amadey | b09f2a17a609ca4e7ea83b3d4b7526df56cee30f0e5a18db63068e62608d59ef

Analysis

max time kernel
107s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

178KB
MD5

cb0cd0a8f3e0886c11e27e4fada4006a
SHA1

1e6a0874347c6984cb7d7d4c32c93a2d99e9acb4
SHA256

b09f2a17a609ca4e7ea83b3d4b7526df56cee30f0e5a18db63068e62608d59ef
SHA512

3ef9943a63e5b45dc639b562e7287e29c4f62ccd35860edcec8b635e5fa8ef30d9c771ed898df310da8f4944c61ccc1bccba11839363c0e3133d2b2d70fa11e9
SSDEEP

3072:6I1F6AcTzsjCQNWXGhQsaCk2gFCGq7T9sZ:V6AcfaR6/Ck2g7q7T

Score

10^/10

amadey djvu rhadamanthys smokeloader vidar pub1 sprg backdoor discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test2/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.dapo
offline_id
8EM6M9LqEzIk18qaQ87WiPQ1u84RRdej5V1ovht1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vbVkogQdu2 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0667JOsie

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199472266392

Extracted

Family

vidar

Version

�#�#

https://steamcommunity.com/profiles/76561199472266392

Extracted

Family

vidar

Version

�+�+

https://steamcommunity.com/profiles/76561199472266392

Extracted

Family

vidar

Version

��

https://steamcommunity.com/profiles/76561199472266392

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral2/memory/4480-569-0x0000000001FE0000-0x0000000001FFC000-memory.dmp	family_rhadamanthys
behavioral2/memory/4480-649-0x0000000001FE0000-0x0000000001FFC000-memory.dmp	family_rhadamanthys
behavioral2/memory/3296-658-0x0000000002100000-0x000000000211C000-memory.dmp	family_rhadamanthys
behavioral2/memory/3296-687-0x0000000002100000-0x000000000211C000-memory.dmp	family_rhadamanthys

Detected Djvu ransomware 35 IoCs

resource	yara_rule
behavioral2/memory/4468-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4468-176-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/560-178-0x0000000002240000-0x000000000235B000-memory.dmp	family_djvu
behavioral2/memory/4468-182-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4468-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/452-190-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/452-192-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/452-199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4768-195-0x0000000002230000-0x000000000234B000-memory.dmp	family_djvu
behavioral2/memory/452-202-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4468-261-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-284-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-288-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3436-293-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3436-292-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-324-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-325-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-315-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3436-313-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-333-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/452-337-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-349-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3436-340-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-336-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-339-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-367-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-380-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-381-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-387-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-389-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-390-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-391-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-393-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/452-397-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4372-567-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4600	rundll32.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4600	rundll32.exe	70

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
135	1704	rundll32.exe
157	1704	rundll32.exe

Downloads MZ/PE file

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_joined\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows NT\\TableTextService\\reviews_joined.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_joined\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_joined\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService뀀"	rundll32.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	FEC7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	7E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	7E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	liwen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	liwen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	189F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	FEC7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	189F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	292.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	build2.exe

Executes dropped EXE 41 IoCs

pid	Process
560	FEC7.exe
4768	7E.exe
4900	292.exe
4468	FEC7.exe
3820	429.exe
4892	7F3.exe
452	7E.exe
4596	91D.exe
2024	7E.exe
1228	Player3.exe
1548	liwen.exe
3300	liwen.exe
3852	ss31.exe
1724	ss31.exe
784	nbveek.exe
2608	liwen.exe
2928	liwen.exe
5048	FEC7.exe
4788	189F.exe
5080	FEC7.exe
4480	1F47.exe
3436	189F.exe
3296	2B6D.exe
5084	2DFE.exe
3044	3022.exe
2160	189F.exe
2408	build2.exe
3316	build3.exe
4372	189F.exe
2704	build2.exe
4964	nbveek.exe
3760	jwebaee
4844	7E.exe
2024	7E.exe
1380	build2.exe
4192	build3.exe
436	build2.exe
1564	build2.exe
1208	build3.exe
680	build2.exe
3120	99DA.exe

Loads dropped DLL 14 IoCs

pid	Process
3820	rundll32.exe
436	build2.exe
2704	build2.exe
2704	build2.exe
436	build2.exe
436	build2.exe
1704	rundll32.exe
680	build2.exe
680	build2.exe
2324	rundll32.exe
4024	rundll32.exe
4808	rundll32.exe
3824	svchost.exe
3824	svchost.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4380	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4b4c76a7-1efc-4a9c-ada3-dd7d3f72e214\\7E.exe\" --AutoStart"	7E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	api.2ip.ua
73	api.2ip.ua
75	api.2ip.ua
97	api.2ip.ua
103	api.2ip.ua
38	api.2ip.ua
39	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4480	1F47.exe
4480	1F47.exe
4480	1F47.exe
3296	2B6D.exe
3296	2B6D.exe
3296	2B6D.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 4468	560	FEC7.exe	92
PID 4768 set thread context of 452	4768	7E.exe	96
PID 5048 set thread context of 5080	5048	FEC7.exe	139
PID 4788 set thread context of 3436	4788	189F.exe	121
PID 2160 set thread context of 4372	2160	189F.exe	149
PID 2408 set thread context of 2704	2408	build2.exe	150
PID 1380 set thread context of 436	1380	build2.exe	160
PID 1564 set thread context of 680	1564	build2.exe	165

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\icucnv40.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\main-high-contrast.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\eula.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	rundll32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ADelRCP.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\AdobeLinguistic.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\reviews_joined.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png	rundll32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\Home.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4932	4596	WerFault.exe	97
2196	436	WerFault.exe
1500	3820	WerFault.exe	93
4704	3044	WerFault.exe	132
2912	3760	WerFault.exe	143
1716	4480	WerFault.exe	120
4356	3120	WerFault.exe	167
4248	3296	WerFault.exe	126
3992	4808	WerFault.exe	191

