asyncrat | 04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
11-09-2021 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Size

770KB
MD5

2f087c02e5a65fc3a150ba96ddde8a0f
SHA1

d8b02d1cd0d582b93866ea2e2da10cb148828566
SHA256

04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f
SHA512

86b078abb4270864802f0056c5657c82c2f375472d821fd888aa0252c10e270cba8beb5bc5063236d7c1192ccf573d7df7dec83ddf753638e96aa6d06f5c0edd

Score

10^/10

asyncrat darkcomet default sazan persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

marbeyli.duckdns.org:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

darkcomet

Botnet

Sazan

marbeyli.duckdns.org:1604

Mutex

DC_MUTEX-D2KTVT9

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
iGJFx2jaJsy3
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe"	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

SVCHOST.EXE

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" SVCHOST.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SVCHOST.EXE

Async RAT payload 12 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE	asyncrat
C:\Users\Admin\DOCUME~1\MSDCSC\svchost.exe	asyncrat
C:\Users\Admin\DOCUME~1\MSDCSC\svchost.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE	asyncrat
C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Temp\04C164~1.EXE	asyncrat
C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Temp\3582-490\SVCHOST.EXE	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat

Executes dropped EXE 13 IoCs

Processes:

CHROME.EXESVCHOST.EXESVCHOST.EXEsvchost.comsvchost.exesvchost.comCHROME.EXEsvchost.comSVCHOST.EXEsvchost.comSVCHOST.EXEsvchost.comsvchost.exe

pid	process
844	CHROME.EXE
1156	SVCHOST.EXE
1364	SVCHOST.EXE
1764	svchost.com
1876	svchost.exe
2300	svchost.com
2468	CHROME.EXE
2508	svchost.com
2912	SVCHOST.EXE
4080	svchost.com
2000	SVCHOST.EXE
796	svchost.com
1584	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe

Drops startup file 2 IoCs

Processes:

CHROME.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	CHROME.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	CHROME.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CHROME.EXE04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHROME.EXE\" .."	CHROME.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe"	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHROME.EXE\" .."	CHROME.EXE

Drops file in Program Files directory 64 IoCs

Processes:

SVCHOST.EXEsvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Temp\GUM18A1.tmp\GOFB2B~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Temp\GUM18A1.tmp\GOFB2B~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	SVCHOST.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	SVCHOST.EXE

Drops file in Windows directory 13 IoCs

Processes:

SVCHOST.EXEsvchost.comsvchost.comsvchost.comsvchost.comSVCHOST.EXEsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	SVCHOST.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	SVCHOST.EXE
File opened for modification	C:\Windows\svchost.com	SVCHOST.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4020 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

416 timeout.exe

pid	process
4020	schtasks.exe

pid	process
416	timeout.exe

Modifies registry class 6 IoCs

Processes:

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exesvchost.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	SVCHOST.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

SVCHOST.EXE

pid	process
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE
1364	SVCHOST.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CHROME.EXE

pid process

2468 CHROME.EXE

pid	process
2468	CHROME.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exesvchost.exeSVCHOST.EXECHROME.EXEsvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeSecurityPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeTakeOwnershipPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeLoadDriverPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeSystemProfilePrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeSystemtimePrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeProfSingleProcessPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeIncBasePriorityPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeCreatePagefilePrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeBackupPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeRestorePrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeShutdownPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeDebugPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeSystemEnvironmentPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeChangeNotifyPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeRemoteShutdownPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeUndockPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeManageVolumePrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeImpersonatePrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeCreateGlobalPrivilege	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: 33	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: 34	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: 35	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: 36	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Token: SeIncreaseQuotaPrivilege	1876	svchost.exe
Token: SeSecurityPrivilege	1876	svchost.exe
Token: SeTakeOwnershipPrivilege	1876	svchost.exe
Token: SeLoadDriverPrivilege	1876	svchost.exe
Token: SeSystemProfilePrivilege	1876	svchost.exe
Token: SeSystemtimePrivilege	1876	svchost.exe
Token: SeProfSingleProcessPrivilege	1876	svchost.exe
Token: SeIncBasePriorityPrivilege	1876	svchost.exe
Token: SeCreatePagefilePrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeRestorePrivilege	1876	svchost.exe
Token: SeShutdownPrivilege	1876	svchost.exe
Token: SeDebugPrivilege	1876	svchost.exe
Token: SeSystemEnvironmentPrivilege	1876	svchost.exe
Token: SeChangeNotifyPrivilege	1876	svchost.exe
Token: SeRemoteShutdownPrivilege	1876	svchost.exe
Token: SeUndockPrivilege	1876	svchost.exe
Token: SeManageVolumePrivilege	1876	svchost.exe
Token: SeImpersonatePrivilege	1876	svchost.exe
Token: SeCreateGlobalPrivilege	1876	svchost.exe
Token: 33	1876	svchost.exe
Token: 34	1876	svchost.exe
Token: 35	1876	svchost.exe
Token: 36	1876	svchost.exe
Token: SeDebugPrivilege	1364	SVCHOST.EXE
Token: SeDebugPrivilege	2468	CHROME.EXE
Token: 33	2468	CHROME.EXE
Token: SeIncBasePriorityPrivilege	2468	CHROME.EXE
Token: 33	2468	CHROME.EXE
Token: SeIncBasePriorityPrivilege	2468	CHROME.EXE
Token: SeDebugPrivilege	1584	svchost.exe
Token: 33	2468	CHROME.EXE
Token: SeIncBasePriorityPrivilege	2468	CHROME.EXE
Token: 33	2468	CHROME.EXE
Token: SeIncBasePriorityPrivilege	2468	CHROME.EXE
Token: 33	2468	CHROME.EXE
Token: SeIncBasePriorityPrivilege	2468	CHROME.EXE
Token: 33	2468	CHROME.EXE
Token: SeIncBasePriorityPrivilege	2468	CHROME.EXE
Token: 33	2468	CHROME.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1876 svchost.exe

