nanocore | 56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
Size

4.3MB
MD5

5b2f4e07e883c0b165daaba2127a589f
SHA1

c9edf782418140d7720f58d996dbcaeec965ee50
SHA256

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
SHA512

80be5d187ad54b8396fab7045bc7f15f1eb1434bfa2e30707b4f4b5e59548039f2ee2cc8f6b4f7edde01bfd680306fcd875bf653be8b88c6d67bd6fb26e84010

Score

10^/10

nanocore quasar public evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

109.230.215.181:1604

127.0.0.1:1604

Mutex

7fa6e9c8-20ea-4047-9f02-2251015e4ea4

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-03-10T10:37:21.189476636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
crypt authorized
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7fa6e9c8-20ea-4047-9f02-2251015e4ea4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
109.230.215.181
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

quasar

Version

1.4.0.0

Botnet

public

109.230.215.181:4782

Mutex

wrZ9bZkif6pZsmpibj

Attributes

encryption_key
OAlqwcOC5GAUaDQi56x4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RDPBlox Agent
subdirectory
SubDir

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1912-94-0x0000000000A60000-0x0000000000AAE000-memory.dmp	family_quasar

suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 16 IoCs

Processes:

lolll.exeTsexun.execonfiditial.exeSwiftProtector.execonfiditial.exe swiftprotector.exe RobloxAppLanucher.exerobloxapplanucher.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeClient.exeicsys.icn.exeexplorer.exe

pid	process
1912	lolll.exe
940	Tsexun.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1720	confiditial.exe
900	swiftprotector.exe
1920	RobloxAppLanucher.exe
1536	robloxapplanucher.exe
1736	icsys.icn.exe
1652	explorer.exe
1660	spoolsv.exe
1892	svchost.exe
520	spoolsv.exe
1948	Client.exe
1116	icsys.icn.exe
1744	explorer.exe

Loads dropped DLL 29 IoCs

Processes:

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.execonfiditial.exeSwiftProtector.execonfiditial.exe RobloxAppLanucher.exeWerFault.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeicsys.icn.exe

pid	process
1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1720	confiditial.exe
1720	confiditial.exe
1920	RobloxAppLanucher.exe
1944	WerFault.exe
1944	WerFault.exe
1944	WerFault.exe
1944	WerFault.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1652	explorer.exe
1652	explorer.exe
1660	spoolsv.exe
1660	spoolsv.exe
1892	svchost.exe
1892	svchost.exe
1944	WerFault.exe
1920	RobloxAppLanucher.exe
1116	icsys.icn.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeTsexun.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Monitor = "C:\\Program Files (x86)\\ARP Monitor\\arpmon.exe"	Tsexun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Tsexun.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Tsexun.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tsexun.exe

flow	ioc
2	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

Tsexun.exelolll.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Monitor\arpmon.exe	Tsexun.exe
File opened for modification	C:\Program Files (x86)\ARP Monitor\arpmon.exe	Tsexun.exe
File created	C:\Program Files (x86)\SubDir\Client.exe	lolll.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	lolll.exe

Drops file in Windows directory 7 IoCs

Processes:

confiditial.exeSwiftProtector.exeRobloxAppLanucher.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	confiditial.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SwiftProtector.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	RobloxAppLanucher.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1944 1536 WerFault.exe robloxapplanucher.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

756 schtasks.exe
1728 schtasks.exe
1780 schtasks.exe
1072 schtasks.exe
1916 schtasks.exe

pid	pid_target	process	target process
1944	1536	WerFault.exe	robloxapplanucher.exe

pid	process
756	schtasks.exe
1728	schtasks.exe
1780	schtasks.exe
1072	schtasks.exe
1916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

confiditial.exeSwiftProtector.exeRobloxAppLanucher.exeicsys.icn.exe

pid	process
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1752	confiditial.exe
1752	confiditial.exe
1752	confiditial.exe
1752	confiditial.exe
1752	confiditial.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1692	SwiftProtector.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1736	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

explorer.exesvchost.exeTsexun.exe

pid process

1652 explorer.exe
1892 svchost.exe
940 Tsexun.exe

pid	process
1652	explorer.exe
1892	svchost.exe
940	Tsexun.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