Checks SCSI registry key(s) 3 TTPs 19 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7F3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DFE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	1F47.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7F3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DFE.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	1F47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2B6D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2B6D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F47.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	2B6D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2B6D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7F3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F47.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	2B6D.exe

Checks processor information in registry 2 TTPs 29 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4568	schtasks.exe
5096	schtasks.exe
1500	schtasks.exe
3372	schtasks.exe
1552	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4172	timeout.exe
4812	timeout.exe
1728	timeout.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwen.exe"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwen.exe"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwen.exe"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwen.exe"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwen.exe"	liwen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	liwen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	liwen.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	66	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	70	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	setup.exe
4248	setup.exe
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	Process not Found

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
4248	setup.exe
4892	7F3.exe
5084	2DFE.exe
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found
2568	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found
Token: SeShutdownPrivilege	2568	Process not Found
Token: SeCreatePagefilePrivilege	2568	Process not Found

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1548	liwen.exe
3300	liwen.exe
1548	liwen.exe
3300	liwen.exe
2608	liwen.exe
2608	liwen.exe
2928	liwen.exe
2928	liwen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 560	2568	Process not Found	88
PID 2568 wrote to memory of 560	2568	Process not Found	88
PID 2568 wrote to memory of 560	2568	Process not Found	88
PID 2568 wrote to memory of 4768	2568	Process not Found	90
PID 2568 wrote to memory of 4768	2568	Process not Found	90
PID 2568 wrote to memory of 4768	2568	Process not Found	90
PID 2568 wrote to memory of 4900	2568	Process not Found	91
PID 2568 wrote to memory of 4900	2568	Process not Found	91
PID 2568 wrote to memory of 4900	2568	Process not Found	91
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 560 wrote to memory of 4468	560	FEC7.exe	92
PID 2568 wrote to memory of 3820	2568	Process not Found	93
PID 2568 wrote to memory of 3820	2568	Process not Found	93
PID 2568 wrote to memory of 3820	2568	Process not Found	93
PID 2568 wrote to memory of 4892	2568	Process not Found	95
PID 2568 wrote to memory of 4892	2568	Process not Found	95
PID 2568 wrote to memory of 4892	2568	Process not Found	95
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 4768 wrote to memory of 452	4768	7E.exe	96
PID 2568 wrote to memory of 4596	2568	Process not Found	97
PID 2568 wrote to memory of 4596	2568	Process not Found	97
PID 2568 wrote to memory of 4596	2568	Process not Found	97
PID 3820 wrote to memory of 2024	3820	rundll32.exe	153
PID 3820 wrote to memory of 2024	3820	rundll32.exe	153
PID 3820 wrote to memory of 2024	3820	rundll32.exe	153
PID 4900 wrote to memory of 1228	4900	Process not Found	102
PID 4900 wrote to memory of 1228	4900	Process not Found	102
PID 4900 wrote to memory of 1228	4900	Process not Found	102
PID 4900 wrote to memory of 1548	4900	Process not Found	103
PID 4900 wrote to memory of 1548	4900	Process not Found	103
PID 4900 wrote to memory of 1548	4900	Process not Found	103
PID 3820 wrote to memory of 3300	3820	rundll32.exe	104
PID 3820 wrote to memory of 3300	3820	rundll32.exe	104
PID 3820 wrote to memory of 3300	3820	rundll32.exe	104
PID 452 wrote to memory of 4380	452	7E.exe	107
PID 452 wrote to memory of 4380	452	7E.exe	107
PID 452 wrote to memory of 4380	452	7E.exe	107
PID 4900 wrote to memory of 3852	4900	Process not Found	108
PID 4900 wrote to memory of 3852	4900	Process not Found	108
PID 3820 wrote to memory of 1724	3820	rundll32.exe	106
PID 3820 wrote to memory of 1724	3820	rundll32.exe	106
PID 4468 wrote to memory of 5048	4468	FEC7.exe	109
PID 4468 wrote to memory of 5048	4468	FEC7.exe	109
PID 4468 wrote to memory of 5048	4468	FEC7.exe	109
PID 2024 wrote to memory of 784	2024	7E.exe	111
PID 2024 wrote to memory of 784	2024	7E.exe	111
PID 2024 wrote to memory of 784	2024	7E.exe	111
PID 3300 wrote to memory of 2608	3300	liwen.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4248

C:\Users\Admin\AppData\Local\Temp\FEC7.exe
C:\Users\Admin\AppData\Local\Temp\FEC7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\FEC7.exe
  C:\Users\Admin\AppData\Local\Temp\FEC7.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\FEC7.exe
    "C:\Users\Admin\AppData\Local\Temp\FEC7.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\FEC7.exe
      "C:\Users\Admin\AppData\Local\Temp\FEC7.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5080
    - - C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe
        
        "C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2408
      - C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe
        
        "C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe" & exit
        7⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:4172
    - - C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build3.exe
        
        "C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:3316

C:\Users\Admin\AppData\Local\Temp\7E.exe
C:\Users\Admin\AppData\Local\Temp\7E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\7E.exe
  C:\Users\Admin\AppData\Local\Temp\7E.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\4b4c76a7-1efc-4a9c-ada3-dd7d3f72e214" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4380
- - C:\Users\Admin\AppData\Local\Temp\7E.exe
    "C:\Users\Admin\AppData\Local\Temp\7E.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\7E.exe
      "C:\Users\Admin\AppData\Local\Temp\7E.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Users\Admin\AppData\Local\61203b82-aa96-426d-9971-96e5e8cef38c\build2.exe
        
        "C:\Users\Admin\AppData\Local\61203b82-aa96-426d-9971-96e5e8cef38c\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1564
      - C:\Users\Admin\AppData\Local\61203b82-aa96-426d-9971-96e5e8cef38c\build2.exe
        
