrote to memory of 4252	3208		explorer.exe
PID 3208 wrote to memory of 4252	3208		explorer.exe
PID 3208 wrote to memory of 4612	3208		explorer.exe
PID 3208 wrote to memory of 4612	3208		explorer.exe
PID 3208 wrote to memory of 4612	3208		explorer.exe
PID 3208 wrote to memory of 4612	3208		explorer.exe
PID 4680 wrote to memory of 824	4680	hhhhhhhhhhh.exe	winappmgr.exe
PID 4680 wrote to memory of 824	4680	hhhhhhhhhhh.exe	winappmgr.exe
PID 4680 wrote to memory of 824	4680	hhhhhhhhhhh.exe	winappmgr.exe
PID 3208 wrote to memory of 3896	3208		explorer.exe
PID 3208 wrote to memory of 3896	3208		explorer.exe

C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
"C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
"C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1432

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 8PFJ7Xr/RkiQhw851r/usQ.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a46855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Users\Admin\AppData\Local\Temp\E0.exe
C:\Users\Admin\AppData\Local\Temp\E0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Users\Admin\AppData\Local\Temp\527.exe
C:\Users\Admin\AppData\Local\Temp\527.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Users\Admin\AppData\Local\Temp\527.exe
C:\Users\Admin\AppData\Local\Temp\527.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4188

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\527.exe"
3⤵
PID:2572

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4668

C:\Users\Admin\AppData\Local\Temp\97D.exe
C:\Users\Admin\AppData\Local\Temp\97D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3204

C:\Users\Admin\AppData\Local\Temp\97D.exe
"C:\Users\Admin\AppData\Local\Temp\97D.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 97D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\97D.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:2068

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 97D.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:500

C:\Users\Admin\AppData\Local\Temp\E03.exe
C:\Users\Admin\AppData\Local\Temp\E03.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480

C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\Windows Application Manager\winappmgr.exe
"C:\Users\Admin\Windows Application Manager\winappmgr.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\admin\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\admin\windows application manager\winappmgr.exe" program="C:\Users\Admin\Windows Application Manager\winappmgr.exe"
4⤵
PID:1712

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall show rule name="c:\users\admin\windows application manager\winappmgr.exe"
5⤵
PID:1824

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\admin\windows application manager\winappmgr.exe" program="C:\Users\Admin\Windows Application Manager\winappmgr.exe"
5⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 64164 c:\users\admin\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule name="Port 64164 c:\users\admin\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=64164
4⤵
PID:344

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall show rule "Port 64164 c:\users\admin\windows application manager\winappmgr.exe"
5⤵
PID:836

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port 64164 c:\users\admin\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=64164
5⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh firewall set service type= upnp mode = enable
4⤵
PID:1824

C:\Windows\SysWOW64\netsh.exe
netsh firewall set service type= upnp mode = enable
5⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\F2C.exe
C:\Users\Admin\AppData\Local\Temp\F2C.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Users\Admin\AppData\Local\Temp\117F.exe
C:\Users\Admin\AppData\Local\Temp\117F.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 272
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4656 -ip 4656
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\1336.exe
C:\Users\Admin\AppData\Local\Temp\1336.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Local\Temp\1336.exe
C:\Users\Admin\AppData\Local\Temp\1336.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 880
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4664

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1940 -ip 1940
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4112

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4124

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4612

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3752

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:4424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
C:\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
C:\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1336.exe.log
MD5
0e0e02fac754d41a204705d9b9e1afd4

SHA1
f84d677ede9e0580f665c3540a2ca78ce6474fa7

SHA256
94358c8beac6ab8893034fc15216847e2dfd2d73c8fb0bedc9885a654843c29e

SHA512
d2d5dfc35bfd0a42e70418ba75dbb482b2794ba9b665417322b880c78f720ae189dfb56b9480737db59ba111c454bfe53875c32ef23f92a55e2c25016b3a167a

Download Submit
C:\Users\Admin\AppData\Local\Temp\117F.exe
MD5
ed20a01ec2d93943bd0664fafb76daa6

SHA1
4736f0170c32b4757e062eb6b1d47d46c7d5ab29

SHA256
5bc02ebc009910c9625991d64f2170d0c1ddd2b403d34674e3b48e8fd0f22242

SHA512
b22360f22bb48529b2b986f7ef37eb9d1cdb42eaaea7fa44b93fc48a0f2b02ee4d4029d1d0e80867ce0a8d8a322f9c463182910c83cc36d4b53fb2c50c470ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\117F.exe
MD5
ed20a01ec2d93943bd0664fafb76daa6

