azorult | 63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203

Analysis

max time kernel
144s
max time network
147s
platform
windows10_x64
resource
win10-en-20210920
submitted
05-10-2021 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d907de96adcb7c400834d974754ece57.exe
Size

2.1MB
MD5

d907de96adcb7c400834d974754ece57
SHA1

89cf58eb2fb76d42a1283c8068ac36adcc9d66c9
SHA256

63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203
SHA512

02c1fe42f9729539d1181542899399cb779764f178dd0fff005a44e20f50cecd7b3a09e8d36488a192c68f6783973b9b62614e948513dc29df77ca4866b0783e

Score

10^/10

azorult oski raccoon e16d9c3413a8d3bc552d87560e5a14148908608d discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.8.1

Botnet

e16d9c3413a8d3bc552d87560e5a14148908608d

Attributes

url4cnc
https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

milsom.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

Jscxuucrnkfaconsoleapp17.exeWribeBSX0s.exeJscxuucrnkfaconsoleapp17.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exeGGK4W9aXcB.exeWribeBSX0s.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exeaspnet_compiler.exefodhelper.exefodhelper.exe

pid	process
1156	Jscxuucrnkfaconsoleapp17.exe
604	WribeBSX0s.exe
2584	Jscxuucrnkfaconsoleapp17.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
2676	GGK4W9aXcB.exe
688	WribeBSX0s.exe
1260	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
356	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1568	aspnet_compiler.exe
864	fodhelper.exe
3084	fodhelper.exe

Loads dropped DLL 9 IoCs

Processes:

d907de96adcb7c400834d974754ece57.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exe

pid	process
3768	d907de96adcb7c400834d974754ece57.exe
3768	d907de96adcb7c400834d974754ece57.exe
3768	d907de96adcb7c400834d974754ece57.exe
3768	d907de96adcb7c400834d974754ece57.exe
3768	d907de96adcb7c400834d974754ece57.exe
3768	d907de96adcb7c400834d974754ece57.exe
356	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
356	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
356	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GGK4W9aXcB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\""	GGK4W9aXcB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

d907de96adcb7c400834d974754ece57.exeJscxuucrnkfaconsoleapp17.exeWribeBSX0s.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exeGGK4W9aXcB.exefodhelper.exe

description	pid	process	target process
PID 2384 set thread context of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1156 set thread context of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 604 set thread context of 688	604	WribeBSX0s.exe	WribeBSX0s.exe
PID 3564 set thread context of 356	3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 2676 set thread context of 1568	2676	GGK4W9aXcB.exe	aspnet_compiler.exe
PID 864 set thread context of 3084	864	fodhelper.exe	fodhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3644 schtasks.exe
3672 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

520 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1692 taskkill.exe

pid	process
3644	schtasks.exe
3672	schtasks.exe

pid	process
520	timeout.exe

pid	process
1692	taskkill.exe

Modifies registry class 2 IoCs

Processes:

d907de96adcb7c400834d974754ece57.exeJscxuucrnkfaconsoleapp17.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	d907de96adcb7c400834d974754ece57.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	Jscxuucrnkfaconsoleapp17.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3488 reg.exe
2668 reg.exe
3704 reg.exe

pid	process
3488	reg.exe
2668	reg.exe
3704	reg.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

powershell.exepowershell.exed907de96adcb7c400834d974754ece57.exepowershell.exepowershell.exeJscxuucrnkfaconsoleapp17.exepowershell.exepowershell.exepowershell.exepowershell.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exeGGK4W9aXcB.exeaspnet_compiler.exe