        "C:\Users\Admin\AppData\Local\61203b82-aa96-426d-9971-96e5e8cef38c\build2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\61203b82-aa96-426d-9971-96e5e8cef38c\build2.exe" & exit
        7⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\61203b82-aa96-426d-9971-96e5e8cef38c\build3.exe
        
        "C:\Users\Admin\AppData\Local\61203b82-aa96-426d-9971-96e5e8cef38c\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:1208
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3372

C:\Users\Admin\AppData\Local\Temp\292.exe
C:\Users\Admin\AppData\Local\Temp\292.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4900
- C:\Users\Admin\AppData\Local\Temp\Player3.exe
  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\liwen.exe
  "C:\Users\Admin\AppData\Local\Temp\liwen.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\liwen.exe
    "C:\Users\Admin\AppData\Local\Temp\liwen.exe" -h
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\ss31.exe
  "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
  2⤵
  - Executes dropped EXE
  PID:3852

C:\Users\Admin\AppData\Local\Temp\429.exe
C:\Users\Admin\AppData\Local\Temp\429.exe
1⤵
- Executes dropped EXE
PID:3820
- C:\Users\Admin\AppData\Local\Temp\Player3.exe
  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:784
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4568
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        5⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2408
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4024
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4808
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4808 -s 644
        6⤵
        Program crash
        
        PID:3992
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2324
- C:\Users\Admin\AppData\Local\Temp\liwen.exe
  "C:\Users\Admin\AppData\Local\Temp\liwen.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\liwen.exe
    "C:\Users\Admin\AppData\Local\Temp\liwen.exe" -h
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\ss31.exe
  "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 600
  2⤵
  - Program crash
  PID:1500

C:\Users\Admin\AppData\Local\Temp\7F3.exe
C:\Users\Admin\AppData\Local\Temp\7F3.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4892

C:\Users\Admin\AppData\Local\Temp\91D.exe
C:\Users\Admin\AppData\Local\Temp\91D.exe
1⤵
- Executes dropped EXE
PID:4596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 340
  2⤵
  - Program crash
  PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4596 -ip 4596
1⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\189F.exe
C:\Users\Admin\AppData\Local\Temp\189F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4788
- C:\Users\Admin\AppData\Local\Temp\189F.exe
  C:\Users\Admin\AppData\Local\Temp\189F.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\189F.exe
    "C:\Users\Admin\AppData\Local\Temp\189F.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\189F.exe
      "C:\Users\Admin\AppData\Local\Temp\189F.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4372
    - - C:\Users\Admin\AppData\Local\36b2a3b2-2199-4b37-9071-3ad53d22cca4\build2.exe
        
        "C:\Users\Admin\AppData\Local\36b2a3b2-2199-4b37-9071-3ad53d22cca4\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1380
      - C:\Users\Admin\AppData\Local\36b2a3b2-2199-4b37-9071-3ad53d22cca4\build2.exe
        
        "C:\Users\Admin\AppData\Local\36b2a3b2-2199-4b37-9071-3ad53d22cca4\build2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\36b2a3b2-2199-4b37-9071-3ad53d22cca4\build2.exe" & exit
        7⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:4812
    - - C:\Users\Admin\AppData\Local\36b2a3b2-2199-4b37-9071-3ad53d22cca4\build3.exe
        
        "C:\Users\Admin\AppData\Local\36b2a3b2-2199-4b37-9071-3ad53d22cca4\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:4192
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1500

C:\Users\Admin\AppData\Local\Temp\1F47.exe
C:\Users\Admin\AppData\Local\Temp\1F47.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 808
  2⤵
  - Program crash
  PID:1716

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:4976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 600
1⤵
- Program crash
PID:2196

C:\Users\Admin\AppData\Local\Temp\2DFE.exe
C:\Users\Admin\AppData\Local\Temp\2DFE.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5084

C:\Users\Admin\AppData\Local\Temp\2B6D.exe
C:\Users\Admin\AppData\Local\Temp\2B6D.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
PID:3296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 668
  2⤵
  - Program crash
  PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 436
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3820 -ip 3820
1⤵
PID:1320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\3022.exe
C:\Users\Admin\AppData\Local\Temp\3022.exe
1⤵
- Executes dropped EXE
PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 340
  2⤵
  - Program crash
  PID:4704

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:404

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Roaming\jwebaee
C:\Users\Admin\AppData\Roaming\jwebaee
1⤵
- Executes dropped EXE
PID:3760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 340
  2⤵
  - Program crash
  PID:2912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2096

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3044 -ip 3044
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3760 -ip 3760
1⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\99DA.exe
C:\Users\Admin\AppData\Local\Temp\99DA.exe
1⤵
- Executes dropped EXE
PID:3120
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Defftihu.dll,start
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks processor information in registry
  PID:1704
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14078
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1904
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14078
    3⤵
    PID:3048
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14078
    3⤵
    PID:1656
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14078
    3⤵
    PID:3984
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14078
    3⤵
    PID:1228
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14078
    3⤵
    PID:3316
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14078
    3⤵
    PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 400
  2⤵
  - Program crash
  PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4480 -ip 4480
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3120 -ip 3120
1⤵
PID:4424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2976

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3296 -ip 3296
1⤵
PID:2868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3340

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1880

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4808 -ip 4808
1⤵
PID:2380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
PID:3824
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows nt\tabletextservice\reviews_joined.dll",djw6
  2⤵
  PID:2604

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
PID:4356

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4248
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\21514401281660943275475624

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\ProgramData\43630631598099314584109854

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\50334693350610924909014676

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\50334693350610924909014676

Filesize
5.0MB

MD5
6c97cd89a2d7449409eaafca65b040da

SHA1
d3af334b39bae95375d8bfa9cb372100ded40fd3

SHA256
2b4634efe70d47b1fa2e4d8f5488ff187265a3f9cbb3fcb36782c7ab0b162387

SHA512
b2f68fa71c815a7524da47322a3a9da0234064911ea9ed545254f1ad839a8fe1b053deb13fe9b0e9402bb19e49c59f8b4c01b32ac5073147f5672cbf8bdf8143

