glupteba | b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

Target

EB7233922891E1DAD0434FBD52623647.exe
Size

7.9MB
MD5

eb7233922891e1dad0434fbd52623647
SHA1

331126b108532ab9a1e932141bff55a38656bce9
SHA256

b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
SHA512

597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Score

10^/10

glupteba metasploit raccoon 7f2d7476ae0c3559a3dfab1f6e354e488b2429a1 backdoor discovery dropper evasion loader persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

7f2d7476ae0c3559a3dfab1f6e354e488b2429a1

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/804-209-0x0000000001610000-0x0000000001F36000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1140 4780 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4780	rUNdlL32.eXe

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1476 created 1252	1476	WerFault.exe	rundll32.exe
PID 1896 created 804	1896	WerFault.exe	Info.exe
PID 4512 created 2180	4512	WerFault.exe	pub2.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

KRSetp.exeFolder.exeFolder.exeInfo.exeInstallation.exemd9_1sjm.exepub2.exemysetold.exerun.exerun2.exeFiles.exejfiag3g_gg.exejfiag3g_gg.exeMicrosoftApi.exejfiag3g_gg.exe

pid	process
4568	KRSetp.exe
3456	Folder.exe
4912	Folder.exe
804	Info.exe
1140	Installation.exe
5832	md9_1sjm.exe
2180	pub2.exe
5480	mysetold.exe
2272	run.exe
2152	run2.exe
2328	Files.exe
2712	jfiag3g_gg.exe
3480	jfiag3g_gg.exe
6092	MicrosoftApi.exe
4016	jfiag3g_gg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe	vmprotect
behavioral2/memory/5832-233-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

run2.exeMicrosoftApi.exerun.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	run2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	run.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	run.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	run2.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

run.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Wine run.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerun.exe

pid process

1252 rundll32.exe
2272 run.exe
2272 run.exe
2272 run.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Wine	run.exe

pid	process
1252	rundll32.exe
2272	run.exe
2272	run.exe
2272	run.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exeFiles.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	Files.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

run.exe

pid process

2272 run.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
15	ip-api.com

pid	process
2272	run.exe

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe	autoit_exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

584 1252 WerFault.exe rundll32.exe
2880 804 WerFault.exe Info.exe
5148 2180 WerFault.exe pub2.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
584	1252	WerFault.exe	rundll32.exe
2880	804	WerFault.exe	Info.exe
5148	2180	WerFault.exe	pub2.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5500 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1264 timeout.exe
4896 timeout.exe

pid	process
5500	schtasks.exe

pid	process
1264	timeout.exe
4896	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exemsedge.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

WerFault.exemsedge.exemsedge.exeWerFault.exeidentity_helper.exeWerFault.exerun.exejfiag3g_gg.exemsedge.exejfiag3g_gg.exe

pid	process
584	WerFault.exe
584	WerFault.exe
1848	msedge.exe
1848	msedge.exe
2984	msedge.exe
2984	msedge.exe
2880	WerFault.exe
2880	WerFault.exe
3576	identity_helper.exe
3576	identity_helper.exe
5148	WerFault.exe
5148	WerFault.exe
2272	run.exe
2272	run.exe
3480	jfiag3g_gg.exe
3480	jfiag3g_gg.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4016	jfiag3g_gg.exe
4016	jfiag3g_gg.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

KRSetp.exeWerFault.exesvchost.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	4568	KRSetp.exe
Token: SeRestorePrivilege	584	WerFault.exe
Token: SeBackupPrivilege	584	WerFault.exe
Token: SeBackupPrivilege	584	WerFault.exe
Token: SeTcbPrivilege	3788	svchost.exe
Token: SeTcbPrivilege	3788	svchost.exe
Token: SeTcbPrivilege	3788	svchost.exe
Token: SeTcbPrivilege	3788	svchost.exe
Token: SeTcbPrivilege	3788	svchost.exe
Token: SeTcbPrivilege	3788	svchost.exe
Token: SeManageVolumePrivilege	5832	md9_1sjm.exe
Token: SeManageVolumePrivilege	5832	md9_1sjm.exe
Token: SeManageVolumePrivilege	5832	md9_1sjm.exe
Token: SeManageVolumePrivilege	5832	md9_1sjm.exe
Token: SeManageVolumePrivilege	5832	md9_1sjm.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