pid	process
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
3184	powershell.exe
3184	powershell.exe
3184	powershell.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
2384	d907de96adcb7c400834d974754ece57.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
1468	powershell.exe
1468	powershell.exe
1468	powershell.exe
1156	Jscxuucrnkfaconsoleapp17.exe
1156	Jscxuucrnkfaconsoleapp17.exe
1156	Jscxuucrnkfaconsoleapp17.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3748	powershell.exe
3748	powershell.exe
3748	powershell.exe
1248	powershell.exe
1248	powershell.exe
1248	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
2676	GGK4W9aXcB.exe
2676	GGK4W9aXcB.exe
2676	GGK4W9aXcB.exe
1568	aspnet_compiler.exe
1568	aspnet_compiler.exe
1568	aspnet_compiler.exe
1568	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	2384	d907de96adcb7c400834d974754ece57.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1156	Jscxuucrnkfaconsoleapp17.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	2676	GGK4W9aXcB.exe
Token: SeDebugPrivilege	1568	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d907de96adcb7c400834d974754ece57.exeWScript.exeJscxuucrnkfaconsoleapp17.exed907de96adcb7c400834d974754ece57.exeWScript.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.execmd.exe

description	pid	process	target process
PID 2384 wrote to memory of 2676	2384	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 2384 wrote to memory of 2676	2384	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 2384 wrote to memory of 2676	2384	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 2384 wrote to memory of 3184	2384	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 2384 wrote to memory of 3184	2384	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 2384 wrote to memory of 3184	2384	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 2384 wrote to memory of 3280	2384	d907de96adcb7c400834d974754ece57.exe	WScript.exe
PID 2384 wrote to memory of 3280	2384	d907de96adcb7c400834d974754ece57.exe	WScript.exe
PID 2384 wrote to memory of 3280	2384	d907de96adcb7c400834d974754ece57.exe	WScript.exe
PID 2384 wrote to memory of 3340	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3340	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3340	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 356	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 356	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 356	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 1640	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 1640	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 1640	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 2384 wrote to memory of 3768	2384	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 3280 wrote to memory of 1156	3280	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 3280 wrote to memory of 1156	3280	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 3280 wrote to memory of 1156	3280	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 1788	1156	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1156 wrote to memory of 1788	1156	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1156 wrote to memory of 1788	1156	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1156 wrote to memory of 1468	1156	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1156 wrote to memory of 1468	1156	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1156 wrote to memory of 1468	1156	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 3768 wrote to memory of 604	3768	d907de96adcb7c400834d974754ece57.exe	WribeBSX0s.exe
PID 3768 wrote to memory of 604	3768	d907de96adcb7c400834d974754ece57.exe	WribeBSX0s.exe
PID 3768 wrote to memory of 604	3768	d907de96adcb7c400834d974754ece57.exe	WribeBSX0s.exe
PID 1156 wrote to memory of 2744	1156	Jscxuucrnkfaconsoleapp17.exe	WScript.exe
PID 1156 wrote to memory of 2744	1156	Jscxuucrnkfaconsoleapp17.exe	WScript.exe
PID 1156 wrote to memory of 2744	1156	Jscxuucrnkfaconsoleapp17.exe	WScript.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1156 wrote to memory of 2584	1156	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 2744 wrote to memory of 3564	2744	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 2744 wrote to memory of 3564	2744	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 2744 wrote to memory of 3564	2744	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 3564 wrote to memory of 3772	3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	powershell.exe
PID 3564 wrote to memory of 3772	3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	powershell.exe
PID 3564 wrote to memory of 3772	3564	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	powershell.exe
PID 3768 wrote to memory of 2676	3768	d907de96adcb7c400834d974754ece57.exe	GGK4W9aXcB.exe
PID 3768 wrote to memory of 2676	3768	d907de96adcb7c400834d974754ece57.exe	GGK4W9aXcB.exe
PID 3768 wrote to memory of 2748	3768	d907de96adcb7c400834d974754ece57.exe	cmd.exe
PID 3768 wrote to memory of 2748	3768	d907de96adcb7c400834d974754ece57.exe	cmd.exe
PID 3768 wrote to memory of 2748	3768	d907de96adcb7c400834d974754ece57.exe	cmd.exe
PID 2748 wrote to memory of 520	2748	cmd.exe	timeout.exe
PID 2748 wrote to memory of 520	2748	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
"C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Yfqxiynzbvwsbkccphx.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
"C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cwlbjrmtqffwwhsmok.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
"C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
6⤵
- Executes dropped EXE
PID:1260

C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 356 & erase C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe & RD /S /Q C:\\ProgramData\\909953782322121\\* & exit
7⤵
PID:3868

