netwire | e01bb0869c559b895adf1e203a1e3498aa86e676731ff810183c8a0432559fee

Analysis

max time kernel
118s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

3.5MB
MD5

6600434532f969d8fb24ee51fef331b7
SHA1

f3dc4329ded8a0ef1292bebf97611c4ad2e552fe
SHA256

e01bb0869c559b895adf1e203a1e3498aa86e676731ff810183c8a0432559fee
SHA512

109655ea6989bb15ff5f912ea37a5f92e17af52f1b5d23775d9b2a5b384e0bb9edbe7b19b77d27165b1cf1fe9dbd82fd11d68524333f3cced3d5d75e0635f394
SSDEEP

98304:kAI+zy/rv/dDXsN3RUDF/QY0VJkXZf8Bomxl3:jtzyTvVDchRsUMXZfCj3

Score

10^/10

netwire revengerat nyancatrevenge botnet discovery evasion persistence rat stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

alice2019.myftp.biz:7575

Mutex

a4765021d3

Extracted

Family

netwire

alice2019.myftp.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
TEST_0000
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1420-178-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1420-180-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1420-182-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

dwm.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dwm.exe = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\04df\svchost.exe = "0"	LogonUI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LogonUI.exe = "0"	LogonUI.exe

Executes dropped EXE 4 IoCs

Processes:

Set-up.exedwm.exedwm.exeLogonUI.exe

pid process

5116 Set-up.exe
528 dwm.exe
4640 dwm.exe
5008 LogonUI.exe

pid	process
5116	Set-up.exe
528	dwm.exe
4640	dwm.exe
5008	LogonUI.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exeLogonUI.exeSet-up.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LogonUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Set-up.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

dwm.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dwm.exe = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\04df\svchost.exe = "0"	LogonUI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LogonUI.exe = "0"	LogonUI.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dwm.exeLogonUI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_0xHM2sbehave = "C:\\Program Files\\Common Files\\System\\_0xHSei3ure3\\svchost.exe"	dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14cb = "C:\\Program Files\\Common Files\\System\\04df\\svchost.exe"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\14cb = "C:\\Program Files\\Common Files\\System\\04df\\svchost.exe"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_0xHM2sbehave = "C:\\Program Files\\Common Files\\System\\_0xHSei3ure3\\svchost.exe"	dwm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

dwm.exeLogonUI.exe

description pid process target process

PID 528 set thread context of 4640 528 dwm.exe dwm.exe
PID 5008 set thread context of 1420 5008 LogonUI.exe ROUTE.EXE

description	pid	process	target process
PID 528 set thread context of 4640	528	dwm.exe	dwm.exe
PID 5008 set thread context of 1420	5008	LogonUI.exe	ROUTE.EXE

Drops file in Program Files directory 7 IoCs

Processes:

Set-up.exedwm.exeLogonUI.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini	Set-up.exe
File created	C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe	dwm.exe
File opened for modification	C:\Program Files\Common Files\System\_0xHSei3ure3	dwm.exe
File created	C:\Program Files\Common Files\System\04df\svchost.exe	LogonUI.exe
File opened for modification	C:\Program Files\Common Files\System\04df	LogonUI.exe
File opened for modification	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe	Set-up.exe
File opened for modification	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe	Set-up.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwm.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Set-up.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001"	Set-up.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Set-up.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

dwm.exepowershell.exepowershell.exepowershell.exeLogonUI.exepowershell.exepowershell.exepowershell.exe

pid	process
528	dwm.exe
528	dwm.exe
528	dwm.exe
528	dwm.exe
2676	powershell.exe
4780	powershell.exe
5072	powershell.exe
2676	powershell.exe
4780	powershell.exe
5072	powershell.exe
528	dwm.exe
528	dwm.exe
528	dwm.exe
528	dwm.exe
528	dwm.exe
528	dwm.exe
5008	LogonUI.exe
5008	LogonUI.exe
5008	LogonUI.exe
5008	LogonUI.exe
1548	powershell.exe
2356	powershell.exe
4568	powershell.exe
5008	LogonUI.exe
5008	LogonUI.exe
5008	LogonUI.exe
5008	LogonUI.exe
1548	powershell.exe
2356	powershell.exe
4568	powershell.exe
5008	LogonUI.exe
5008	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

dwm.exepowershell.exepowershell.exepowershell.exeLogonUI.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	528	dwm.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5008	LogonUI.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