pid	process
1876	svchost.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exeSVCHOST.EXEsvchost.comsvchost.exesvchost.comsvchost.comSVCHOST.EXEsvchost.comSVCHOST.EXEsvchost.comcmd.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 844	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	CHROME.EXE
PID 644 wrote to memory of 844	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	CHROME.EXE
PID 644 wrote to memory of 1156	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	SVCHOST.EXE
PID 644 wrote to memory of 1156	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	SVCHOST.EXE
PID 644 wrote to memory of 1156	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	SVCHOST.EXE
PID 1156 wrote to memory of 1364	1156	SVCHOST.EXE	SVCHOST.EXE
PID 1156 wrote to memory of 1364	1156	SVCHOST.EXE	SVCHOST.EXE
PID 1156 wrote to memory of 1364	1156	SVCHOST.EXE	SVCHOST.EXE
PID 644 wrote to memory of 1764	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	svchost.com
PID 644 wrote to memory of 1764	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	svchost.com
PID 644 wrote to memory of 1764	644	04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe	svchost.com
PID 1764 wrote to memory of 1876	1764	svchost.com	svchost.exe
PID 1764 wrote to memory of 1876	1764	svchost.com	svchost.exe
PID 1764 wrote to memory of 1876	1764	svchost.com	svchost.exe
PID 1876 wrote to memory of 2300	1876	svchost.exe	svchost.com
PID 1876 wrote to memory of 2300	1876	svchost.exe	svchost.com
PID 1876 wrote to memory of 2300	1876	svchost.exe	svchost.com
PID 2300 wrote to memory of 2468	2300	svchost.com	CHROME.EXE
PID 2300 wrote to memory of 2468	2300	svchost.com	CHROME.EXE
PID 1876 wrote to memory of 2508	1876	svchost.exe	svchost.com
PID 1876 wrote to memory of 2508	1876	svchost.exe	svchost.com
PID 1876 wrote to memory of 2508	1876	svchost.exe	svchost.com
PID 2508 wrote to memory of 2912	2508	svchost.com	SVCHOST.EXE
PID 2508 wrote to memory of 2912	2508	svchost.com	SVCHOST.EXE
PID 2508 wrote to memory of 2912	2508	svchost.com	SVCHOST.EXE
PID 2912 wrote to memory of 4080	2912	SVCHOST.EXE	svchost.com
PID 2912 wrote to memory of 4080	2912	SVCHOST.EXE	svchost.com
PID 2912 wrote to memory of 4080	2912	SVCHOST.EXE	svchost.com
PID 4080 wrote to memory of 2000	4080	svchost.com	SVCHOST.EXE
PID 4080 wrote to memory of 2000	4080	svchost.com	SVCHOST.EXE
PID 4080 wrote to memory of 2000	4080	svchost.com	SVCHOST.EXE
PID 1364 wrote to memory of 796	1364	SVCHOST.EXE	svchost.com
PID 1364 wrote to memory of 796	1364	SVCHOST.EXE	svchost.com
PID 1364 wrote to memory of 796	1364	SVCHOST.EXE	svchost.com
PID 796 wrote to memory of 3108	796	svchost.com	cmd.exe
PID 796 wrote to memory of 3108	796	svchost.com	cmd.exe
PID 796 wrote to memory of 3108	796	svchost.com	cmd.exe
PID 1364 wrote to memory of 3864	1364	SVCHOST.EXE	cmd.exe
PID 1364 wrote to memory of 3864	1364	SVCHOST.EXE	cmd.exe
PID 1364 wrote to memory of 3864	1364	SVCHOST.EXE	cmd.exe
PID 3108 wrote to memory of 4020	3108	cmd.exe	schtasks.exe
PID 3108 wrote to memory of 4020	3108	cmd.exe	schtasks.exe
PID 3108 wrote to memory of 4020	3108	cmd.exe	schtasks.exe
PID 3864 wrote to memory of 416	3864	cmd.exe	timeout.exe
PID 3864 wrote to memory of 416	3864	cmd.exe	timeout.exe
PID 3864 wrote to memory of 416	3864	cmd.exe	timeout.exe
PID 3864 wrote to memory of 1584	3864	cmd.exe	svchost.exe
PID 3864 wrote to memory of 1584	3864	cmd.exe	svchost.exe
PID 3864 wrote to memory of 1584	3864	cmd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
"C:\Users\Admin\AppData\Local\Temp\04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
2⤵
- Executes dropped EXE
PID:844