swiftprotector.exe Tsexun.exelolll.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	900	swiftprotector.exe
Token: SeDebugPrivilege	940	Tsexun.exe
Token: SeDebugPrivilege	1912	lolll.exe
Token: SeDebugPrivilege	1948	Client.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

confiditial.exeSwiftProtector.exeRobloxAppLanucher.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeicsys.icn.exeexplorer.exe

pid	process
1752	confiditial.exe
1692	SwiftProtector.exe
1752	confiditial.exe
1692	SwiftProtector.exe
1920	RobloxAppLanucher.exe
1920	RobloxAppLanucher.exe
1736	icsys.icn.exe
1736	icsys.icn.exe
1652	explorer.exe
1652	explorer.exe
1660	spoolsv.exe
1660	spoolsv.exe
1892	svchost.exe
1892	svchost.exe
520	spoolsv.exe
520	spoolsv.exe
1116	icsys.icn.exe
1116	icsys.icn.exe
1744	explorer.exe
1744	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.execonfiditial.exeSwiftProtector.execonfiditial.exe cmd.exeRobloxAppLanucher.exerobloxapplanucher.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1904 wrote to memory of 1912	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	lolll.exe
PID 1904 wrote to memory of 1912	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	lolll.exe
PID 1904 wrote to memory of 1912	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	lolll.exe
PID 1904 wrote to memory of 1912	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	lolll.exe
PID 1904 wrote to memory of 940	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	Tsexun.exe
PID 1904 wrote to memory of 940	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	Tsexun.exe
PID 1904 wrote to memory of 940	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	Tsexun.exe
PID 1904 wrote to memory of 940	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	Tsexun.exe
PID 1904 wrote to memory of 1752	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	confiditial.exe
PID 1904 wrote to memory of 1752	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	confiditial.exe
PID 1904 wrote to memory of 1752	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	confiditial.exe
PID 1904 wrote to memory of 1752	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	confiditial.exe
PID 1904 wrote to memory of 1692	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	SwiftProtector.exe
PID 1904 wrote to memory of 1692	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	SwiftProtector.exe
PID 1904 wrote to memory of 1692	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	SwiftProtector.exe
PID 1904 wrote to memory of 1692	1904	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	SwiftProtector.exe
PID 1752 wrote to memory of 1720	1752	confiditial.exe	confiditial.exe
PID 1752 wrote to memory of 1720	1752	confiditial.exe	confiditial.exe
PID 1752 wrote to memory of 1720	1752	confiditial.exe	confiditial.exe
PID 1752 wrote to memory of 1720	1752	confiditial.exe	confiditial.exe
PID 1692 wrote to memory of 900	1692	SwiftProtector.exe	swiftprotector.exe
PID 1692 wrote to memory of 900	1692	SwiftProtector.exe	swiftprotector.exe
PID 1692 wrote to memory of 900	1692	SwiftProtector.exe	swiftprotector.exe
PID 1692 wrote to memory of 900	1692	SwiftProtector.exe	swiftprotector.exe
PID 1720 wrote to memory of 1824	1720	confiditial.exe	cmd.exe
PID 1720 wrote to memory of 1824	1720	confiditial.exe	cmd.exe
PID 1720 wrote to memory of 1824	1720	confiditial.exe	cmd.exe
PID 1720 wrote to memory of 1824	1720	confiditial.exe	cmd.exe
PID 1824 wrote to memory of 1500	1824	cmd.exe	reg.exe
PID 1824 wrote to memory of 1500	1824	cmd.exe	reg.exe
PID 1824 wrote to memory of 1500	1824	cmd.exe	reg.exe
PID 1824 wrote to memory of 1500	1824	cmd.exe	reg.exe
PID 1720 wrote to memory of 1920	1720	confiditial.exe	RobloxAppLanucher.exe
PID 1720 wrote to memory of 1920	1720	confiditial.exe	RobloxAppLanucher.exe
PID 1720 wrote to memory of 1920	1720	confiditial.exe	RobloxAppLanucher.exe
PID 1720 wrote to memory of 1920	1720	confiditial.exe	RobloxAppLanucher.exe
PID 1920 wrote to memory of 1536	1920	RobloxAppLanucher.exe	robloxapplanucher.exe
PID 1920 wrote to memory of 1536	1920	RobloxAppLanucher.exe	robloxapplanucher.exe
PID 1920 wrote to memory of 1536	1920	RobloxAppLanucher.exe	robloxapplanucher.exe
PID 1920 wrote to memory of 1536	1920	RobloxAppLanucher.exe	robloxapplanucher.exe
PID 1536 wrote to memory of 1944	1536	robloxapplanucher.exe	WerFault.exe
PID 1536 wrote to memory of 1944	1536	robloxapplanucher.exe	WerFault.exe
PID 1536 wrote to memory of 1944	1536	robloxapplanucher.exe	WerFault.exe
PID 1536 wrote to memory of 1944	1536	robloxapplanucher.exe	WerFault.exe
PID 1692 wrote to memory of 1736	1692	SwiftProtector.exe	icsys.icn.exe
PID 1692 wrote to memory of 1736	1692	SwiftProtector.exe	icsys.icn.exe
PID 1692 wrote to memory of 1736	1692	SwiftProtector.exe	icsys.icn.exe
PID 1692 wrote to memory of 1736	1692	SwiftProtector.exe	icsys.icn.exe
PID 1736 wrote to memory of 1652	1736	icsys.icn.exe	explorer.exe
PID 1736 wrote to memory of 1652	1736	icsys.icn.exe	explorer.exe
PID 1736 wrote to memory of 1652	1736	icsys.icn.exe	explorer.exe
PID 1736 wrote to memory of 1652	1736	icsys.icn.exe	explorer.exe
PID 1652 wrote to memory of 1660	1652	explorer.exe	spoolsv.exe
PID 1652 wrote to memory of 1660	1652	explorer.exe	spoolsv.exe
PID 1652 wrote to memory of 1660	1652	explorer.exe	spoolsv.exe
PID 1652 wrote to memory of 1660	1652	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1892	1660	spoolsv.exe	svchost.exe
PID 1660 wrote to memory of 1892	1660	spoolsv.exe	svchost.exe
PID 1660 wrote to memory of 1892	1660	spoolsv.exe	svchost.exe
PID 1660 wrote to memory of 1892	1660	spoolsv.exe	svchost.exe
PID 1892 wrote to memory of 520	1892	svchost.exe	spoolsv.exe
PID 1892 wrote to memory of 520	1892	svchost.exe	spoolsv.exe
PID 1892 wrote to memory of 520	1892	svchost.exe	spoolsv.exe
PID 1892 wrote to memory of 520	1892	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
"C:\Users\Admin\AppData\Local\Temp\56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\lolll.exe
"C:\Users\Admin\AppData\Local\Temp\lolll.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RDPBlox Agent" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\lolll.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1780