Set-up.exedwm.exeLogonUI.exe

description	pid	process	target process
PID 4876 wrote to memory of 5116	4876	Set-up.exe	Set-up.exe
PID 4876 wrote to memory of 5116	4876	Set-up.exe	Set-up.exe
PID 4876 wrote to memory of 5116	4876	Set-up.exe	Set-up.exe
PID 4876 wrote to memory of 528	4876	Set-up.exe	dwm.exe
PID 4876 wrote to memory of 528	4876	Set-up.exe	dwm.exe
PID 4876 wrote to memory of 528	4876	Set-up.exe	dwm.exe
PID 528 wrote to memory of 2676	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 2676	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 2676	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 5072	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 5072	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 5072	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 4780	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 4780	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 4780	528	dwm.exe	powershell.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 528 wrote to memory of 4640	528	dwm.exe	dwm.exe
PID 4876 wrote to memory of 5008	4876	Set-up.exe	LogonUI.exe
PID 4876 wrote to memory of 5008	4876	Set-up.exe	LogonUI.exe
PID 4876 wrote to memory of 5008	4876	Set-up.exe	LogonUI.exe
PID 5008 wrote to memory of 1548	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 1548	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 1548	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 2356	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 2356	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 2356	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 4568	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 4568	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 4568	5008	LogonUI.exe	powershell.exe
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE
PID 5008 wrote to memory of 1420	5008	LogonUI.exe	ROUTE.EXE

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4876

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:5116

C:\Users\Admin\AppData\Local\Temp\dwm.exe
"C:\Users\Admin\AppData\Local\Temp\dwm.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dwm.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Users\Admin\AppData\Local\Temp\dwm.exe
"C:\Users\Admin\AppData\Local\Temp\dwm.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4640

C:\Users\Admin\AppData\Local\Temp\LogonUI.exe
"C:\Users\Admin\AppData\Local\Temp\LogonUI.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\04df\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\04df\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LogonUI.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\ROUTE.EXE
"C:\Windows\SysWOW64\ROUTE.EXE"
3⤵
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1d366f50d1928935cc7e8d98aca1faf

SHA1
8f4a53754309c62e8417a227e1c8fb94ee63a072

SHA256
e4c4134db6adefc89d49c4c3902d0001fee41efb31d6dd4f2d0fa22f179bb79b

SHA512
22fc2cbef0855d7892bd19daa2c959ad52218d2b82829e15dcffe0b8da7345d1864c7d6b7c15508f938a175c0462cf86c9f90c01ed5318b722a494173acec811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1d366f50d1928935cc7e8d98aca1faf

SHA1
8f4a53754309c62e8417a227e1c8fb94ee63a072

SHA256
e4c4134db6adefc89d49c4c3902d0001fee41efb31d6dd4f2d0fa22f179bb79b

SHA512
22fc2cbef0855d7892bd19daa2c959ad52218d2b82829e15dcffe0b8da7345d1864c7d6b7c15508f938a175c0462cf86c9f90c01ed5318b722a494173acec811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1d366f50d1928935cc7e8d98aca1faf

SHA1
8f4a53754309c62e8417a227e1c8fb94ee63a072

SHA256
e4c4134db6adefc89d49c4c3902d0001fee41efb31d6dd4f2d0fa22f179bb79b

SHA512
22fc2cbef0855d7892bd19daa2c959ad52218d2b82829e15dcffe0b8da7345d1864c7d6b7c15508f938a175c0462cf86c9f90c01ed5318b722a494173acec811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a42308d359d3c67a39c92bcbfc9e0126