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn svchost /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn svchost /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
6⤵
- Creates scheduled task(s)
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD56.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:416

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOCUME~1\MSDCSC\svchost.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\DOCUME~1\MSDCSC\svchost.exe
C:\Users\Admin\DOCUME~1\MSDCSC\svchost.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE
7⤵
- Executes dropped EXE
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
8dbf1ff260efc8b7da8d1770ac7d22c0

SHA1
63caecab96c4b5361321f09800e6c63efdcc190f

SHA256
e9b49e4ca8a65ead25a4873d1b36b256fddc31015f4a277a7f1625aec3804f88

SHA512
a7b85cc892d3b7990c6489f1b7e653c6ca8a45d0c819ad63785b704cff6938a61703fb07097b22a5bfd3f6369c6ed5cc1131da723d61282b53687aab79c61b48

Download Submit
C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
b38d3dbb9687fc614d22e72e016bf5f0

SHA1
79a7f59d311b3ba8238cbc99ae921bcd9005088f

SHA256
ef0a018061cee0ec72240d670a061c76775a80187ecd4b005e4dcf4aa0aeec14

SHA512
63b9dd78401577343da4942be2b5124495f1be9a685adb40147a41813782b299484c606ad69be624b509429d9bf912fdee4f7d7e2c2bab5d8ddb33aaa89e7c4e

Download Submit
C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
da3c04a3711676a02796b0889d1c9b7d

SHA1
57767fe6cfcb577355a67829b0e7b1e511013d89

SHA256
f3747e60d2d295072426554d2c9eafc9ee90207236f29fa8125b9560b64befa6

SHA512
949cee8054499c177708d52a932908ae8bba72170167f6b5b2344903ef5811f7b6f2253d9bcc9ea480ead4f73bf7d09cc4dc66837d931718d17c6b3a0273aecc

Download Submit
C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
MD5
b70abe9b09e12f85429a9997dc9d05f9

SHA1
929f59a175b053369f5ec29132fd603eda2c7c4e

SHA256
51d9e10c35e667db044f466b9b80dd2eb2a4cff40a2d7a580382dcb634701ac3

SHA512
c508bf968fd8ac85797b03f226d88fc52cf66cd7850807e6fe16af754695b0be120b9a8187f128ca1ecefe5dfaa407cf97644d5619e8b47277229c0cc5a36792

Download Submit
C:\DOCUME~1\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
MD5
ccd720430dd36083b793ef3f6253741b

SHA1
43fa43be3cf9779f81f759f6f1da32e467cb28d3

SHA256
5d57ef01fa223a31a1590586f2b5d7229e9a528c6a4bca46c985c710d455c7b4

SHA512
ce0a92340ce24a6a340ac72e997c73b3fe0041848807ae46398ad83612c0cc146ee54f246982006f103486e8296ce9db20eba81e9102cd0f35be58d5e708faf1

Download Submit
C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Temp\423599~1\zmstage.exe
MD5
5718a2edcc5e713d0d614986bf5053dc

SHA1
cd7f5b9a60570a2bd09072a0b4e72d65488348ab

SHA256
0c76c709ad5a08d5eb86a3568318efc8a7991ea94ffacb97578ce6fdc170a661

SHA512
e4620950bc86d56143f7aa00ccd1b910796a179992226439b515d1c0dda21e6acdc8fdf4fa34b198f5c831794261b9452af127863c341edf692448ada6c4545d

Download Submit
C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\OneDrive\OneDrive.exe
MD5
c5e4dd62f418325ff8b0dd09546503a3