msedge.exemysetold.exe

pid process

2984 msedge.exe
5480 mysetold.exe
5480 mysetold.exe
5480 mysetold.exe
5480 mysetold.exe
5480 mysetold.exe
5480 mysetold.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

mysetold.exe

pid process

5480 mysetold.exe
5480 mysetold.exe
5480 mysetold.exe
5480 mysetold.exe
5480 mysetold.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Installation.exe

pid process

1140 Installation.exe

pid	process
2984	msedge.exe
5480	mysetold.exe
5480	mysetold.exe
5480	mysetold.exe
5480	mysetold.exe
5480	mysetold.exe
5480	mysetold.exe

pid	process
5480	mysetold.exe
5480	mysetold.exe
5480	mysetold.exe
5480	mysetold.exe
5480	mysetold.exe

pid	process
1140	Installation.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EB7233922891E1DAD0434FBD52623647.exemsedge.exeFolder.exerUNdlL32.eXeWerFault.exe

description	pid	process	target process
PID 3832 wrote to memory of 4568	3832	EB7233922891E1DAD0434FBD52623647.exe	KRSetp.exe
PID 3832 wrote to memory of 4568	3832	EB7233922891E1DAD0434FBD52623647.exe	KRSetp.exe
PID 3832 wrote to memory of 2984	3832	EB7233922891E1DAD0434FBD52623647.exe	msedge.exe
PID 3832 wrote to memory of 2984	3832	EB7233922891E1DAD0434FBD52623647.exe	msedge.exe
PID 3832 wrote to memory of 3456	3832	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 3832 wrote to memory of 3456	3832	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 3832 wrote to memory of 3456	3832	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 2984 wrote to memory of 3900	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3900	2984	msedge.exe	msedge.exe
PID 3456 wrote to memory of 4912	3456	Folder.exe	Folder.exe
PID 3456 wrote to memory of 4912	3456	Folder.exe	Folder.exe
PID 3456 wrote to memory of 4912	3456	Folder.exe	Folder.exe
PID 3832 wrote to memory of 804	3832	EB7233922891E1DAD0434FBD52623647.exe	Info.exe
PID 3832 wrote to memory of 804	3832	EB7233922891E1DAD0434FBD52623647.exe	Info.exe
PID 3832 wrote to memory of 804	3832	EB7233922891E1DAD0434FBD52623647.exe	Info.exe
PID 1140 wrote to memory of 1252	1140	rUNdlL32.eXe	rundll32.exe
PID 1140 wrote to memory of 1252	1140	rUNdlL32.eXe	rundll32.exe
PID 1140 wrote to memory of 1252	1140	rUNdlL32.eXe	rundll32.exe
PID 1476 wrote to memory of 1252	1476	WerFault.exe	rundll32.exe
PID 1476 wrote to memory of 1252	1476	WerFault.exe	rundll32.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 3932	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 1848	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 1848	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 1860	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 1860	2984	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw7
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xc4,0x10c,0x7ffb539c46f8,0x7ffb539c4708,0x7ffb539c4718
    3⤵
    PID:3900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:3932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
    3⤵
    PID:1860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:2352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    3⤵
    PID:2880
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    3⤵
    PID:5152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
    3⤵
    PID:572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1752 /prefetch:8
    3⤵
    PID:744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3432 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
    3⤵
    PID:1000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
    3⤵
    PID:2580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,2483645590566921469,8081194664067765121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:3988
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:4912
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
  2⤵
  - Executes dropped EXE
  PID:804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 240
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe"
  2⤵
  - Executes dropped EXE
  PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 244
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5148
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5480
- - C:\Users\Public\run.exe
    C:\Users\Public\run.exe
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2272
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\pduTvT0WZT.dll
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\run.exe"
      4⤵
      PID:4552
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1264
- - C:\Users\Public\run2.exe
    C:\Users\Public\run2.exe
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    PID:2152
  - - C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      PID:6092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E25.tmp.cmd""
        5⤵
        
        PID:1068
      - C:\Windows\system32\timeout.exe
        
        timeout 4
        6⤵
        Delays execution with timeout.exe
        
        PID:4896
      - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:5500
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3480
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4016

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv yKasnM7UgUqICmWI3CBItg.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4460

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 448
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1252 -ip 1252
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 804 -ip 804
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:5632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2180 -ip 2180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\aD1rF3aM8r\mozglue.dll

MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
C:\Users\Admin\AppData\LocalLow\aD1rF3aM8r\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5
2a2447accb6eba8eaaf44a1cf96e830e

SHA1
ad7fec854b65eecfde12570d0340a11b5063ed2b

SHA256
204f007e4bfd637ed91451e9b949ae28fcbfe071507561bcfdb0d89e641c6000

SHA512
7a45f2b4740d898d03e617e1a48af408014c6c05f1a4e7faf046e982274b6178fff3d92e6dc8f3ac3842c0355a13c199a627fef60c632150cf72a926d8f9e58a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5
c781b6f68e4ad36319c51cc134bb0d1a

SHA1
c145f704eddc4e07d1444a1ca1d6f8d7821b1c72

SHA256
0fc388e9b21907e5cc5fee4491fea0d32fce6f92e18e1966e497993d178e2150

SHA512
ffa7c8e517471f5d9d1b03ab58da21212ae00beddd4dfbbd58de11344e6bb66e8a14bdbceabe1ff02171de9abfd74371d970ac20c3e584bed026e4cedfb83470

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files.exe

MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files.exe

MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe

MD5
bda0c64936b09cfb76fda98e37f5b6a4

SHA1
8ee82a7dee86562cb7b1732dafe4c5a9f16f51b8

SHA256
4f5a67a18795c134aa846250f5e88b5fafd28f329fd1742d02b141e1095f9783

SHA512
cf1c0d7a5345ad68887a4f6328db54d3119935aad66544e466a002ec9491990da05614c0457c94e7545924b159afc0bc68f350342cc7f7335406c30ba0be362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe

MD5
bda0c64936b09cfb76fda98e37f5b6a4

SHA1
8ee82a7dee86562cb7b1732dafe4c5a9f16f51b8

SHA256
4f5a67a18795c134aa846250f5e88b5fafd28f329fd1742d02b141e1095f9783

SHA512
cf1c0d7a5345ad68887a4f6328db54d3119935aad66544e466a002ec9491990da05614c0457c94e7545924b159afc0bc68f350342cc7f7335406c30ba0be362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe

MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe

MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe

MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe

MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe

MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe

MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe

MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe

MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe

MD5
5e8856c0eaac948c6245109413df2cd3

SHA1
36cdf54f902f59530f5b555cc1d3726418dd1e12

SHA256
b9d5320c2f8baa3fba95bf4467e4160a4fd8096417bf3675be649a865461aa21

SHA512
6bd31da0979e1664808f473d68fcca458705f83f49d3a6b3b71a3b916c6fc0f8479677edba4caadac1cb97ec1de994067391f24b040a6d7f8d42a6010d932d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe

MD5
5e8856c0eaac948c6245109413df2cd3

SHA1
36cdf54f902f59530f5b555cc1d3726418dd1e12

SHA256
b9d5320c2f8baa3fba95bf4467e4160a4fd8096417bf3675be649a865461aa21

SHA512
6bd31da0979e1664808f473d68fcca458705f83f49d3a6b3b71a3b916c6fc0f8479677edba4caadac1cb97ec1de994067391f24b040a6d7f8d42a6010d932d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2984_1027502508\1d71b726-bb6c-499c-bc59-57a82a35d8d6

MD5
1b091fbe5d7937e50c27fc48d9a7b50e

SHA1
6477774d4abff26ab4944b4c627c92907817c9c9

SHA256
b45fc5f3479dc7b07e8e5822a11785819b7f1c249c9b47dcffcb28edbbc2d706

SHA512
2ee60c4408ebcec951570cdf0d6d49fd287febde607ef94128519fa2424823010e9fca080175f6f0e7e197232721def033ee82f9b4d9be9cdab6fb7e27526399

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2984_1447707747\0a5f110e-e0a3-4b12-a860-a8e62e3be71f

MD5
43456ea826951e20c9d0694a01f1886b

SHA1
9c848aa393d9ea2fd63873381e3af72b7a2e03f4

SHA256
68715ca8cdd03437049d6d9d2ceb47584b886a7807bc9b2b483e3faa174694df

SHA512
1c102ac415d393754e3ab07b5ffe6ebc60ad4888072bf194d85c57da07eef58fa7ba21ee2a6a45a287540325da1a72c9de362526fc62f122c340021d80ea0d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2984_369295607\b22f5f18-f7ea-4290-929d-b13c03908334