Download Submit
C:\ProgramData\87969424608726428906192291

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\91150945657697252374816709

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\92788044328201458475549686

Filesize
92KB

MD5
988b3b69326285fe3025cafc08a1bc8b

SHA1
3cf978d7e8f6281558c2c34fa60d13882edfd81e

SHA256
0acbaf311f2539bdf907869f7b8e75c614597d7d0084e2073ac002cf7e5437f4

SHA512
6fcc3acea7bee90489a23f76d4090002a10d8c735174ad90f8641a310717cfceb9b063dc700a88fcb3f9054f0c28b86f31329759f71c8eaf15620cefa87a17d4

Download Submit
C:\ProgramData\92788044328201458475549686

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\96141282947142269137464604

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\{D0EF9B73-EF3E-7E3E-C566-664CAE5520F0}\Fowyps.tmp

Filesize
3.5MB

MD5
989088c121fc20f50cda620d6167dff0

SHA1
a01853e3ac919ad59963c8aa1559aea6da799398

SHA256
10850a929a2b827e21867d2752467ab240b084849f5a3b46bd271127ce7a4de3

SHA512
113cf2730a57f549411a9a2b4a4c75c8accc18294f0a0dbf0da4e6c23bac042bce31fac0abbd0cd7172fd50cb88a02b78c93b131c5b968efd4e957eb004ff767

Download Submit
C:\ProgramData\{D0EF9B73-EF3E-7E3E-C566-664CAE5520F0}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml

Filesize
6KB

MD5
e2a07f037256d69937145aea357735fe

SHA1
07ce3d26f68b90604543f441bf75f57fbf6f5f99

SHA256
0f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257

SHA512
f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d

Download Submit
C:\ProgramData\{D0EF9B73-EF3E-7E3E-C566-664CAE5520F0}\resource.xml

Filesize
1KB

MD5
74371c7c6436c5599c4533dcc895760f

SHA1
8d37bece96e25ab522809539395d138d38dd6114

SHA256
c636384cf084f5df312cd9d33fccaa58058a3b2c6481e90cf9c71616c004d938

SHA512
689c7d02f15728f3823667fa4b2754b1bda40f35c5baaf250f6aa17638950f9e9135eb273d4108967253a728edb3418d09e636ca0f0599343375c4b56cfd0afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
84770e5e2da7dbc35f74f1301910fea1

SHA1
bd6156f63c93c2bc668dbd796d27474700cbff84

SHA256
97a616430f4f8b8a76004f3ffab182f6a01870267c53387960f71f56c3dae1c5

SHA512
6241fec66ad5219fa31ad47fdd93dea2ef079cfd600d3ec1ca48fe64d028d76a82984113a5052b74de8d678d183e2bafb965f3c6111f3cdf139239b07dfee941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
84770e5e2da7dbc35f74f1301910fea1

SHA1
bd6156f63c93c2bc668dbd796d27474700cbff84

SHA256
97a616430f4f8b8a76004f3ffab182f6a01870267c53387960f71f56c3dae1c5

SHA512
6241fec66ad5219fa31ad47fdd93dea2ef079cfd600d3ec1ca48fe64d028d76a82984113a5052b74de8d678d183e2bafb965f3c6111f3cdf139239b07dfee941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
46695bc8561a32e1833a6d99a77181a0

SHA1
b3c30e212f13fe612567d1a0d590ea400225bde2

SHA256
8acf929c15a9d787e72809586a1c01d53cd344207ed8f5b5d2f325f4a25f708e

SHA512
59a20f6594e628fb465ca887c4987656757d6b479c9fc72995c1bbe4c7ab89a8e60969aa68d7472b8a06bbfa99c01fdd0e87608fef95133463034bc21744e304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
46695bc8561a32e1833a6d99a77181a0

SHA1
b3c30e212f13fe612567d1a0d590ea400225bde2

SHA256
8acf929c15a9d787e72809586a1c01d53cd344207ed8f5b5d2f325f4a25f708e

SHA512
59a20f6594e628fb465ca887c4987656757d6b479c9fc72995c1bbe4c7ab89a8e60969aa68d7472b8a06bbfa99c01fdd0e87608fef95133463034bc21744e304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
94bd9c14574f3cdcb96435d3d6edf4ea

SHA1
1398d9237db0d8e99db0e12f86a4f535fef8b4b8

SHA256
48b3032cd4e613236dc9a65e49303a6ee48e2b7d2c209254b530a661ada8b74c

SHA512
4c024b6982edc56f2a449a88d82d92a8ad4c6a521253b46c7a1531370f1936443489eee62d9c780152fa19837eecb0c28e0455e36b7e34a1e7886692c2eefe7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
94bd9c14574f3cdcb96435d3d6edf4ea

SHA1
1398d9237db0d8e99db0e12f86a4f535fef8b4b8

SHA256
48b3032cd4e613236dc9a65e49303a6ee48e2b7d2c209254b530a661ada8b74c

SHA512
4c024b6982edc56f2a449a88d82d92a8ad4c6a521253b46c7a1531370f1936443489eee62d9c780152fa19837eecb0c28e0455e36b7e34a1e7886692c2eefe7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
ef6b72292c4b7c17407e67b40d0406cd

SHA1
4fa4df4538ffcbb35215daec519ca6940471f099

SHA256
63b420b477388b0a3793e35cdef0b48c60603f79cedb19c76d5da05498a6ddfb

SHA512
225c4571daf949f05bbc530b08951146b927c77bb79cdfb522553f21279882f30a4a388b2d1eb3eac69e1e6b2644b2927c1289e17a0f7314bb2969a05ece7cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
cef05c33eb4dca8ecc95b41923b638e9