SHA1
580ee472837720100354481b5e9d7ac15a1953a2

SHA256
d941d4e00290d09a0d61b1ec863270391b831b196aff33113fbff02ca6adfecb

SHA512
ae690ad07c4f0b9b5e436d80925af95d12ce6ce272bdda6ade0a4f4567576e422c54ce0c86b24b00b5595cf0781f4710b6b45be62224b852b6d6183146ca2bc3

Download Submit
C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE
MD5
b36a67f99444ecb0b8b5bcc4ab33c5f4

SHA1
0051f36ad41bcef1ced60390b4fef885fdcf3c25

SHA256
e87ae77d07251ebbf166a63790bc664f0163cf45d4c5aa073e10895c7ee9a240

SHA512
0901b73ae2302416a3f3b4f3997c5ac5951a1b4c4680d18b05ecbdf0f4a21d1f9f614a09596ba715a4526e1d7cb274d80276299b3319c6174598feb7e518e528

Download Submit
C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE
MD5
b39c0661b4223efa2af3dd01101cd364

SHA1
a23bb212a2e74ed09748a7243b9626c8d3b7b733

SHA256
9e03b1f1528e39447706acd016baf69f6d3d4ad535d3d9b43171779ed0a03272

SHA512
394e1284c9a9d2213cd51dfc09ce99c53df38e60e6b05f3df086c73d9bf9a7153ea486cbd0cd6821a2842235745326ec0dc5941966c820445aba3053139f71fc

Download Submit
C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\OneDrive\ONEDRI~1.EXE
MD5
e5a2400e51bb558c8f40990344d0991b

SHA1
46842629b9131a9679799d0f304500950d577fe2

SHA256
80627b24637d984003ad2572c3af36ffc6aaad8faa7ddea82c8a3a1e37d95675

SHA512
2761b3c02b644454aa59e184046fab6848df15ad5281b52941df9aefdc00a5c9d06d4e6db2780bbe054996a945d338ed7c7819ab7534dc980aeac8e443674e46

Download Submit
C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Temp\04C164~1.EXE
MD5
67c515a7f181fe4726f22312cc3cc804

SHA1
a727ba87a8571b5ffecf4ecdc08c8926e6562ab5

SHA256
41d87ee547228320fa719a792cd0370a8c9805e81d5afda39412c6c23efa9e3a

SHA512
8a8914381c7173b7fe079f5d52df7aaf7a2d6476d1894ffb41b966fa4eac396bb261018052f537b76de7534d180be5f3f27bd3c11123380d4d0c3769fb23c40f

Download Submit
C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Temp\3582-490\SVCHOST.EXE
MD5
ce8e5e20faffa3f97563dc1e3dcc6a9f

SHA1
8aede7675ff8f2327444508f422ff36b880010bd

SHA256
532ba2016715098393504e4439193ba82d715e61972e80707497f0a2164edb05

SHA512
287836b0c7a962e84de0c51ce384709f590cf4695a7bc86808cff3d3e304cd87db0d91391696ab8533294680dbaf2717c02c8783548c872c87045c4f380b4f7f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
MD5
d2e44d63e3b4a7cf89e3f56d25e40302

SHA1
90b9a98a0d242b3c815a542f2377ba3d24b31442

SHA256
66f42b31f8718738535dd67363bbd80e644e0d88f06a52ed0b253e1b2bd9e794

SHA512
6e7deaf165ce9a589544fc73f71953f1819915b916b9128aab0ea281bf582cdf8129dedac685b625f71c5cbea5a573eacdc8654923ff7301a478a0550cbf4b82

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
MD5
855290cbd8447baf99e548c0a63e2e12

SHA1
cd483e39abefe13cedf952b5c2b5e86b421c43f8

SHA256
798928380cdca1bb76a6e99a9401acfd9e112422940b189b581da7e568dd5006

SHA512
c3600e79d66e6f353a6e13562d6e8bc5a1a6a8d9a44c48390ad41fb38b08048c84323e72b0fb77c1fb96a5a949ba1140dba941fd63b5889d75ff19ce21045416

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
MD5
9fcb9e544bafb9f4e1985a6ba8655b06

SHA1
799e70867d92aa235062dec5ad441d5f386017b2

SHA256
5d9a886a092843fc50143ad567635496dc1057463a5d527c228334cde83e6e74

SHA512
a51786f373b3fda1d7e4b0e8413a758deeb19371e5fcf3b1bbe5e65b9598989d3f67ff0d7fb80c5336893480231b574d42a137041ff12485441b80c0c804cd46

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
MD5
a74c17616449f8ce7039c60f01b8b0db