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 356
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
4⤵
- Executes dropped EXE
PID:2584

C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
2⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
2⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
2⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\WribeBSX0s.exe
"C:\Users\Admin\AppData\Local\Temp\WribeBSX0s.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:604

C:\Users\Admin\AppData\Local\Temp\WribeBSX0s.exe
C:\Users\Admin\AppData\Local\Temp\WribeBSX0s.exe
4⤵
- Executes dropped EXE
PID:688

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
5⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "
4⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
5⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
6⤵
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
6⤵
- Modifies registry key
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
6⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "
4⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:3704

C:\Users\Admin\AppData\Local\Temp\GGK4W9aXcB.exe
"C:\Users\Admin\AppData\Local\Temp\GGK4W9aXcB.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:520

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:864

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
PID:3084

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
68ed33a33777722790ece359cc9156de

SHA1
b17415b035ae8ed0381bc13ac029fe540902d55d

SHA256
d32116cbe3e5e0c92fbacebd2ef313f53be10467ab472b3a7abe2a39bb8170f1

SHA512
7442fb67b170dc3007b10eb25295c8ea0c0936b55e31009993a66e550fd7935be4d21882d11c2424ca380cfd9beec2a78fe556c6018d27e0560d628308758314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
142d102adce559630ddece84e7ece5da

SHA1
50937135443c8ae08e6e706261f0b1297fb81904

SHA256
c44090fb5a6853468d535667d1931a5e97bbc0b143ce97f5732804e5be07d44f

SHA512
201efeedc99b59bb6b5fd0154997b30fc5110d33d90f50d2e442e184482515fc310bce2d2434308c89370235e0e1d6d21f8b99140aa4a6dd1db832c174e559bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\Vxkzvyenhhdutpegiomnlymgtxfnofq[1]
MD5
a0caa4c99a726b750c79f082b5441e8e

SHA1
4fd12491bf2eee5fb78e02096bce15c631296caf

SHA256
59933fd4b6ed3ccdcb8a89b1aa2beffe4c5fc9f63466eca956f60d2112eb29af

SHA512
af542c31f9a4003a0f92880972be0fa72c2cd67e5303a15df0d295be58f330fbe4e23a7583ded4e08d22de5df4846397aa741ed6cfb1609bdfdd241aba540053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
70ea6b3e1b06db22184ed2430a743e7d

SHA1
58d1c8bcad2f85d444bdeb0f5bee1bc479195289

SHA256
8a626eae3d88817b051164390c92928fca90cbd1a912188b5e28abee0b688416

SHA512
e1c72372a777a23562f3b663a42a319dbdc8598b0f6cadc2b2adf179d621613e7d90f58551c62a3030f605bf714bb32007a310a95a8a72a0c3aa98131a980265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5afa0b98c30ae69053f68b929e9338a6

SHA1
88587ceed1e50c018e4f79209c281fa78d0dd5b8

SHA256
5caf57e696a7193c38fe86df190204ea702df8ff1d0a125efc3f2ad7eaa6885d

SHA512
9b07a96ba08a8ae7eae262a46cf3ac18a09eeef45fb43e5c6dfbd634b24c2d795f5bc3c70104115cdc3ee652076a925fb2673972f148a6fee831332a8f80d34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ae0e8d37fa7ffc2a4597308d66c734d

SHA1
d4bfeaedf1529ee746ad7a7ae1b921f45a9d83d6

SHA256
c07507eb226d46a37ff39ea40e38a42d64475d0f7c956315f292f9cac65c81a9

SHA512
d271db0b9520146fc50c45a63738d7a1fb8d0945647b8b3056f806b7ad252790ef2608dfa25f425fe5e9230f53cb9ab90f2908c419a9ef5b808dc3497a2553c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e3f0adcf03d8380d0b57c1be5c68400a

SHA1
c3638d16bb1e6cb7a3d890e987989de5853ab149

SHA256
1d503b983debd52000bef763a3b8fc46cbef64ba965c92b656df6df4d54d6855

SHA512
c5c3abae2bb4e644ab4cfe41177101c8ce29ec2091289f86277aa8eff13bfc2e59952fe939490002a86ef8c25e46c34b7de3f75ab443c0352fd9f7b280e08d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3692dd4c7b03e59bb131aca6cd7a47c0