SHA1
9324f8b66be8d20185060ba62f19b4ef899af712

SHA256
2a06487591578fd102825d91acb56997adc0adcf3126c00f489f44abb24075c2

SHA512
5e3a6be30127edfc0eb724c28126b3c39d1cb65a7c64c2462a26d69ae97862671deaabcf657aea2670696ee4fdaae7856264e0466c0c3b032aaeb6c76bbb92c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
cef05c33eb4dca8ecc95b41923b638e9

SHA1
9324f8b66be8d20185060ba62f19b4ef899af712

SHA256
2a06487591578fd102825d91acb56997adc0adcf3126c00f489f44abb24075c2

SHA512
5e3a6be30127edfc0eb724c28126b3c39d1cb65a7c64c2462a26d69ae97862671deaabcf657aea2670696ee4fdaae7856264e0466c0c3b032aaeb6c76bbb92c5

Download Submit
C:\Users\Admin\AppData\Local\4b4c76a7-1efc-4a9c-ada3-dd7d3f72e214\7E.exe

Filesize
686KB

MD5
44cecf304afdbabbb699760c42b352d7

SHA1
c32ac05f89a470b75a62e425907b2dd6bd03680c

SHA256
5c6c4a615ac0d8458c059ab5847d68997769ae87f717c1d8dd1cdda2999ab405

SHA512
649e47957417b497c0512727f0d9b4431bd713e46be844dc52a54193cb42e2406e920fbfb27919c3a2eb559e1d6b4c3e4d44185461279d12fa432b5c0455bb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\189F.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\189F.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\189F.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\189F.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F47.exe

Filesize
3.2MB

MD5
12c9ffd6da618549ff72192b588354b1

SHA1
b5686190f602449fe4db14da7a31e541d29aad49

SHA256
cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

SHA512
668ab1e02d1a18d5a94bf350024a7c88f0c7c6e0a64483332663075fbfa605ed1cf99928f982996577e0964d7cec7a1be1ee4b6041a84c10185017a2d0054c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F47.exe

Filesize
3.2MB

MD5
12c9ffd6da618549ff72192b588354b1

SHA1
b5686190f602449fe4db14da7a31e541d29aad49

SHA256
cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

SHA512
668ab1e02d1a18d5a94bf350024a7c88f0c7c6e0a64483332663075fbfa605ed1cf99928f982996577e0964d7cec7a1be1ee4b6041a84c10185017a2d0054c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\238149048355

Filesize
85KB

MD5
e34a85e864a56c9c567a6ac602c22304

SHA1
3302de309ef70ccabc5b70dde37092054d6fb165

SHA256
c58759e97f3b9961f09501c16b246272aa512d159ff25dc1d31b9ff51f06590d

SHA512
b79e30a9bfb4007ef2c0713d0159049ea62b8e66c3b9285a7f4e6f121b5e246eba072d23d6d13615a1be9b99106c7b62ccb7455a6b07423be402ad036448a3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\292.exe

Filesize
1.4MB

MD5
0de84a66b983d2f407390473dd1e37de

SHA1
21de93ab0f4e6706403e0bd3167be9aa8178018b

SHA256
e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969

SHA512
37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\292.exe

Filesize
1.4MB

MD5
0de84a66b983d2f407390473dd1e37de

SHA1
21de93ab0f4e6706403e0bd3167be9aa8178018b

SHA256
e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969

SHA512
37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\292.exe

Filesize
1.4MB

MD5
0de84a66b983d2f407390473dd1e37de

SHA1
21de93ab0f4e6706403e0bd3167be9aa8178018b

SHA256
e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969

SHA512
37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B6D.exe

Filesize
3.2MB

MD5
12c9ffd6da618549ff72192b588354b1

SHA1
b5686190f602449fe4db14da7a31e541d29aad49

SHA256
cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

SHA512
668ab1e02d1a18d5a94bf350024a7c88f0c7c6e0a64483332663075fbfa605ed1cf99928f982996577e0964d7cec7a1be1ee4b6041a84c10185017a2d0054c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B6D.exe

Filesize
3.2MB

MD5
12c9ffd6da618549ff72192b588354b1

SHA1
b5686190f602449fe4db14da7a31e541d29aad49

SHA256
cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

SHA512
668ab1e02d1a18d5a94bf350024a7c88f0c7c6e0a64483332663075fbfa605ed1cf99928f982996577e0964d7cec7a1be1ee4b6041a84c10185017a2d0054c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DFE.exe

Filesize
180KB

MD5
d7161c737b05961694b37258471dc116

SHA1
3701abcff17fed286ac22eaedec81e53d56be539

SHA256
09323b762a216ece584496962ffcf0f8394b613af412f8c5556b60d61b138d1b

SHA512
30142b30a9e409682e934b746cfee22d032d0097880112fa10b9bc0fe77e461122a1694de1fa3a7900f1f84d4dbb5260a254bbc25205068590834f8571db7686

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DFE.exe

Filesize
180KB

MD5
d7161c737b05961694b37258471dc116

SHA1
3701abcff17fed286ac22eaedec81e53d56be539

SHA256
09323b762a216ece584496962ffcf0f8394b613af412f8c5556b60d61b138d1b

SHA512
30142b30a9e409682e934b746cfee22d032d0097880112fa10b9bc0fe77e461122a1694de1fa3a7900f1f84d4dbb5260a254bbc25205068590834f8571db7686

Download Submit
C:\Users\Admin\AppData\Local\Temp\3022.exe

Filesize
180KB

MD5
2a236aef0c1084668ad33b92002588ca

SHA1
0307db9045cce9f2c216f4a342ef85ab4888abb2

SHA256
6186e7fa3b6101df3ee4a721a5f5b8609f90dd8d39159a501c91a485ca406d19

SHA512
ea374aecc55563656f29d2556c4a41ac91bbbd2fcb011db0f7738878b70ccb444968b7605a721e8fd054656a3297c3703c1dae88e511a28866cb208377f4bc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3022.exe