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RDPBlox Agent" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1072

C:\Users\Admin\AppData\Local\Temp\Tsexun.exe
"C:\Users\Admin\AppData\Local\Temp\Tsexun.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\AppData\Local\Temp\confiditial.exe
"C:\Users\Admin\AppData\Local\Temp\confiditial.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

\??\c:\users\admin\appdata\local\temp\confiditial.exe
c:\users\admin\appdata\local\temp\confiditial.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe" /f
5⤵
PID:1500

C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe
"C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

\??\c:\users\admin\appdata\roaming\robloxapplanucher.exe
c:\users\admin\appdata\roaming\robloxapplanucher.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 652
6⤵
- Loads dropped DLL
- Program crash
PID:1944

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1116

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Users\Admin\AppData\Local\Temp\SwiftProtector.exe
"C:\Users\Admin\AppData\Local\Temp\SwiftProtector.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

\??\c:\users\admin\appdata\local\temp\swiftprotector.exe
c:\users\admin\appdata\local\temp\swiftprotector.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:04 /f
7⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:05 /f
7⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:06 /f
7⤵
- Creates scheduled task(s)
PID:756

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
5⤵
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SubDir\Client.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Program Files (x86)\SubDir\Client.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwiftProtector.exe
Filesize
3.9MB

MD5
67102e58d227ec190ffebcd885740da5

SHA1
a44d35c2fdcf52d7dc928bb8055bba719e0424d9

SHA256
eba20e95254ca56dbc8bb5c55adb85b058e17bcfa8d3acf8113a3824707b66ed

SHA512
7b42098b73db8e0206a19c13cd682d789c1f58449f0735f6dc7efe39e86bb8a33d23d7066a45c65204eb4f3623564582d37fd39ecfca97b897cee7619a930c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsexun.exe
Filesize
202KB