SHA1
e19158c0bfcd13e411ad853caf07dbe9af0a7f02

SHA256
7e35f178ca0bcfdc588ec787fcd68ab394d7d5c6158397a5b187bcafd67dfa62

SHA512
b21d33953087684368b2c5266975d93dde1a0d5c1e2f9933a8146b3ddca8c28bfc0c9447cbc9d9f7f1ef8a564ba1a47d1beb23fc662b83366376276bd12188f3

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
MD5
cdf58a3e027bde8e16e642a00866017b

SHA1
78a6274f17ab43c74f1b82a2ddf3986f0c7e3761

SHA256
585f2ddfae7f8a8be57b1fe951ec4af9c76e208dfc8156f15181ecc9dd85b142

SHA512
fec1af433b3caab29420f44c83b7be6808229e531983d1ec54cf9f668392e1c1f9399a151b1df4e0139abc0ad1139908db1a31d7cdda1d9528332e79ca125ce6

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
MD5
6eef3acf257f9258a30b93b953e5b39e

SHA1
38f4cdaf388ee9502ddf7b77906e8e3162d3539a

SHA256
8843fda2b8f949e54caacd445dacb54625d905ae2590715dd22dec02ee26bd03

SHA512
2f08b043cb3613be53130cc177ae96eedc6002066194b7e13716705b90bd86c84bff02b50aed86ab68d7ae9983a594479c45322b5676091c90566d0ce9bcb4ef

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
MD5
02b648da1ab9525cfd54b58664e69feb

SHA1
f65546647eb56295f222026c9e9053eb58de4b20

SHA256
9fb7a3a026da9d8ae1ef6bcf3b3339903d9b8b517f852ba916322cb0f708e080

SHA512
555e2e7dd58e7d933744fe74a0ed8371d5a0ed1449076662841db57a2e13758c570c52c4ce0d93a3b1b050ba53be162223efad10c2311bd54ef8ee97974f7569

Download Submit
C:\PROGRA~2\Google\Temp\GUM18A1.tmp\GOFB2B~1.EXE
MD5
fb3388888c7c1c1a9229a918840987fb

SHA1
582183889d83ef2be203ce9e647ac47310cea911

SHA256
d4784c3525037c7c2b6be02f2e2cd456c33a3a63437b384e321cdc12c1c9e0d8

SHA512
e2696ec4473da77a25be0cd9b969a887811f22b1f2bcf62f4ba880d1e5535307e883eaeaadb95410095606ad12018c44de8ffecbbbaec19cb28ff52b3fbabc6d

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
MD5
332ff69cbe091da713d8ca7d3b1e43d9

SHA1
1691681ff85f7361de5d04aaf3ef34edb6afe70d

SHA256
3dcf9c1512c8fd52bf51f3b9bb9c31c872be1175c92cc3c3c77ce850cf503258

SHA512
45ca50094ac4ea4be3552be8d8e65605e62a35bd84ef660f38e4fb73e0c94a7bc4938f812161066b25b2d17c6912efe08e59e123bf64944199ba13c61da467f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SVCHOST.EXE.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE
MD5
95f69fe43718d6b72d899d2244e900d7

SHA1
b0a133a5dd0df62866134fb2b7572b10c82087ba

SHA256
78ce771c86069a93fd76c1e3fa924f2091cecc92775dd7bf0a96bde0b53ed860

SHA512
563509679b88c98fd5e25347ea19b775a391bf31035fe82cb0bc2eceeb1b1b4b6968808908095a5c82564ebfa1e6bbdf4954e85a9d62366a60c53c9d8c4f2b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE
MD5
95f69fe43718d6b72d899d2244e900d7

SHA1
b0a133a5dd0df62866134fb2b7572b10c82087ba

SHA256
78ce771c86069a93fd76c1e3fa924f2091cecc92775dd7bf0a96bde0b53ed860

SHA512
563509679b88c98fd5e25347ea19b775a391bf31035fe82cb0bc2eceeb1b1b4b6968808908095a5c82564ebfa1e6bbdf4954e85a9d62366a60c53c9d8c4f2b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\SVCHOST.EXE
MD5
95f69fe43718d6b72d899d2244e900d7

SHA1
b0a133a5dd0df62866134fb2b7572b10c82087ba

SHA256
78ce771c86069a93fd76c1e3fa924f2091cecc92775dd7bf0a96bde0b53ed860

SHA512
563509679b88c98fd5e25347ea19b775a391bf31035fe82cb0bc2eceeb1b1b4b6968808908095a5c82564ebfa1e6bbdf4954e85a9d62366a60c53c9d8c4f2b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
d1d6425ccba33570499fb0d3d9aa1f6e