Filesize
180KB

MD5
2a236aef0c1084668ad33b92002588ca

SHA1
0307db9045cce9f2c216f4a342ef85ab4888abb2

SHA256
6186e7fa3b6101df3ee4a721a5f5b8609f90dd8d39159a501c91a485ca406d19

SHA512
ea374aecc55563656f29d2556c4a41ac91bbbd2fcb011db0f7738878b70ccb444968b7605a721e8fd054656a3297c3703c1dae88e511a28866cb208377f4bc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\429.exe

Filesize
1.4MB

MD5
0de84a66b983d2f407390473dd1e37de

SHA1
21de93ab0f4e6706403e0bd3167be9aa8178018b

SHA256
e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969

SHA512
37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\429.exe

Filesize
1.4MB

MD5
0de84a66b983d2f407390473dd1e37de

SHA1
21de93ab0f4e6706403e0bd3167be9aa8178018b

SHA256
e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969

SHA512
37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7737a2b1-6fc2-4642-99fc-97d1aa9f5df5.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E.exe

Filesize
686KB

MD5
44cecf304afdbabbb699760c42b352d7

SHA1
c32ac05f89a470b75a62e425907b2dd6bd03680c

SHA256
5c6c4a615ac0d8458c059ab5847d68997769ae87f717c1d8dd1cdda2999ab405

SHA512
649e47957417b497c0512727f0d9b4431bd713e46be844dc52a54193cb42e2406e920fbfb27919c3a2eb559e1d6b4c3e4d44185461279d12fa432b5c0455bb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E.exe

Filesize
686KB

MD5
44cecf304afdbabbb699760c42b352d7

SHA1
c32ac05f89a470b75a62e425907b2dd6bd03680c

SHA256
5c6c4a615ac0d8458c059ab5847d68997769ae87f717c1d8dd1cdda2999ab405

SHA512
649e47957417b497c0512727f0d9b4431bd713e46be844dc52a54193cb42e2406e920fbfb27919c3a2eb559e1d6b4c3e4d44185461279d12fa432b5c0455bb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E.exe

Filesize
686KB

MD5
44cecf304afdbabbb699760c42b352d7

SHA1
c32ac05f89a470b75a62e425907b2dd6bd03680c

SHA256
5c6c4a615ac0d8458c059ab5847d68997769ae87f717c1d8dd1cdda2999ab405

SHA512
649e47957417b497c0512727f0d9b4431bd713e46be844dc52a54193cb42e2406e920fbfb27919c3a2eb559e1d6b4c3e4d44185461279d12fa432b5c0455bb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F3.exe

Filesize
181KB

MD5
b0f75f680837d8cc1f19f1ad403fde6e

SHA1
0550cac9aa2fd98a96843b3c8afb33fc8b3ea605

SHA256
abbaf23c4f23258268d09240aa044d4df406f72e1cb88fcc2cff89dc191cd821

SHA512
441047e4e74e27d7578550b04ab1a9d5afd31f4d4c78d3bf4c9d0647878f8c4ac768802fdc8aa3542e878b209760aa429fe0b886c9bb0b5f66e1f4e3084db851

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F3.exe

Filesize
181KB

MD5
b0f75f680837d8cc1f19f1ad403fde6e

SHA1
0550cac9aa2fd98a96843b3c8afb33fc8b3ea605

SHA256
abbaf23c4f23258268d09240aa044d4df406f72e1cb88fcc2cff89dc191cd821

SHA512
441047e4e74e27d7578550b04ab1a9d5afd31f4d4c78d3bf4c9d0647878f8c4ac768802fdc8aa3542e878b209760aa429fe0b886c9bb0b5f66e1f4e3084db851

Download Submit
C:\Users\Admin\AppData\Local\Temp\91D.exe

Filesize
178KB

MD5
d7acab2d90611a1ba64c52fcb795b668

SHA1
e03096a1e263085c037c18c588946a2a3afe5ec4

SHA256
5b25066fa2e302fbc8614c191e2a5f4ac2d1724873ed459b6f46da1a643f1376

SHA512
e374e714c193f4d27db70a195a973a2bf5ee727ee87c3903c0cb2cdd0b4104e7d7e5a5808cbf2945de03061b6cf0ff6e4edda6506d63d5aff602f92545ea9dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\91D.exe

Filesize
178KB

MD5
d7acab2d90611a1ba64c52fcb795b668

SHA1
e03096a1e263085c037c18c588946a2a3afe5ec4

SHA256
5b25066fa2e302fbc8614c191e2a5f4ac2d1724873ed459b6f46da1a643f1376

SHA512
e374e714c193f4d27db70a195a973a2bf5ee727ee87c3903c0cb2cdd0b4104e7d7e5a5808cbf2945de03061b6cf0ff6e4edda6506d63d5aff602f92545ea9dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arfwoffrpyehp

Filesize
92KB

MD5
bae565bc385845e730347df331491051

SHA1
5da4a3def18f75d007cee6ee334f8e36b0c377bc

SHA256
c6aeae82d3a49e6ce016e1f02fa93c918d50934f93847ae371816e5fdeb79dd5

SHA512
6e9120dca1ec8acadbccff6c99bf81ccb6e91b53019be1b5bda35fa5a5be8e18fd001fcda8f01096123d3aae1e71e0262910dad846f756c513493c92387232a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC7.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC7.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC7.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC7.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC7.exe

Filesize
689KB

MD5
dd7a8f0edb368f011b21c42e100f6d26

SHA1
dd207af191d2933ea2b17d300ced6d056279b378

SHA256
2ce91204b673b3c0360214b643985f771eee4386ece95517de94fdceed182e71

SHA512
bec8040617e4fb0681bedb31d75199798c99042b8087ee83810a2053479a50d742f0ec78449b9dddca1f10283d9e86a2a30de2303786583b8588d25767a026ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
25KB