MD5
a36d70bcd9333175811c53122f7d2c1d

SHA1
9a9a0c0ac2fc1db6e7b78868c8d4c96d747b8f1c

SHA256
26123bef7d73536450862d2c4d44963d720aa80b6fc2d8496f559cb9c1fdeb00

SHA512
e69aee2d91c50dd63030bd64cd12b5120c1db9871caf3c26b2cbf29ff96891b5f2e7d1388e4b731f77d7fb24904f379a6a8d5c1b2aacf8a8501fd0111ab0caf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2984_399954097\1d147c3b-6a51-425f-a960-c0159921df27

MD5
22351f8e29208582a8c4a3be256433d7

SHA1
f05a56b94cfaf46b1c74f815cc9b9d80784ffb7e

SHA256
9ab1dc1c2c03aa5b274e583dc42891bc07dcceea577ac348940e112b48fa6006

SHA512
e13bf84d66b5f067508f5a8fb92cbea9bde8ffa3cca9a72ef1baf30d4675807de90fb2b461ea8f5ede9e13003c9fa5f3f56213aa09e4d8a2294f1f08c110a731

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2984_487411909\320fa221-fff7-48f5-b84b-2dd6068ee237

MD5
3c6861d6e575eebddfbc882af631e81e

SHA1
801ed776129028dfc70256707252682d07ab7cb1

SHA256
ac709ac32c42d190b315519bfdf8b1b7cfdd136bf13ec17f66b9a119d62e6604

SHA512
f4c74ee2a793b437d1a263ff1dac06bfb13b7bb3b1ccdf5768f3518c1fdcb39dc45df15ba9d14cb512d1cebd991648497ecb9c1041ebc428aec62c88f6773a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2984_550855590\73488d35-4a20-45e5-a813-40b10aec38a5

MD5
30de66cb327e7099a99792617f0d2ee2

SHA1
477a8b9bebd09a70483f605e5e946a41c7cc11c1

SHA256
2b9686f8469e6fa45d1b911dbce40dd84a569f702c6d52586503ef8aa3cbc8d1

SHA512
d408e1d6b045aecfd40738b8344a9393a2a4a0e14e83c74710605a4c319a8c7655130885adf92656f7c81c9cd82388db5d39caf1b5eb3d4c3c6926b5516d0e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
a174d42aebd9b07b023f7508e05c279b

SHA1
f70cd24ba0b5b801a04111a9c5b5ec324926c7c3

SHA256
fef48e8c21cc4c8f7ebf5580d2488df5793dba5589c7e042934ea1a0b4c9beb2

SHA512
4897e43aedf30651a450ed3e978c35e76e51d9f001ddf9353d62a8f375cb2f5caf203603dc463a9bf6f1f866b0943acd00734a222fce17721705d7e3329825ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
a174d42aebd9b07b023f7508e05c279b

SHA1
f70cd24ba0b5b801a04111a9c5b5ec324926c7c3

SHA256
fef48e8c21cc4c8f7ebf5580d2488df5793dba5589c7e042934ea1a0b4c9beb2

SHA512
4897e43aedf30651a450ed3e978c35e76e51d9f001ddf9353d62a8f375cb2f5caf203603dc463a9bf6f1f866b0943acd00734a222fce17721705d7e3329825ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E25.tmp.cmd

MD5
0d7cd92dc1b2cb14cf4df3cb5a26cf6e

SHA1
7514bee694e1ef60c749aa0c1f97d0326b87a99a

SHA256
762f267ea6a0e01ad84db230e22874f72986ee7e00de3bd9311bb6f0c1e76130

SHA512
2e950da0a19c1b8630c3d197864517d5d1530e97370c5942cd7891cafeaf30e8891cb7369f1fe41453bce81add4a256f54e72b78e6cba3b59831642bf213564e

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe

MD5
0540b5dab84c17985b3f8733d427f715

SHA1
9b5e46c0ca5e030b05fdb71de68a304498756e5a

SHA256
514243e9c21c9bf51e40af6f9d8ad0db11ed79d4b4009d1c0b104a410a9b30d6

SHA512
fcddce3889fbd52984c29ef61d7218b494dbe15528b7b402ba8ecbeb164dc43917f30d635a1e3aaf5eaea90d09cb0bad7b71d12ea5249cb37e7a5f9de962e162