SHA1
a6853192836c6f7c3bca0d04a1f8b8e11f568995

SHA256
3bbbd396ae02ea971a90f47f466a8c544fc279a78db6bc9ae2c500d76678ee76

SHA512
4a39f10380a85eb72e669e91172bef53df2b737f7c33f53712b6f5d6b187eb681b1211333fee5bb34b6ccccefd812e4b9839dff2cfea9eb7e7d0561047425947

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
d1d6425ccba33570499fb0d3d9aa1f6e

SHA1
a6853192836c6f7c3bca0d04a1f8b8e11f568995

SHA256
3bbbd396ae02ea971a90f47f466a8c544fc279a78db6bc9ae2c500d76678ee76

SHA512
4a39f10380a85eb72e669e91172bef53df2b737f7c33f53712b6f5d6b187eb681b1211333fee5bb34b6ccccefd812e4b9839dff2cfea9eb7e7d0561047425947

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
d1d6425ccba33570499fb0d3d9aa1f6e

SHA1
a6853192836c6f7c3bca0d04a1f8b8e11f568995

SHA256
3bbbd396ae02ea971a90f47f466a8c544fc279a78db6bc9ae2c500d76678ee76

SHA512
4a39f10380a85eb72e669e91172bef53df2b737f7c33f53712b6f5d6b187eb681b1211333fee5bb34b6ccccefd812e4b9839dff2cfea9eb7e7d0561047425947

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
MD5
ce8e5e20faffa3f97563dc1e3dcc6a9f

SHA1
8aede7675ff8f2327444508f422ff36b880010bd

SHA256
532ba2016715098393504e4439193ba82d715e61972e80707497f0a2164edb05

SHA512
287836b0c7a962e84de0c51ce384709f590cf4695a7bc86808cff3d3e304cd87db0d91391696ab8533294680dbaf2717c02c8783548c872c87045c4f380b4f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
MD5
ce8e5e20faffa3f97563dc1e3dcc6a9f

SHA1
8aede7675ff8f2327444508f422ff36b880010bd

SHA256
532ba2016715098393504e4439193ba82d715e61972e80707497f0a2164edb05

SHA512
287836b0c7a962e84de0c51ce384709f590cf4695a7bc86808cff3d3e304cd87db0d91391696ab8533294680dbaf2717c02c8783548c872c87045c4f380b4f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
MD5
ce8e5e20faffa3f97563dc1e3dcc6a9f

SHA1
8aede7675ff8f2327444508f422ff36b880010bd

SHA256
532ba2016715098393504e4439193ba82d715e61972e80707497f0a2164edb05

SHA512
287836b0c7a962e84de0c51ce384709f590cf4695a7bc86808cff3d3e304cd87db0d91391696ab8533294680dbaf2717c02c8783548c872c87045c4f380b4f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
beefa67ed8e26434577612f4219ac6ae

SHA1
2a30ef1a0a596165cac1a60780d28c440379ce4f

SHA256
abdbeedbf19937d0ed18bc53aa84a36bbdad42ee7d883204a37315373a8101d4

SHA512
81660e3987309b0bcab6beefb0c9d5c46dff5d5eaa1674f405744abfe8ef53ea9afc8526ef86d746ecd81c3d0f20a15664eab3f562b4e8b2115827e680943319

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD56.tmp.bat
MD5
1408fefe8d4010a4e1b831a000a87bcb

SHA1
bdf3161806d60c64b1dcba42bf26d9bc045b19d4

SHA256
80727ca536d532cc2ac03d9a79a5c36268c29c506055ecff5fa9f4a240999522

SHA512
0ad4764b2f4d1f57b80025605b79642e7da1a5fe30c9e369e9f2c6c0473f2ac6859549776393dab265c2a5822e0c062adf7aa763b6d719700c6fb62646ed533f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
95f69fe43718d6b72d899d2244e900d7

SHA1
b0a133a5dd0df62866134fb2b7572b10c82087ba

SHA256
78ce771c86069a93fd76c1e3fa924f2091cecc92775dd7bf0a96bde0b53ed860

SHA512
563509679b88c98fd5e25347ea19b775a391bf31035fe82cb0bc2eceeb1b1b4b6968808908095a5c82564ebfa1e6bbdf4954e85a9d62366a60c53c9d8c4f2b18

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
95f69fe43718d6b72d899d2244e900d7

SHA1
b0a133a5dd0df62866134fb2b7572b10c82087ba

SHA256
78ce771c86069a93fd76c1e3fa924f2091cecc92775dd7bf0a96bde0b53ed860

SHA512
563509679b88c98fd5e25347ea19b775a391bf31035fe82cb0bc2eceeb1b1b4b6968808908095a5c82564ebfa1e6bbdf4954e85a9d62366a60c53c9d8c4f2b18