MD5
5c62a179832fc0df04addc93f9f9dd42

SHA1
64d6d19725e625fe8641dc8c4ae93b8a404712ff

SHA256
e7a79d110e0746b26523766a947fbe3eae5b6d38e0acadc743b8a9f3bb54eb31

SHA512
d1afcfd97e267620f0689abea903e2ef4a45b3eec448b6b1c0bf2600dec62250fac48e964a0447dfa04f9e2ef76b506b1113f1ff3746715b6f76dac36b0f910d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsexun.exe
Filesize
202KB

MD5
5c62a179832fc0df04addc93f9f9dd42

SHA1
64d6d19725e625fe8641dc8c4ae93b8a404712ff

SHA256
e7a79d110e0746b26523766a947fbe3eae5b6d38e0acadc743b8a9f3bb54eb31

SHA512
d1afcfd97e267620f0689abea903e2ef4a45b3eec448b6b1c0bf2600dec62250fac48e964a0447dfa04f9e2ef76b506b1113f1ff3746715b6f76dac36b0f910d

Download Submit
C:\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
C:\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
C:\Users\Admin\AppData\Local\Temp\lolll.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lolll.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiftprotector.exe
Filesize
3.7MB

MD5
d74f68403eef6477b3337b7a2bec802d

SHA1
368e0511048175f0118d526008c5679af968af98

SHA256
ad083f18a81539b7ddef2c7da3533587f29c863e6633402c56a5d429a461e9af

SHA512
55bd1883a849fdbbf9397f7635f07b7a7fee9a7c949fe25af1335b70e89c96af8c3fb5014bc8cfa9dc7e66ee88e7a8764be7dcaa5f5028ba25ab4d96d6b5c4dd

Download Submit
C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
C:\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
206KB

MD5
72d14310b3033a9ef2cc5270221dee45

SHA1
76e481d20fd426c3c1ad33fd8ebc169c4285c207

SHA256
f441fbbf984cdba520f349d60879e001faa0706e10b57b79595ef08532e0d2c5

SHA512
b3d1218596f724cc0268535db6d86ee04037626a2c1d8d722f476a5de85cb93391ad584ecf5bf81d951c64152d509a5c220810c624a83002144e43e6196279de

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
206KB

MD5
72d14310b3033a9ef2cc5270221dee45

SHA1
76e481d20fd426c3c1ad33fd8ebc169c4285c207

SHA256
f441fbbf984cdba520f349d60879e001faa0706e10b57b79595ef08532e0d2c5

SHA512
b3d1218596f724cc0268535db6d86ee04037626a2c1d8d722f476a5de85cb93391ad584ecf5bf81d951c64152d509a5c220810c624a83002144e43e6196279de

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
206KB

MD5
7a55ccbff8940a41a75535dcba624abe

SHA1
29d913ad44bbbf578ef4f5bbdee7f3bf800d05b7

SHA256
ab4271edf728785613d4f480edc598f02119bc7929bc5480a9ef05e6cef3c84f

SHA512
027c7e6d308d020ef06c23d901d0d611c13a17966c921bfba2b020b67b19bc8a662c9189eaecbf9845c56f11dc46f2ad822afe62cd0d93894661411e0c685242

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
206KB

MD5
7a55ccbff8940a41a75535dcba624abe

SHA1
29d913ad44bbbf578ef4f5bbdee7f3bf800d05b7

SHA256
ab4271edf728785613d4f480edc598f02119bc7929bc5480a9ef05e6cef3c84f

SHA512
027c7e6d308d020ef06c23d901d0d611c13a17966c921bfba2b020b67b19bc8a662c9189eaecbf9845c56f11dc46f2ad822afe62cd0d93894661411e0c685242

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
206KB

MD5
cdb035610f7884531d3bc7c6e01cb753

SHA1
6695f4c3d93ec79d2812db32821855478b5364bd

SHA256
8ffe42c25e9c0683ad315fecccf6e18385c9cbe04e22321a61772d457ee5c90a

SHA512
1fcbcbc69b72812075b2a64bd0f15fe8370267a8740d9d9f499e648e5772693d2ff5290e50048e10cc100e1700a3762341051a192a0e9898a8e34328da6d5eee