SHA1
564572adca129716f55f42722f2f72a863736519

SHA256
5695e5aad11211b572fd150aa98d5c80f415bddbe99a4bc87f90db1f69e3090a

SHA512
8465514fb40e3f3918ff0df2d40a0751180f46c68b5343a43a02ae4db51c90e5871f58e4975c7dda0aa7a85eb3e6d61ecde91e157074eb79dea86f5d65eea8d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
230f46b2540fecd6f2047fd5dc7d55ae

SHA1
d2a61b6288ac3e471b03c01f971d9dcbd6daa9c4

SHA256
b2b6b6a5e742712d84a7d649c14f024364848d489d9b32ee7120cdfe833c2995

SHA512
de9969ccce26fc58410e8de2a6d1e286a289f8d9440042f57afd82cf48f462b43afa2aff54309811bdebd65204bd024e013656539ba18c815617c567635bd2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e702b0d8a3f7e49c4ef4c48fa089d315

SHA1
4075995068989c83639f5ab3ffbb4a865d4483ec

SHA256
2183596757210a81693f43a3a449673c30f85d37f9c9e3f7a2de03f86b6c3665

SHA512
f495dfebaaafaa876f1233faa7d5c661dc82832c547dc01d56e173b23581e29650da26c2e9a3a10d55a90ec489166e54e0eaf43a7c27b89dd8fdbba8dc2b8b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwlbjrmtqffwwhsmok.vbs
MD5
d607d837434d8a735db349c03e974fe8

SHA1
2a2150c2dc9f8daf480f4bd31990f5422cca5183

SHA256
5aba0566e48f9408c1d5f27997ed6e6cdefa33cc41f9254d8c9a4ec20b8ab056

SHA512
76bdc153ed888ab8806c0398dc6baa0f6b48cc90abbb1afea3a33cf6a606b84ddbe2cea7bc08e86b6ec2b2e96c9a75832f47172ab36161dff886d12378794d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGK4W9aXcB.exe
MD5
301162a7d36267688351ae32ce6326bc

SHA1
056645937b938d0845d03ffcd5890a13b58772bc

SHA256
906c931107ffb66c345dae2afa253b71ff21ae420348cc44f36de0bbe3921386

SHA512
54edb5ae082ace3d2d0bff67f9f2c3e6a067f665cf876d9d51e16d7ba0e3d120be9eb0e0fc626784cad6c833334072dc8b920a4688c0dc764faece11d7e67d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGK4W9aXcB.exe
MD5
301162a7d36267688351ae32ce6326bc

SHA1
056645937b938d0845d03ffcd5890a13b58772bc

SHA256
906c931107ffb66c345dae2afa253b71ff21ae420348cc44f36de0bbe3921386

SHA512
54edb5ae082ace3d2d0bff67f9f2c3e6a067f665cf876d9d51e16d7ba0e3d120be9eb0e0fc626784cad6c833334072dc8b920a4688c0dc764faece11d7e67d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WribeBSX0s.exe
MD5
9b2881f035d44765d0d5e27c542a1c62

SHA1
27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc

SHA256
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

SHA512
993e7be95f61bb37236c3ce6c9fbbad3e1c6438dd4185e5cd59648daf27e0f4967a33eed47b6fb645476b1ec55093e8301144d9c7e9f1702c1e7b5d52eada1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WribeBSX0s.exe
MD5
9b2881f035d44765d0d5e27c542a1c62

SHA1
27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc

SHA256
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

SHA512
993e7be95f61bb37236c3ce6c9fbbad3e1c6438dd4185e5cd59648daf27e0f4967a33eed47b6fb645476b1ec55093e8301144d9c7e9f1702c1e7b5d52eada1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WribeBSX0s.exe
MD5
9b2881f035d44765d0d5e27c542a1c62

SHA1
27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc

SHA256
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

SHA512
993e7be95f61bb37236c3ce6c9fbbad3e1c6438dd4185e5cd59648daf27e0f4967a33eed47b6fb645476b1ec55093e8301144d9c7e9f1702c1e7b5d52eada1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yfqxiynzbvwsbkccphx.vbs
MD5
5cf439cacfb9b463e1934e96e627d9c3