Download Submit
C:\Users\Admin\DOCUME~1\MSDCSC\svchost.exe
MD5
2f087c02e5a65fc3a150ba96ddde8a0f

SHA1
d8b02d1cd0d582b93866ea2e2da10cb148828566

SHA256
04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f

SHA512
86b078abb4270864802f0056c5657c82c2f375472d821fd888aa0252c10e270cba8beb5bc5063236d7c1192ccf573d7df7dec83ddf753638e96aa6d06f5c0edd

Download Submit
C:\Users\Admin\DOCUME~1\MSDCSC\svchost.exe
MD5
2f087c02e5a65fc3a150ba96ddde8a0f

SHA1
d8b02d1cd0d582b93866ea2e2da10cb148828566

SHA256
04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f

SHA512
86b078abb4270864802f0056c5657c82c2f375472d821fd888aa0252c10e270cba8beb5bc5063236d7c1192ccf573d7df7dec83ddf753638e96aa6d06f5c0edd

Download Submit
C:\Windows\directx.sys
MD5
de5a4102350b68cbc5c00a123f46db84

SHA1
4bfde242fdbfc7b136fb371dcf9bfe25fa7d7f9a

SHA256
8c4afb25c8e2f27fb8ec56be5affb786d9f2dbe4a58bf21792247bf826fc1fdd

SHA512
e36b2037d62742c998f62cb636e6c3d3deeb68b06103580dce78ffe46e7799c35315136ffd20870c53e212cb57935960a9f9788b083a06db2c60e2056d0f5c1a

Download Submit
C:\Windows\directx.sys
MD5
6c082757c46ed2e2447e3bb5b999753d

SHA1
d0a89714a0f62c7dde2c2ad66664d174523ce579

SHA256
af5a6bf0a833a475a8d659868cc569fcd785113525d5b7b726bf8d622fb834a8

SHA512
ad122c248e2bb28b010096f34e2e7566a81325e4dfeb509822a2aade6c5f3b51f666b8019dd081b7196d1029d0a2da4e991fcb0edc176fbe11787636e89f2b66

Download Submit
C:\Windows\directx.sys
MD5
ff435c88dfa119047e808f0151bf4f31

SHA1
f06c5901c9c0892708fcd6d6180647e3da6bf345

SHA256
fadb8b37dc01596d28dbe3074b0294bbc999dc6ea5bf869fd80bb8c21f6a690d

SHA512
55b1b1b207c2c27690bc2a06923b47b70178aecd39f797a311c8be6112ce034db9e32b220fb050a9681b32245982e3c95d3d549805aa69487cf668060eaeb561

Download Submit
C:\Windows\directx.sys
MD5
ff435c88dfa119047e808f0151bf4f31

SHA1
f06c5901c9c0892708fcd6d6180647e3da6bf345

SHA256
fadb8b37dc01596d28dbe3074b0294bbc999dc6ea5bf869fd80bb8c21f6a690d

SHA512
55b1b1b207c2c27690bc2a06923b47b70178aecd39f797a311c8be6112ce034db9e32b220fb050a9681b32245982e3c95d3d549805aa69487cf668060eaeb561

Download Submit
C:\Windows\directx.sys
MD5
8a8dde9f94492101895af2f488274565

SHA1
eee9d2cfda04279859ebf0dfcb5c81ffa95ae2e8

SHA256
6102a4466a69972788f60ac0b587e06acc036fc38d3a3450192ab94259707b05

SHA512
f43d9698a2ba7c850701ddb86ce7c160bf4f17de0b2bf8f3ba16a8a0b720962eab021dcb10b5d5307714acc73cf715475f1a890bd125041524f3cdcd4243dd75

Download Submit
C:\Windows\svchost.com
MD5
abffad0bc4a23c2e714664e883da1f42

SHA1
dc454761cccb1c2665761a84bd865e4dd508dfb6

SHA256
346811bcc435020a4dbe3857a683049ed59267584e30cafb5d540ae5dd5c1c96

SHA512
ed6683647f12d80cfaf216e38cf19f8698ee8fb0cd96f04c636a57a3343aa42257ce7901a3933a456f2922a0a40c51823c37facf4b4ea5afd44ef8aa4769dfb7

Download Submit
C:\Windows\svchost.com
MD5
abffad0bc4a23c2e714664e883da1f42

SHA1
dc454761cccb1c2665761a84bd865e4dd508dfb6

SHA256
346811bcc435020a4dbe3857a683049ed59267584e30cafb5d540ae5dd5c1c96

SHA512
ed6683647f12d80cfaf216e38cf19f8698ee8fb0cd96f04c636a57a3343aa42257ce7901a3933a456f2922a0a40c51823c37facf4b4ea5afd44ef8aa4769dfb7