SHA1
4aa1da0e7eea6687f242403910f490c3e3b4ec45

SHA256
faadc58828c6e0005a0990c747ad4de91bc9892fb154b639e85b1373fcb1dfa7

SHA512
a06383a2817a52dd7d26ef235105bd44ff97a9b18d6949867a78e4fe83850f29e4bed417af7b1a40f46c6628850704cccde79b9e45525bb91833363ad6f4bded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a42308d359d3c67a39c92bcbfc9e0126

SHA1
4aa1da0e7eea6687f242403910f490c3e3b4ec45

SHA256
faadc58828c6e0005a0990c747ad4de91bc9892fb154b639e85b1373fcb1dfa7

SHA512
a06383a2817a52dd7d26ef235105bd44ff97a9b18d6949867a78e4fe83850f29e4bed417af7b1a40f46c6628850704cccde79b9e45525bb91833363ad6f4bded

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
memory/528-140-0x0000000007BC0000-0x0000000008164000-memory.dmp

Filesize
5.6MB

Download
memory/528-139-0x0000000004E60000-0x0000000004EFC000-memory.dmp

Filesize
624KB

Download
memory/528-145-0x00000000076B0000-0x0000000007742000-memory.dmp

Filesize
584KB

Download
memory/528-138-0x00000000005C0000-0x0000000000630000-memory.dmp

Filesize
448KB

Download
memory/528-147-0x0000000007610000-0x000000000761A000-memory.dmp

Filesize
40KB

Download
memory/528-135-0x0000000000000000-mapping.dmp

Download
memory/1420-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-177-0x0000000000000000-mapping.dmp

Download
memory/1420-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-174-0x0000000000000000-mapping.dmp

Download
memory/1548-184-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/2356-175-0x0000000000000000-mapping.dmp

Download
memory/2356-183-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/2676-144-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/2676-150-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/2676-163-0x0000000006AA0000-0x0000000006ABE000-memory.dmp

Filesize
120KB

Download
memory/2676-160-0x000000006EFF0000-0x000000006F03C000-memory.dmp

Filesize
304KB

Download
memory/2676-141-0x0000000000000000-mapping.dmp

Download
memory/2676-149-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/2676-154-0x00000000052A0000-0x00000000052BE000-memory.dmp

Filesize
120KB

Download
memory/2676-166-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/4568-185-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4568-176-0x0000000000000000-mapping.dmp

Download
memory/4640-152-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4640-151-0x0000000000000000-mapping.dmp

Download
memory/4780-161-0x000000006EFF0000-0x000000006F03C000-memory.dmp

Filesize
304KB

Download
memory/4780-168-0x0000000007720000-0x000000000772E000-memory.dmp

Filesize
56KB

Download
memory/4780-170-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/4780-159-0x00000000071C0000-0x00000000071F2000-memory.dmp

Filesize
200KB

Download
memory/4780-143-0x0000000000000000-mapping.dmp

Download
memory/4780-148-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/4780-164-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/5008-158-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/5008-155-0x0000000000000000-mapping.dmp

Download
memory/5072-165-0x00000000081E0000-0x000000000885A000-memory.dmp

Filesize
6.5MB

Download
memory/5072-146-0x0000000005BE0000-0x0000000006208000-memory.dmp

Filesize
6.2MB

Download
memory/5072-167-0x0000000007E00000-0x0000000007E96000-memory.dmp

Filesize
600KB

Download
memory/5072-169-0x0000000007EC0000-0x0000000007EDA000-memory.dmp

Filesize
104KB

Download
memory/5072-142-0x0000000000000000-mapping.dmp

Download
memory/5072-162-0x000000006EFF0000-0x000000006F03C000-memory.dmp

Filesize
304KB

Download
memory/5116-132-0x0000000000000000-mapping.dmp

Download