MD5
37621e5fb2c5ee512493e1a29311452e

SHA1
f36bd6ef7981c73fdd2698f7609e19631757eef9

SHA256
cfd5c93c9de4b4f637652e7a716cd7f65733db33905e3886b942dd6101baffe7

SHA512
a53a6865fcca739e14cf014afcaf39667633c14c8f18f705c8f8834830b8c70887f60a670dcfbd3159b384a3de172ee8fa03557ffce3bb4322a17449f2dcb840

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
ee5d452cc4ee71e1f544582bf6fca143

SHA1
a193952075b2b4a83759098754e814a931b8ba90

SHA256
f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe

SHA512
7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
ee5d452cc4ee71e1f544582bf6fca143

SHA1
a193952075b2b4a83759098754e814a931b8ba90

SHA256
f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe

SHA512
7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3BF5.txt

Filesize
427KB

MD5
9371e650276e4d26f46eda70ac6bca94

SHA1
b259e7c667a81e634bacbd870e8e6d4ede92ba02

SHA256
55ca1798227b80c2626484a8a6e3080d7e30de957904e4f668f7f547397c1934

SHA512
4826b68496dc4c01a4683c0417f57838d31ac05a8be6e64e2d0d9f53dc8ef4d2149919ce0a160151ecd9abeb929c1418b96522d74a5afca4a50078b418145af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3C23.txt

Filesize
11KB

MD5
e3d7b207b220df9e848965308b538403

SHA1
029d361413a5c27c3401f4062af5e6c7c3fcaf67

SHA256
8ebbc7d5541e10e3d68af2153ee26667eca11d5a4783b2061e91e0cceb02f4e8

SHA512
4be7fd03d02a4baed53a29242619c1602d93333ade29bf1a5ec2e76d83036883d5c7afd89fd5d27bd51425a84143e5ff6a2d67ce8d228150b4582bcba95e9afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
266KB

MD5
69baf97022e1dbdb2f1eabdc3773eb1a

SHA1
c1cecbb728ec2dfc27950b9ed87726cb18dabad1

SHA256
13b0ea4aaf8e1dcbe9f2ce8f40ad1f50ea22ad139f806fc02f4090e6a0f8c382

SHA512
d5ca1a9154c2861b809e07da1eb08657ff952cc935955e1d43af52597c99e8a8286e2c7e413cefe304a6fe85231c4bfe056efc2ed9dd8a0739a78ea07b711d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwen.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwen.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwen.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwen.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwen.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwen.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwen.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
3KB

MD5
142a0ebbbbcb85e5eb5f9e6664529af4

SHA1
15cb4048f5a70b9cd41d6d3b5461832c49edcde7

SHA256
b076e0120aae7c1918d6e2da29b885c6db83f1937e968676a6476c7a6a8918a1

SHA512
256ee049c36a998ed57c216e009b8d8711a4bb8346d4c9fe21efe0c5004a5ea7356da018a7e298090c99aba1fc172b2eca4fd16d17fab72317bdeb91e1bc6044

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
900KB

MD5
635d7aef53ed843b44be739c2b6d0c43

SHA1
abbf9fd908d4d2a2c4c87366552fc7d75ae474ef

SHA256
55c1e82d5fd4c19b79e692d6a869f41f65c5014e0f5122c5da52a3c5e64e54e8

SHA512
8ab908305fa3ccad0a51658c3c94965cd342ce9e1fd300660088bfa60c95aad353af639540aaf22acf711bc254b9ae38654aa043e7e2e0c0cdfd352cde74df20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
900KB

MD5
635d7aef53ed843b44be739c2b6d0c43

SHA1
abbf9fd908d4d2a2c4c87366552fc7d75ae474ef

SHA256
55c1e82d5fd4c19b79e692d6a869f41f65c5014e0f5122c5da52a3c5e64e54e8

SHA512
8ab908305fa3ccad0a51658c3c94965cd342ce9e1fd300660088bfa60c95aad353af639540aaf22acf711bc254b9ae38654aa043e7e2e0c0cdfd352cde74df20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
900KB

MD5
635d7aef53ed843b44be739c2b6d0c43

SHA1
abbf9fd908d4d2a2c4c87366552fc7d75ae474ef

SHA256
55c1e82d5fd4c19b79e692d6a869f41f65c5014e0f5122c5da52a3c5e64e54e8

SHA512
8ab908305fa3ccad0a51658c3c94965cd342ce9e1fd300660088bfa60c95aad353af639540aaf22acf711bc254b9ae38654aa043e7e2e0c0cdfd352cde74df20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
900KB

MD5
635d7aef53ed843b44be739c2b6d0c43

SHA1
abbf9fd908d4d2a2c4c87366552fc7d75ae474ef

SHA256
55c1e82d5fd4c19b79e692d6a869f41f65c5014e0f5122c5da52a3c5e64e54e8

SHA512
8ab908305fa3ccad0a51658c3c94965cd342ce9e1fd300660088bfa60c95aad353af639540aaf22acf711bc254b9ae38654aa043e7e2e0c0cdfd352cde74df20

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctAB8D.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\e561b516-e660-4d46-a276-9b329ded675f\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\grebaee

Filesize
180KB

MD5
d7161c737b05961694b37258471dc116

SHA1
3701abcff17fed286ac22eaedec81e53d56be539

SHA256
09323b762a216ece584496962ffcf0f8394b613af412f8c5556b60d61b138d1b

SHA512
30142b30a9e409682e934b746cfee22d032d0097880112fa10b9bc0fe77e461122a1694de1fa3a7900f1f84d4dbb5260a254bbc25205068590834f8571db7686