SHA1
4736f0170c32b4757e062eb6b1d47d46c7d5ab29

SHA256
5bc02ebc009910c9625991d64f2170d0c1ddd2b403d34674e3b48e8fd0f22242

SHA512
b22360f22bb48529b2b986f7ef37eb9d1cdb42eaaea7fa44b93fc48a0f2b02ee4d4029d1d0e80867ce0a8d8a322f9c463182910c83cc36d4b53fb2c50c470ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336.exe
MD5
82a1aa6c82a14a805d2f1ff6ca9a9a12

SHA1
8143c1eadfae4f93f75e775166d977c7cf36701e

SHA256
dc5dea9424adb16a7f03f34b5c7de6683fc17f7a777a5cb32ffbd64adb1c44ff

SHA512
bbaf94ba3cdd708ce519d6e8d54a159f5da930d3698c825958fa8433371f89d6cf0d9019cb4b76169a46fd26eb234252d7e5c2a8cc1752702a08e0e950cec4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336.exe
MD5
82a1aa6c82a14a805d2f1ff6ca9a9a12

SHA1
8143c1eadfae4f93f75e775166d977c7cf36701e

SHA256
dc5dea9424adb16a7f03f34b5c7de6683fc17f7a777a5cb32ffbd64adb1c44ff

SHA512
bbaf94ba3cdd708ce519d6e8d54a159f5da930d3698c825958fa8433371f89d6cf0d9019cb4b76169a46fd26eb234252d7e5c2a8cc1752702a08e0e950cec4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336.exe
MD5
82a1aa6c82a14a805d2f1ff6ca9a9a12

SHA1
8143c1eadfae4f93f75e775166d977c7cf36701e

SHA256
dc5dea9424adb16a7f03f34b5c7de6683fc17f7a777a5cb32ffbd64adb1c44ff

SHA512
bbaf94ba3cdd708ce519d6e8d54a159f5da930d3698c825958fa8433371f89d6cf0d9019cb4b76169a46fd26eb234252d7e5c2a8cc1752702a08e0e950cec4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\527.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\527.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\527.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\97D.exe
MD5
675cac5a0a63741b250f3df91e6fe9fd

SHA1
49cfc0d1e3dc3bd5e3bc03cd4fca69859b704bbf

SHA256
73941896953c4d0bd666528dec6582d784957b50db6c9c399b5163bc26c1579a

SHA512
a58e600f4fbc316203ce34cae7282ff8df479a568b21ac1b2bb4172f5508f15c17b7e5d1bb8abdfb5cb6428df956a264e7bb692900d83d07effe79af07d863b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\97D.exe
MD5
675cac5a0a63741b250f3df91e6fe9fd

SHA1
49cfc0d1e3dc3bd5e3bc03cd4fca69859b704bbf

SHA256
73941896953c4d0bd666528dec6582d784957b50db6c9c399b5163bc26c1579a

SHA512
a58e600f4fbc316203ce34cae7282ff8df479a568b21ac1b2bb4172f5508f15c17b7e5d1bb8abdfb5cb6428df956a264e7bb692900d83d07effe79af07d863b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\97D.exe
MD5
675cac5a0a63741b250f3df91e6fe9fd

SHA1
49cfc0d1e3dc3bd5e3bc03cd4fca69859b704bbf

SHA256
73941896953c4d0bd666528dec6582d784957b50db6c9c399b5163bc26c1579a

SHA512
a58e600f4fbc316203ce34cae7282ff8df479a568b21ac1b2bb4172f5508f15c17b7e5d1bb8abdfb5cb6428df956a264e7bb692900d83d07effe79af07d863b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\E03.exe
MD5
627fc88e4e32885ef3eb655f353d3d73

SHA1
d41f2cd39501c8df8f71e64cf0b45d0ff6931ec6

SHA256
789a247aac003f6562a3809a60d214843d77f8c0e0fa24ba479a229a4b86cf69

SHA512
c5113af91da5df84108ffb14af33167a54b793789a0eb1aa2ec03d7282dcd05b8a6d10ebe3646102c9d430a2f785fd7bccf58fd22b45d73c1e74bbc93677d4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E03.exe
MD5
627fc88e4e32885ef3eb655f353d3d73

SHA1
d41f2cd39501c8df8f71e64cf0b45d0ff6931ec6

SHA256
789a247aac003f6562a3809a60d214843d77f8c0e0fa24ba479a229a4b86cf69

SHA512
c5113af91da5df84108ffb14af33167a54b793789a0eb1aa2ec03d7282dcd05b8a6d10ebe3646102c9d430a2f785fd7bccf58fd22b45d73c1e74bbc93677d4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2C.exe
MD5
627fc88e4e32885ef3eb655f353d3d73