SHA1
82c194d1a7536ebbcd51bececc513b12d0a7b46f

SHA256
66d47ac86775468e2e4cb7b02025067660338ddaeb13cead03a21d68aec102e5

SHA512
fa7a1aa8cb40a802ebf7b0807d9b28423a64cbf9528df91d545857606eee2d34dc6fbeb55f6131a5cbeca9013c4602b91327859d1c67b8eb6bcec603b47d5333

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
843969865a92a4e82c26a2fa75ca4026

SHA1
c1046b49bc93cb3b37cebe1388d0b72bb66ab2e7

SHA256
3bd221cdc9867ee90ba3633f2266f298b4cb4fac98c70a0f208ce4afb6748637

SHA512
b9b30b9a69b5c7d536fe5d3c7d4615b2d9eec8410d20727c1ad17ba36c2876cb9ddbfe77353101fd80d92653724a176cd7f20c85cfaf69c6b74e95cf7de7440a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
843969865a92a4e82c26a2fa75ca4026

SHA1
c1046b49bc93cb3b37cebe1388d0b72bb66ab2e7

SHA256
3bd221cdc9867ee90ba3633f2266f298b4cb4fac98c70a0f208ce4afb6748637

SHA512
b9b30b9a69b5c7d536fe5d3c7d4615b2d9eec8410d20727c1ad17ba36c2876cb9ddbfe77353101fd80d92653724a176cd7f20c85cfaf69c6b74e95cf7de7440a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
9b2881f035d44765d0d5e27c542a1c62

SHA1
27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc

SHA256
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

SHA512
993e7be95f61bb37236c3ce6c9fbbad3e1c6438dd4185e5cd59648daf27e0f4967a33eed47b6fb645476b1ec55093e8301144d9c7e9f1702c1e7b5d52eada1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
9b2881f035d44765d0d5e27c542a1c62

SHA1
27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc

SHA256
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

SHA512
993e7be95f61bb37236c3ce6c9fbbad3e1c6438dd4185e5cd59648daf27e0f4967a33eed47b6fb645476b1ec55093e8301144d9c7e9f1702c1e7b5d52eada1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
9b2881f035d44765d0d5e27c542a1c62

SHA1
27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc

SHA256
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

SHA512
993e7be95f61bb37236c3ce6c9fbbad3e1c6438dd4185e5cd59648daf27e0f4967a33eed47b6fb645476b1ec55093e8301144d9c7e9f1702c1e7b5d52eada1b2

Download Submit
C:\Users\Public\Trast.bat
MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat
MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat
MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
memory/356-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/356-358-0x0000000000417A8B-mapping.dmp

Download
memory/520-274-0x0000000000000000-mapping.dmp

Download
memory/604-226-0x0000000000000000-mapping.dmp

Download
memory/604-229-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/688-294-0x000000000040202B-mapping.dmp

Download
memory/688-298-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/864-388-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/1156-241-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1156-233-0x0000000004C50000-0x0000000004C6B000-memory.dmp

Filesize
108KB

Download
memory/1156-169-0x0000000000000000-mapping.dmp

Download
memory/1156-171-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1156-231-0x00000000057A0000-0x00000000058D8000-memory.dmp

Filesize
1.2MB

Download
memory/1248-321-0x0000000004612000-0x0000000004613000-memory.dmp

Filesize
4KB

Download
memory/1248-320-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/1248-360-0x0000000004613000-0x0000000004614000-memory.dmp

Filesize
4KB

Download
memory/1248-306-0x0000000000000000-mapping.dmp

Download
memory/1312-296-0x0000000000000000-mapping.dmp

Download
memory/1468-204-0x0000000000000000-mapping.dmp

Download
memory/1468-218-0x00000000049C2000-0x00000000049C3000-memory.dmp

Filesize
4KB

Download
memory/1468-240-0x00000000049C3000-0x00000000049C4000-memory.dmp

Filesize
4KB

Download
memory/1468-217-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1476-350-0x0000000000000000-mapping.dmp