Download Submit
C:\Users\Admin\AppData\Roaming\wbebaee

Filesize
181KB

MD5
b0f75f680837d8cc1f19f1ad403fde6e

SHA1
0550cac9aa2fd98a96843b3c8afb33fc8b3ea605

SHA256
abbaf23c4f23258268d09240aa044d4df406f72e1cb88fcc2cff89dc191cd821

SHA512
441047e4e74e27d7578550b04ab1a9d5afd31f4d4c78d3bf4c9d0647878f8c4ac768802fdc8aa3542e878b209760aa429fe0b886c9bb0b5f66e1f4e3084db851

Download Submit
memory/212-752-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/212-765-0x0000000001290000-0x0000000001299000-memory.dmp

Filesize
36KB

Download
memory/436-670-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/436-467-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/436-650-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/452-337-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/452-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/452-202-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/452-190-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/452-397-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/452-192-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/560-178-0x0000000002240000-0x000000000235B000-memory.dmp

Filesize
1.1MB

Download
memory/680-834-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/680-657-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/680-555-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1104-746-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1104-748-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/1560-692-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1724-535-0x000001F4CCE40000-0x000001F4CCF74000-memory.dmp

Filesize
1.2MB

Download
memory/1724-275-0x000001F4CCE40000-0x000001F4CCF74000-memory.dmp

Filesize
1.2MB

Download
memory/1880-770-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1880-769-0x0000000001290000-0x0000000001299000-memory.dmp

Filesize
36KB

Download
memory/2028-686-0x0000000000D80000-0x0000000000D8F000-memory.dmp

Filesize
60KB

Download
memory/2028-860-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download
memory/2028-685-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download
memory/2408-385-0x0000000000610000-0x0000000000667000-memory.dmp

Filesize
348KB

Download
memory/2568-156-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-140-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-143-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-144-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-145-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-146-0x0000000008420000-0x0000000008430000-memory.dmp

Filesize
64KB

Download
memory/2568-155-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-152-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-872-0x0000000009690000-0x0000000009692000-memory.dmp

Filesize
8KB

Download
memory/2568-153-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-141-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-154-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-150-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-147-0x0000000008DB0000-0x0000000008DC0000-memory.dmp

Filesize
64KB

Download
memory/2568-148-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-149-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-142-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-151-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-314-0x00000000033B0000-0x00000000033C6000-memory.dmp

Filesize
88KB

Download
memory/2568-157-0x0000000008DB0000-0x0000000008DC0000-memory.dmp

Filesize
64KB

Download
memory/2568-234-0x0000000008DB0000-0x0000000008DC0000-memory.dmp

Filesize
64KB

Download
memory/2568-139-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2568-135-0x00000000032D0000-0x00000000032E6000-memory.dmp

Filesize
88KB

Download
memory/2568-468-0x0000000008E30000-0x0000000008E32000-memory.dmp

Filesize
8KB

Download
memory/2704-575-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2704-388-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2704-382-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2704-384-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2704-568-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2704-383-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2976-837-0x00000000004C0000-0x00000000004C3000-memory.dmp

Filesize
12KB

Download
memory/2976-679-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download
memory/2976-678-0x00000000004C0000-0x00000000004C3000-memory.dmp

Filesize
12KB

Download
memory/3044-392-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3120-577-0x00000000027E0000-0x0000000002B10000-memory.dmp

Filesize
3.2MB

Download
memory/3296-658-0x0000000002100000-0x000000000211C000-memory.dmp

Filesize
112KB

Download
memory/3296-664-0x00000000004C0000-0x00000000004C3000-memory.dmp

Filesize
12KB

Download
memory/3296-659-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/3296-373-0x00000000020D0000-0x00000000020FE000-memory.dmp

Filesize
184KB

Download
memory/3296-687-0x0000000002100000-0x000000000211C000-memory.dmp

Filesize
112KB

Download
memory/3340-690-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/3340-689-0x0000000000D80000-0x0000000000D8F000-memory.dmp

Filesize
60KB

Download
memory/3436-340-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3436-292-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3436-313-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3436-293-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3624-826-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/3624-827-0x0000000000A10000-0x0000000000A1D000-memory.dmp

Filesize
52KB

Download
memory/3820-183-0x0000000000EB0000-0x000000000102A000-memory.dmp

Filesize
1.5MB

Download
memory/3852-273-0x000001AFD7A40000-0x000001AFD7BB3000-memory.dmp

Filesize
1.4MB

Download
memory/3852-534-0x000001AFD7BC0000-0x000001AFD7CF4000-memory.dmp

Filesize
1.2MB

Download
memory/3852-274-0x000001AFD7BC0000-0x000001AFD7CF4000-memory.dmp

Filesize
1.2MB

Download
memory/4248-136-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4248-134-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4372-391-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4372-390-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4372-387-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4372-393-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4372-567-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4372-380-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4372-389-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4372-381-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4468-176-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4468-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4468-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4468-261-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4468-182-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4480-354-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4480-571-0x0000000002000000-0x000000000201A000-memory.dmp

Filesize
104KB

Download
memory/4480-570-0x0000000002000000-0x000000000201A000-memory.dmp

Filesize
104KB

Download
memory/4480-569-0x0000000001FE0000-0x0000000001FFC000-memory.dmp

Filesize
112KB

Download
memory/4480-649-0x0000000001FE0000-0x0000000001FFC000-memory.dmp

Filesize
112KB

Download
memory/4480-317-0x0000000001FB0000-0x0000000001FDE000-memory.dmp

Filesize
184KB

Download
memory/4552-829-0x0000000000A10000-0x0000000000A1D000-memory.dmp

Filesize
52KB

Download
memory/4552-830-0x0000000000110000-0x000000000011B000-memory.dmp

Filesize
44KB

Download
memory/4596-290-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4768-195-0x0000000002230000-0x000000000234B000-memory.dmp

Filesize
1.1MB

Download
memory/4892-318-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4892-243-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/5080-367-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-349-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-324-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-339-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-325-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-333-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-336-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-288-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-284-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-315-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5084-375-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download