SHA1
d41f2cd39501c8df8f71e64cf0b45d0ff6931ec6

SHA256
789a247aac003f6562a3809a60d214843d77f8c0e0fa24ba479a229a4b86cf69

SHA512
c5113af91da5df84108ffb14af33167a54b793789a0eb1aa2ec03d7282dcd05b8a6d10ebe3646102c9d430a2f785fd7bccf58fd22b45d73c1e74bbc93677d4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2C.exe
MD5
627fc88e4e32885ef3eb655f353d3d73

SHA1
d41f2cd39501c8df8f71e64cf0b45d0ff6931ec6

SHA256
789a247aac003f6562a3809a60d214843d77f8c0e0fa24ba479a229a4b86cf69

SHA512
c5113af91da5df84108ffb14af33167a54b793789a0eb1aa2ec03d7282dcd05b8a6d10ebe3646102c9d430a2f785fd7bccf58fd22b45d73c1e74bbc93677d4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
MD5
39d6ec1892af37c0fd5c5c2ea89ea782

SHA1
8ec2c72146cbb96c940b6b1d1057b2eb72fc36d0

SHA256
439386a1dfa86c57251f8ee7eeafe15170f6999a97dfeb257ea139829af601c7

SHA512
fd6260b87cfe54a1d81d88d57a49754c6c39bc9c11cd6dbe515fe845958f97a9a2abb3ecd08ed65e8eaec541056b4a7dfe50598b5bd2c807270617a94bec6102

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
MD5
39d6ec1892af37c0fd5c5c2ea89ea782

SHA1
8ec2c72146cbb96c940b6b1d1057b2eb72fc36d0

SHA256
439386a1dfa86c57251f8ee7eeafe15170f6999a97dfeb257ea139829af601c7

SHA512
fd6260b87cfe54a1d81d88d57a49754c6c39bc9c11cd6dbe515fe845958f97a9a2abb3ecd08ed65e8eaec541056b4a7dfe50598b5bd2c807270617a94bec6102

Download Submit
C:\Users\Admin\Windows Application Manager\winappmgr.exe
MD5
39d6ec1892af37c0fd5c5c2ea89ea782

SHA1
8ec2c72146cbb96c940b6b1d1057b2eb72fc36d0

SHA256
439386a1dfa86c57251f8ee7eeafe15170f6999a97dfeb257ea139829af601c7

SHA512
fd6260b87cfe54a1d81d88d57a49754c6c39bc9c11cd6dbe515fe845958f97a9a2abb3ecd08ed65e8eaec541056b4a7dfe50598b5bd2c807270617a94bec6102

Download Submit
C:\Users\Admin\Windows Application Manager\winappmgr.exe
MD5
39d6ec1892af37c0fd5c5c2ea89ea782

SHA1
8ec2c72146cbb96c940b6b1d1057b2eb72fc36d0

SHA256
439386a1dfa86c57251f8ee7eeafe15170f6999a97dfeb257ea139829af601c7

SHA512
fd6260b87cfe54a1d81d88d57a49754c6c39bc9c11cd6dbe515fe845958f97a9a2abb3ecd08ed65e8eaec541056b4a7dfe50598b5bd2c807270617a94bec6102

Download Submit
memory/344-309-0x0000000000000000-mapping.dmp

Download
memory/480-178-0x0000000000000000-mapping.dmp

Download
memory/500-281-0x0000000000000000-mapping.dmp

Download
memory/824-223-0x0000000000000000-mapping.dmp

Download
memory/836-310-0x0000000000000000-mapping.dmp

Download
memory/1092-280-0x0000000000000000-mapping.dmp

Download
memory/1104-181-0x0000000000000000-mapping.dmp

Download
memory/1184-189-0x0000000000000000-mapping.dmp

Download
memory/1184-193-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1184-245-0x0000000005C00000-0x0000000005C1D000-memory.dmp

Filesize
116KB

Download
memory/1184-201-0x0000000005670000-0x0000000005C16000-memory.dmp

Filesize
5.6MB

Download
memory/1196-260-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1196-264-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/1196-256-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1196-255-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1196-253-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1196-252-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/1196-265-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/1196-263-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1196-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1196-271-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/1196-246-0x0000000000000000-mapping.dmp

Download
memory/1196-261-0x0000000004F30000-0x0000000005548000-memory.dmp

Filesize
6.1MB

Download
memory/1196-266-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/1196-262-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1196-269-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/1196-270-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/1432-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1432-146-0x0000000000000000-mapping.dmp