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe

MD5
0540b5dab84c17985b3f8733d427f715

SHA1
9b5e46c0ca5e030b05fdb71de68a304498756e5a

SHA256
514243e9c21c9bf51e40af6f9d8ad0db11ed79d4b4009d1c0b104a410a9b30d6

SHA512
fcddce3889fbd52984c29ef61d7218b494dbe15528b7b402ba8ecbeb164dc43917f30d635a1e3aaf5eaea90d09cb0bad7b71d12ea5249cb37e7a5f9de962e162

Download Submit
C:\Users\Public\run.exe

MD5
a8192caf36675e4df1183edad5729339

SHA1
1e446c838e5f7577f31a7143afbdf0789a23563e

SHA256
030835b911a792bc95541c70aedd715590b4a33b740d3007e3d37334edcd103c

SHA512
38c7f513d93183e1e0e912f461d2a7ba502cb9afa887793dabfe0e208b8394741cb60b6338e21ee5fbe7747a4f4f029f7afb73bde46b397442d0079100e3afff

Download Submit
C:\Users\Public\run.exe

MD5
a8192caf36675e4df1183edad5729339

SHA1
1e446c838e5f7577f31a7143afbdf0789a23563e

SHA256
030835b911a792bc95541c70aedd715590b4a33b740d3007e3d37334edcd103c

SHA512
38c7f513d93183e1e0e912f461d2a7ba502cb9afa887793dabfe0e208b8394741cb60b6338e21ee5fbe7747a4f4f029f7afb73bde46b397442d0079100e3afff

Download Submit
C:\Users\Public\run2.exe

MD5
0540b5dab84c17985b3f8733d427f715

SHA1
9b5e46c0ca5e030b05fdb71de68a304498756e5a

SHA256
514243e9c21c9bf51e40af6f9d8ad0db11ed79d4b4009d1c0b104a410a9b30d6

SHA512
fcddce3889fbd52984c29ef61d7218b494dbe15528b7b402ba8ecbeb164dc43917f30d635a1e3aaf5eaea90d09cb0bad7b71d12ea5249cb37e7a5f9de962e162

Download Submit
C:\Users\Public\run2.exe

MD5
0540b5dab84c17985b3f8733d427f715

SHA1
9b5e46c0ca5e030b05fdb71de68a304498756e5a

SHA256
514243e9c21c9bf51e40af6f9d8ad0db11ed79d4b4009d1c0b104a410a9b30d6

SHA512
fcddce3889fbd52984c29ef61d7218b494dbe15528b7b402ba8ecbeb164dc43917f30d635a1e3aaf5eaea90d09cb0bad7b71d12ea5249cb37e7a5f9de962e162

Download Submit
\??\pipe\LOCAL\crashpad_2984_YSKGSXVQASNSAQRB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/572-272-0x0000000000000000-mapping.dmp

Download
memory/744-327-0x0000000000000000-mapping.dmp

Download
memory/804-209-0x0000000001610000-0x0000000001F36000-memory.dmp

Filesize
9.1MB

Download
memory/804-168-0x0000000000000000-mapping.dmp

Download
memory/1000-349-0x0000000000000000-mapping.dmp

Download
memory/1068-337-0x0000000000000000-mapping.dmp

Download
memory/1140-206-0x0000000000000000-mapping.dmp

Download
memory/1252-172-0x0000000000000000-mapping.dmp

Download
memory/1264-319-0x0000000000000000-mapping.dmp

Download
memory/1396-343-0x0000000000000000-mapping.dmp

Download
memory/1848-177-0x0000000000000000-mapping.dmp

Download
memory/1860-181-0x0000000000000000-mapping.dmp

Download
memory/2152-298-0x00007FF639E10000-0x00007FF639E11000-memory.dmp

Filesize
4KB

Download
memory/2152-279-0x0000000000000000-mapping.dmp

Download
memory/2180-263-0x0000000000000000-mapping.dmp

Download
memory/2180-266-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

Filesize
36KB

Download
memory/2272-289-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2272-295-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2272-288-0x00000000001C0000-0x000000000069C000-memory.dmp