Download Submit
\??\c:\users\admin\appdata\local\temp\confiditial.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
\??\c:\users\admin\appdata\local\temp\confiditial.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\??\c:\users\admin\appdata\local\temp\swiftprotector.exe
Filesize
3.9MB

MD5
67102e58d227ec190ffebcd885740da5

SHA1
a44d35c2fdcf52d7dc928bb8055bba719e0424d9

SHA256
eba20e95254ca56dbc8bb5c55adb85b058e17bcfa8d3acf8113a3824707b66ed

SHA512
7b42098b73db8e0206a19c13cd682d789c1f58449f0735f6dc7efe39e86bb8a33d23d7066a45c65204eb4f3623564582d37fd39ecfca97b897cee7619a930c16

Download Submit
\??\c:\users\admin\appdata\roaming\robloxapplanucher.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
\??\c:\users\admin\appdata\roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
206KB

MD5
7a55ccbff8940a41a75535dcba624abe

SHA1
29d913ad44bbbf578ef4f5bbdee7f3bf800d05b7

SHA256
ab4271edf728785613d4f480edc598f02119bc7929bc5480a9ef05e6cef3c84f

SHA512
027c7e6d308d020ef06c23d901d0d611c13a17966c921bfba2b020b67b19bc8a662c9189eaecbf9845c56f11dc46f2ad822afe62cd0d93894661411e0c685242

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
206KB

MD5
cdb035610f7884531d3bc7c6e01cb753

SHA1
6695f4c3d93ec79d2812db32821855478b5364bd

SHA256
8ffe42c25e9c0683ad315fecccf6e18385c9cbe04e22321a61772d457ee5c90a

SHA512
1fcbcbc69b72812075b2a64bd0f15fe8370267a8740d9d9f499e648e5772693d2ff5290e50048e10cc100e1700a3762341051a192a0e9898a8e34328da6d5eee

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
206KB

MD5
72d14310b3033a9ef2cc5270221dee45

SHA1
76e481d20fd426c3c1ad33fd8ebc169c4285c207

SHA256
f441fbbf984cdba520f349d60879e001faa0706e10b57b79595ef08532e0d2c5

SHA512
b3d1218596f724cc0268535db6d86ee04037626a2c1d8d722f476a5de85cb93391ad584ecf5bf81d951c64152d509a5c220810c624a83002144e43e6196279de

Download Submit
\Users\Admin\AppData\Local\Temp\SwiftProtector.exe
Filesize
3.9MB

MD5
67102e58d227ec190ffebcd885740da5

SHA1
a44d35c2fdcf52d7dc928bb8055bba719e0424d9

SHA256
eba20e95254ca56dbc8bb5c55adb85b058e17bcfa8d3acf8113a3824707b66ed

SHA512
7b42098b73db8e0206a19c13cd682d789c1f58449f0735f6dc7efe39e86bb8a33d23d7066a45c65204eb4f3623564582d37fd39ecfca97b897cee7619a930c16

Download Submit
\Users\Admin\AppData\Local\Temp\SwiftProtector.exe
Filesize
3.9MB

MD5
67102e58d227ec190ffebcd885740da5

SHA1
a44d35c2fdcf52d7dc928bb8055bba719e0424d9

SHA256
eba20e95254ca56dbc8bb5c55adb85b058e17bcfa8d3acf8113a3824707b66ed

SHA512
7b42098b73db8e0206a19c13cd682d789c1f58449f0735f6dc7efe39e86bb8a33d23d7066a45c65204eb4f3623564582d37fd39ecfca97b897cee7619a930c16

Download Submit
\Users\Admin\AppData\Local\Temp\Tsexun.exe
Filesize
202KB

MD5
5c62a179832fc0df04addc93f9f9dd42

SHA1
64d6d19725e625fe8641dc8c4ae93b8a404712ff

SHA256
e7a79d110e0746b26523766a947fbe3eae5b6d38e0acadc743b8a9f3bb54eb31

SHA512
d1afcfd97e267620f0689abea903e2ef4a45b3eec448b6b1c0bf2600dec62250fac48e964a0447dfa04f9e2ef76b506b1113f1ff3746715b6f76dac36b0f910d