Download Submit
C:\Windows\svchost.com
MD5
abffad0bc4a23c2e714664e883da1f42

SHA1
dc454761cccb1c2665761a84bd865e4dd508dfb6

SHA256
346811bcc435020a4dbe3857a683049ed59267584e30cafb5d540ae5dd5c1c96

SHA512
ed6683647f12d80cfaf216e38cf19f8698ee8fb0cd96f04c636a57a3343aa42257ce7901a3933a456f2922a0a40c51823c37facf4b4ea5afd44ef8aa4769dfb7

Download Submit
C:\Windows\svchost.com
MD5
abffad0bc4a23c2e714664e883da1f42

SHA1
dc454761cccb1c2665761a84bd865e4dd508dfb6

SHA256
346811bcc435020a4dbe3857a683049ed59267584e30cafb5d540ae5dd5c1c96

SHA512
ed6683647f12d80cfaf216e38cf19f8698ee8fb0cd96f04c636a57a3343aa42257ce7901a3933a456f2922a0a40c51823c37facf4b4ea5afd44ef8aa4769dfb7

Download Submit
C:\Windows\svchost.com
MD5
abffad0bc4a23c2e714664e883da1f42

SHA1
dc454761cccb1c2665761a84bd865e4dd508dfb6

SHA256
346811bcc435020a4dbe3857a683049ed59267584e30cafb5d540ae5dd5c1c96

SHA512
ed6683647f12d80cfaf216e38cf19f8698ee8fb0cd96f04c636a57a3343aa42257ce7901a3933a456f2922a0a40c51823c37facf4b4ea5afd44ef8aa4769dfb7

Download Submit
C:\Windows\svchost.com
MD5
abffad0bc4a23c2e714664e883da1f42

SHA1
dc454761cccb1c2665761a84bd865e4dd508dfb6

SHA256
346811bcc435020a4dbe3857a683049ed59267584e30cafb5d540ae5dd5c1c96

SHA512
ed6683647f12d80cfaf216e38cf19f8698ee8fb0cd96f04c636a57a3343aa42257ce7901a3933a456f2922a0a40c51823c37facf4b4ea5afd44ef8aa4769dfb7

Download Submit
C:\odt\OFFICE~1.EXE
MD5
3583a1dca8a996859a0f2c31fe688e78

SHA1
15e72e57b5843de75630529a0d8fc32d00b0a2e4

SHA256
c2cf6e5073cc78ca94730069c5deaebccd908d0366c46bdc14a7d1a0406929b6

SHA512
62bbb584618b005042170b12b3b37addf54036b6bed6be31f1369c8b4a05464abdd8380c5c4391287495041c4989a479b5f3e6322c4cda60b465ba9c938fa232

Download Submit
memory/416-171-0x0000000000000000-mapping.dmp

Download
memory/644-114-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/796-162-0x0000000000000000-mapping.dmp

Download
memory/844-115-0x0000000000000000-mapping.dmp

Download
memory/844-124-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download
memory/1156-118-0x0000000000000000-mapping.dmp

Download
memory/1364-161-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/1364-121-0x0000000000000000-mapping.dmp

Download
memory/1364-159-0x0000000005B01000-0x0000000005B02000-memory.dmp

Filesize
4KB

Download
memory/1364-125-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1584-183-0x0000000005001000-0x0000000005002000-memory.dmp

Filesize
4KB

Download
memory/1584-177-0x0000000000000000-mapping.dmp

Download
memory/1764-127-0x0000000000000000-mapping.dmp

Download
memory/1876-131-0x0000000000000000-mapping.dmp

Download
memory/1876-138-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2000-153-0x0000000000000000-mapping.dmp

Download
memory/2000-160-0x0000000005B01000-0x0000000005B02000-memory.dmp

Filesize
4KB

Download
memory/2300-134-0x0000000000000000-mapping.dmp

Download
memory/2468-137-0x0000000000000000-mapping.dmp

Download
memory/2468-158-0x0000000001060000-0x0000000001062000-memory.dmp

Filesize
8KB

Download
memory/2508-140-0x0000000000000000-mapping.dmp

Download
memory/2912-144-0x0000000000000000-mapping.dmp

Download
memory/3108-165-0x0000000000000000-mapping.dmp

Download
memory/3864-166-0x0000000000000000-mapping.dmp

Download
memory/4020-170-0x0000000000000000-mapping.dmp

Download
memory/4080-149-0x0000000000000000-mapping.dmp

Download