Filesize
4.9MB

Download
memory/2272-315-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2272-290-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/2272-291-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2272-292-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2272-293-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2272-294-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2272-314-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2272-308-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/2272-297-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2272-299-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/2272-301-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2272-296-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2272-302-0x0000000004CD0000-0x0000000004CD2000-memory.dmp

Filesize
8KB

Download
memory/2272-303-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/2272-276-0x0000000000000000-mapping.dmp

Download
memory/2328-282-0x0000000000000000-mapping.dmp

Download
memory/2352-193-0x0000000000000000-mapping.dmp

Download
memory/2580-357-0x0000000000000000-mapping.dmp

Download
memory/2712-285-0x0000000000000000-mapping.dmp

Download
memory/2984-157-0x0000000000000000-mapping.dmp

Download
memory/3124-196-0x0000000000000000-mapping.dmp

Download
memory/3456-158-0x0000000000000000-mapping.dmp

Download
memory/3480-309-0x0000000000000000-mapping.dmp

Download
memory/3576-210-0x0000000000000000-mapping.dmp

Download
memory/3796-317-0x0000000000000000-mapping.dmp

Download
memory/3900-162-0x0000000000000000-mapping.dmp

Download
memory/3932-178-0x00007FFB74890000-0x00007FFB74891000-memory.dmp

Filesize
4KB

Download
memory/3932-176-0x0000000000000000-mapping.dmp

Download
memory/3988-363-0x0000000000000000-mapping.dmp

Download
memory/4016-373-0x0000000000000000-mapping.dmp

Download
memory/4224-331-0x0000000000000000-mapping.dmp

Download
memory/4552-318-0x0000000000000000-mapping.dmp

Download
memory/4568-156-0x00000000013E0000-0x00000000013E2000-memory.dmp

Filesize
8KB

Download
memory/4568-151-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4568-153-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/4568-154-0x00000000013C0000-0x00000000013DC000-memory.dmp

Filesize
112KB

Download
memory/4568-148-0x0000000000000000-mapping.dmp

Download
memory/4568-155-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/4896-339-0x0000000000000000-mapping.dmp

Download
memory/4912-166-0x0000000000000000-mapping.dmp

Download
memory/5152-214-0x0000000000000000-mapping.dmp

Download
memory/5168-216-0x0000000000000000-mapping.dmp

Download
memory/5480-267-0x0000000000000000-mapping.dmp

Download
memory/5500-340-0x0000000000000000-mapping.dmp

Download
memory/5632-354-0x000002CC1CE80000-0x000002CC1CE84000-memory.dmp

Filesize
16KB

Download
memory/5632-371-0x000002CC1CAE0000-0x000002CC1CAE4000-memory.dmp

Filesize
16KB

Download
memory/5632-229-0x000002CC1CAC0000-0x000002CC1CAC4000-memory.dmp

Filesize
16KB

Download
memory/5632-372-0x000002CC1A7C0000-0x000002CC1A7C1000-memory.dmp

Filesize
4KB

Download
memory/5632-227-0x000002CC1A460000-0x000002CC1A470000-memory.dmp

Filesize
64KB

Download
memory/5632-353-0x000002CC1CE80000-0x000002CC1CE84000-memory.dmp

Filesize
16KB

Download
memory/5632-228-0x000002CC1A4E0000-0x000002CC1A4F0000-memory.dmp

Filesize
64KB

Download
memory/5632-367-0x000002CC1CE00000-0x000002CC1CE04000-memory.dmp

Filesize
16KB

Download
memory/5632-368-0x000002CC1CDD0000-0x000002CC1CDD1000-memory.dmp

Filesize
4KB

Download
memory/5632-369-0x000002CC1CAF0000-0x000002CC1CAF4000-memory.dmp

Filesize
16KB

Download
memory/5632-370-0x000002CC1CAE0000-0x000002CC1CAE1000-memory.dmp

Filesize
4KB

Download
memory/5832-247-0x0000000003AB0000-0x0000000003B30000-memory.dmp

Filesize
512KB

Download
memory/5832-255-0x0000000003C70000-0x0000000003CF0000-memory.dmp

Filesize
512KB

Download
memory/5832-233-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/5832-230-0x0000000000000000-mapping.dmp

Download
memory/6092-320-0x0000000000000000-mapping.dmp

Download
memory/6092-323-0x00007FF7B4EB0000-0x00007FF7B4EB1000-memory.dmp

Filesize
4KB

Download