Download
memory/1568-373-0x0000000140000000-mapping.dmp

Download
memory/1568-397-0x000002A5370E2000-0x000002A5370E4000-memory.dmp

Filesize
8KB

Download
memory/1568-381-0x000002A5370E0000-0x000002A5370E2000-memory.dmp

Filesize
8KB

Download
memory/1692-367-0x0000000000000000-mapping.dmp

Download
memory/1788-190-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/1788-216-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/1788-184-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/1788-176-0x0000000000000000-mapping.dmp

Download
memory/1788-187-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/1788-189-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/2164-345-0x000001B548890000-0x000001B548892000-memory.dmp

Filesize
8KB

Download
memory/2164-378-0x000001B548896000-0x000001B548898000-memory.dmp

Filesize
8KB

Download
memory/2164-347-0x000001B548893000-0x000001B548895000-memory.dmp

Filesize
8KB

Download
memory/2164-329-0x0000000000000000-mapping.dmp

Download
memory/2384-174-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2384-162-0x0000000005B40000-0x0000000005D56000-memory.dmp

Filesize
2.1MB

Download
memory/2384-164-0x0000000002950000-0x00000000029A7000-memory.dmp

Filesize
348KB

Download
memory/2384-115-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2584-236-0x000000000041A684-mapping.dmp

Download
memory/2584-235-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-243-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2592-304-0x0000000000000000-mapping.dmp

Download
memory/2656-300-0x0000000000000000-mapping.dmp

Download
memory/2668-303-0x0000000000000000-mapping.dmp

Download
memory/2676-149-0x0000000004503000-0x0000000004504000-memory.dmp

Filesize
4KB

Download
memory/2676-123-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/2676-125-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/2676-120-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/2676-126-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/2676-127-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/2676-117-0x0000000000000000-mapping.dmp

Download
memory/2676-128-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/2676-268-0x0000000000000000-mapping.dmp

Download
memory/2676-379-0x000000001C0D0000-0x000000001C0D2000-memory.dmp

Filesize
8KB

Download
memory/2676-129-0x0000000004502000-0x0000000004503000-memory.dmp

Filesize
4KB

Download
memory/2676-130-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/2676-121-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/2676-135-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/2676-136-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/2676-124-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/2676-122-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/2744-232-0x0000000000000000-mapping.dmp

Download
memory/2748-271-0x0000000000000000-mapping.dmp

Download
memory/3084-394-0x000000000040202B-mapping.dmp

Download
memory/3184-138-0x0000000000000000-mapping.dmp

Download
memory/3184-151-0x00000000067F2000-0x00000000067F3000-memory.dmp

Filesize
4KB

Download
memory/3184-150-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/3184-173-0x00000000067F3000-0x00000000067F4000-memory.dmp

Filesize
4KB

Download
memory/3280-163-0x0000000000000000-mapping.dmp

Download
memory/3488-302-0x0000000000000000-mapping.dmp

Download
memory/3564-361-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3564-239-0x0000000000000000-mapping.dmp

Download
memory/3564-244-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3644-396-0x0000000000000000-mapping.dmp

Download
memory/3672-297-0x0000000000000000-mapping.dmp

Download
memory/3704-352-0x0000000000000000-mapping.dmp

Download
memory/3748-292-0x000001CB5BCA3000-0x000001CB5BCA5000-memory.dmp

Filesize
8KB

Download
memory/3748-275-0x0000000000000000-mapping.dmp

Download
memory/3748-291-0x000001CB5BCA0000-0x000001CB5BCA2000-memory.dmp

Filesize
8KB

Download
memory/3748-343-0x000001CB5BCA6000-0x000001CB5BCA8000-memory.dmp

Filesize
8KB

Download
memory/3768-167-0x00000000004407D8-mapping.dmp

Download
memory/3768-166-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3768-175-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3772-247-0x0000000000000000-mapping.dmp

Download
memory/3772-307-0x0000000004E63000-0x0000000004E64000-memory.dmp

Filesize
4KB

Download
memory/3772-259-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3772-260-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/3868-366-0x0000000000000000-mapping.dmp

Download