Download Submit
\Users\Admin\AppData\Local\Temp\Tsexun.exe
Filesize
202KB

MD5
5c62a179832fc0df04addc93f9f9dd42

SHA1
64d6d19725e625fe8641dc8c4ae93b8a404712ff

SHA256
e7a79d110e0746b26523766a947fbe3eae5b6d38e0acadc743b8a9f3bb54eb31

SHA512
d1afcfd97e267620f0689abea903e2ef4a45b3eec448b6b1c0bf2600dec62250fac48e964a0447dfa04f9e2ef76b506b1113f1ff3746715b6f76dac36b0f910d

Download Submit
\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\Users\Admin\AppData\Local\Temp\lolll.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
\Users\Admin\AppData\Local\Temp\swiftprotector.exe
Filesize
3.7MB

MD5
d74f68403eef6477b3337b7a2bec802d

SHA1
368e0511048175f0118d526008c5679af968af98

SHA256
ad083f18a81539b7ddef2c7da3533587f29c863e6633402c56a5d429a461e9af

SHA512
55bd1883a849fdbbf9397f7635f07b7a7fee9a7c949fe25af1335b70e89c96af8c3fb5014bc8cfa9dc7e66ee88e7a8764be7dcaa5f5028ba25ab4d96d6b5c4dd

Download Submit
\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
206KB

MD5
72d14310b3033a9ef2cc5270221dee45

SHA1
76e481d20fd426c3c1ad33fd8ebc169c4285c207

SHA256
f441fbbf984cdba520f349d60879e001faa0706e10b57b79595ef08532e0d2c5

SHA512
b3d1218596f724cc0268535db6d86ee04037626a2c1d8d722f476a5de85cb93391ad584ecf5bf81d951c64152d509a5c220810c624a83002144e43e6196279de

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
206KB

MD5
72d14310b3033a9ef2cc5270221dee45

SHA1
76e481d20fd426c3c1ad33fd8ebc169c4285c207

SHA256
f441fbbf984cdba520f349d60879e001faa0706e10b57b79595ef08532e0d2c5

SHA512
b3d1218596f724cc0268535db6d86ee04037626a2c1d8d722f476a5de85cb93391ad584ecf5bf81d951c64152d509a5c220810c624a83002144e43e6196279de

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
206KB

MD5
72d14310b3033a9ef2cc5270221dee45

SHA1
76e481d20fd426c3c1ad33fd8ebc169c4285c207

SHA256
f441fbbf984cdba520f349d60879e001faa0706e10b57b79595ef08532e0d2c5

SHA512
b3d1218596f724cc0268535db6d86ee04037626a2c1d8d722f476a5de85cb93391ad584ecf5bf81d951c64152d509a5c220810c624a83002144e43e6196279de

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
206KB

MD5
7a55ccbff8940a41a75535dcba624abe

SHA1
29d913ad44bbbf578ef4f5bbdee7f3bf800d05b7

SHA256
ab4271edf728785613d4f480edc598f02119bc7929bc5480a9ef05e6cef3c84f

SHA512
027c7e6d308d020ef06c23d901d0d611c13a17966c921bfba2b020b67b19bc8a662c9189eaecbf9845c56f11dc46f2ad822afe62cd0d93894661411e0c685242

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
206KB

MD5
7a55ccbff8940a41a75535dcba624abe

SHA1
29d913ad44bbbf578ef4f5bbdee7f3bf800d05b7

SHA256
ab4271edf728785613d4f480edc598f02119bc7929bc5480a9ef05e6cef3c84f

SHA512
027c7e6d308d020ef06c23d901d0d611c13a17966c921bfba2b020b67b19bc8a662c9189eaecbf9845c56f11dc46f2ad822afe62cd0d93894661411e0c685242

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
206KB

MD5
7a55ccbff8940a41a75535dcba624abe

SHA1
29d913ad44bbbf578ef4f5bbdee7f3bf800d05b7

SHA256
ab4271edf728785613d4f480edc598f02119bc7929bc5480a9ef05e6cef3c84f

SHA512
027c7e6d308d020ef06c23d901d0d611c13a17966c921bfba2b020b67b19bc8a662c9189eaecbf9845c56f11dc46f2ad822afe62cd0d93894661411e0c685242