Download
memory/1560-283-0x000001FBC6CE0000-0x000001FBC6CF0000-memory.dmp

Filesize
64KB

Download
memory/1560-282-0x000001FBC6C60000-0x000001FBC6C70000-memory.dmp

Filesize
64KB

Download
memory/1560-284-0x000001FBC92D0000-0x000001FBC92D4000-memory.dmp

Filesize
16KB

Download
memory/1712-234-0x0000000000000000-mapping.dmp

Download
memory/1824-312-0x0000000000000000-mapping.dmp

Download
memory/1824-235-0x0000000000000000-mapping.dmp

Download
memory/1940-203-0x0000000003200000-0x000000000326B000-memory.dmp

Filesize
428KB

Download
memory/1940-196-0x0000000000000000-mapping.dmp

Download
memory/1940-202-0x0000000003270000-0x00000000032E4000-memory.dmp

Filesize
464KB

Download
memory/2068-279-0x0000000000000000-mapping.dmp

Download
memory/2084-236-0x0000000000000000-mapping.dmp

Download
memory/2464-275-0x0000000000000000-mapping.dmp

Download
memory/2464-278-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2464-276-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2572-254-0x0000000000000000-mapping.dmp

Download
memory/3204-185-0x0000000009510000-0x0000000009528000-memory.dmp

Filesize
96KB

Download
memory/3204-272-0x0000000009710000-0x0000000009801000-memory.dmp

Filesize
964KB

Download
memory/3204-273-0x0000000009BF0000-0x0000000009CE4000-memory.dmp

Filesize
976KB

Download
memory/3204-177-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/3204-182-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/3204-169-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/3204-167-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3204-274-0x0000000009850000-0x00000000098ED000-memory.dmp

Filesize
628KB

Download
memory/3204-164-0x0000000000000000-mapping.dmp

Download
memory/3208-293-0x0000000007DF0000-0x0000000007E70000-memory.dmp

Filesize
512KB

Download
memory/3208-149-0x000000000EF40000-0x000000000EF56000-memory.dmp

Filesize
88KB

Download
memory/3752-231-0x0000000000000000-mapping.dmp

Download
memory/3752-232-0x0000000000500000-0x0000000000505000-memory.dmp

Filesize
20KB

Download
memory/3752-233-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/3896-230-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/3896-229-0x0000000000A10000-0x0000000000A15000-memory.dmp

Filesize
20KB

Download
memory/3896-228-0x0000000000000000-mapping.dmp

Download
memory/4112-213-0x0000000000000000-mapping.dmp

Download
memory/4112-214-0x0000000000F60000-0x0000000000F69000-memory.dmp

Filesize
36KB

Download
memory/4112-215-0x0000000000F50000-0x0000000000F5F000-memory.dmp

Filesize
60KB

Download
memory/4124-216-0x0000000000000000-mapping.dmp

Download
memory/4124-217-0x00000000032E0000-0x00000000032E5000-memory.dmp

Filesize
20KB

Download
memory/4124-218-0x00000000032D0000-0x00000000032D9000-memory.dmp

Filesize
36KB

Download
memory/4188-241-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4188-239-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4188-238-0x0000000000000000-mapping.dmp

Download
memory/4252-220-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/4252-219-0x0000000000000000-mapping.dmp

Download
memory/4252-221-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/4456-150-0x0000000000000000-mapping.dmp

Download
memory/4612-222-0x0000000000000000-mapping.dmp

Download
memory/4612-227-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/4612-226-0x00000000009B0000-0x00000000009B4000-memory.dmp

Filesize
16KB

Download
memory/4648-204-0x0000000000000000-mapping.dmp

Download
memory/4648-313-0x0000000000000000-mapping.dmp

Download
memory/4648-208-0x0000000000A80000-0x0000000000A87000-memory.dmp

Filesize
28KB

Download
memory/4648-209-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/4656-192-0x00000000049E0000-0x0000000004A71000-memory.dmp

Filesize
580KB

Download
memory/4656-186-0x0000000000000000-mapping.dmp

Download
memory/4668-257-0x0000000000000000-mapping.dmp

Download
memory/4680-205-0x0000000000000000-mapping.dmp

Download
memory/5008-148-0x0000000002ED0000-0x0000000002EDA000-memory.dmp

Filesize
40KB

Download
memory/5020-311-0x0000000000000000-mapping.dmp

Download
memory/5036-212-0x00000000007A0000-0x00000000007AB000-memory.dmp

Filesize
44KB

Download
memory/5036-210-0x0000000000000000-mapping.dmp

Download
memory/5036-211-0x00000000007B0000-0x00000000007B7000-memory.dmp

Filesize
28KB

Download
memory/5084-158-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5084-155-0x0000000000000000-mapping.dmp

Download
memory/5084-160-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/5084-161-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/5084-162-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/5084-237-0x00000000058A0000-0x00000000058C1000-memory.dmp

Filesize
132KB

Download
memory/5084-175-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/5084-172-0x0000000005330000-0x00000000058D6000-memory.dmp

Filesize
5.6MB

Download
memory/5084-163-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download