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
206KB

MD5
7a55ccbff8940a41a75535dcba624abe

SHA1
29d913ad44bbbf578ef4f5bbdee7f3bf800d05b7

SHA256
ab4271edf728785613d4f480edc598f02119bc7929bc5480a9ef05e6cef3c84f

SHA512
027c7e6d308d020ef06c23d901d0d611c13a17966c921bfba2b020b67b19bc8a662c9189eaecbf9845c56f11dc46f2ad822afe62cd0d93894661411e0c685242

Download Submit
\Windows\Resources\svchost.exe
Filesize
206KB

MD5
cdb035610f7884531d3bc7c6e01cb753

SHA1
6695f4c3d93ec79d2812db32821855478b5364bd

SHA256
8ffe42c25e9c0683ad315fecccf6e18385c9cbe04e22321a61772d457ee5c90a

SHA512
1fcbcbc69b72812075b2a64bd0f15fe8370267a8740d9d9f499e648e5772693d2ff5290e50048e10cc100e1700a3762341051a192a0e9898a8e34328da6d5eee

Download Submit
\Windows\Resources\svchost.exe
Filesize
206KB

MD5
cdb035610f7884531d3bc7c6e01cb753

SHA1
6695f4c3d93ec79d2812db32821855478b5364bd

SHA256
8ffe42c25e9c0683ad315fecccf6e18385c9cbe04e22321a61772d457ee5c90a

SHA512
1fcbcbc69b72812075b2a64bd0f15fe8370267a8740d9d9f499e648e5772693d2ff5290e50048e10cc100e1700a3762341051a192a0e9898a8e34328da6d5eee

Download Submit
memory/520-164-0x0000000000000000-mapping.dmp

Download
memory/520-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-204-0x0000000000000000-mapping.dmp

Download
memory/900-90-0x0000000000000000-mapping.dmp

Download
memory/900-95-0x00000000053C0000-0x000000000577E000-memory.dmp

Filesize
3.7MB

Download
memory/900-93-0x0000000005780000-0x0000000005B3E000-memory.dmp

Filesize
3.7MB

Download
memory/940-202-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/940-61-0x0000000000000000-mapping.dmp

Download
memory/940-96-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-186-0x0000000000000000-mapping.dmp

Download
memory/1116-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-188-0x0000000000000000-mapping.dmp

Download
memory/1500-102-0x0000000000000000-mapping.dmp

Download
memory/1536-115-0x0000000000000000-mapping.dmp

Download
memory/1536-118-0x0000000000960000-0x00000000009A0000-memory.dmp

Filesize
256KB

Download
memory/1652-177-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1652-178-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1652-135-0x0000000000000000-mapping.dmp

Download
memory/1652-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-148-0x0000000000000000-mapping.dmp

Download
memory/1692-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-71-0x0000000000000000-mapping.dmp

Download
memory/1692-137-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/1720-98-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1720-84-0x0000000000000000-mapping.dmp

Download
memory/1720-92-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/1720-107-0x0000000000AD0000-0x0000000000AFF000-memory.dmp

Filesize
188KB

Download
memory/1720-108-0x0000000000AD0000-0x0000000000AFF000-memory.dmp

Filesize
188KB

Download
memory/1728-175-0x0000000000000000-mapping.dmp

Download
memory/1736-128-0x0000000000000000-mapping.dmp

Download
memory/1736-142-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/1736-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-140-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/1744-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-194-0x0000000000000000-mapping.dmp

Download
memory/1752-66-0x0000000000000000-mapping.dmp

Download
memory/1752-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-181-0x0000000000000000-mapping.dmp

Download
memory/1824-170-0x0000000000000000-mapping.dmp

Download
memory/1824-101-0x0000000000000000-mapping.dmp

Download
memory/1824-173-0x000007FEFB671000-0x000007FEFB673000-memory.dmp

Filesize
8KB

Download
memory/1892-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-180-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1892-156-0x0000000000000000-mapping.dmp

Download
memory/1904-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1912-56-0x0000000000000000-mapping.dmp

Download
memory/1912-94-0x0000000000A60000-0x0000000000AAE000-memory.dmp

Filesize
312KB

Download
memory/1912-76-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/1916-203-0x0000000000000000-mapping.dmp

Download
memory/1920-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-105-0x0000000000000000-mapping.dmp

Download
memory/1944-120-0x0000000000000000-mapping.dmp

Download
memory/1948-182-0x0000000000000000-mapping.dmp

Download
memory/1948-185-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download