laplas | 96b92223396da25f949fa4f8f39057db933c3567886f57aa40e6cda3a3d48d96

Analysis

max time kernel
92s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

213KB
MD5

22a06350369a20eabe5a60f29b10409e
SHA1

fd12766bc8caf43cd0318933eb9cdd34e8d86bef
SHA256

96b92223396da25f949fa4f8f39057db933c3567886f57aa40e6cda3a3d48d96
SHA512

8a43318243d6b466193b07996de24cac596bb72740a56937df8e5398bebf11a58e012affa557f31f4dfefa4319938f9e9c70d4be511db992ddd5e64872024be7
SSDEEP

3072:aP24+4p4p77GD5qwrQzVKAJ7TDVeSGTUkbCVZ0NXO7WbYbsh5NvJ:4L+4peGDQLzUG7TJNGTUhqOpAxv

Score

10^/10

laplas redline smokeloader vidar build03 e749025c61b2caca10aa829a9e1a65a1 sprg backdoor clipper discovery evasion infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

redline

Botnet

build03

65.21.3.192:32845

Attributes

auth_value
688766d7eb9d4a5fde1dec6cdf7c3d9e

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2772 created 3204	2772	Tzairumea840.exe	23
PID 2772 created 3204	2772	Tzairumea840.exe	23
PID 2772 created 3204	2772	Tzairumea840.exe	23
PID 2772 created 3204	2772	Tzairumea840.exe	23

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	Tzairumea840.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	85906762675035264924.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	D595.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	C0B5.exe

Executes dropped EXE 7 IoCs

pid	Process
4232	C0B5.exe
4332	D595.exe
4536	17433733360249395485.exe
1352	85906762675035264924.exe
2760	svcservice.exe
2772	Tzairumea840.exe
3836	D595.exe

Loads dropped DLL 2 IoCs

pid	Process
4232	C0B5.exe
4232	C0B5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002317c-286.dat	upx
behavioral2/files/0x000600000002317c-288.dat	upx
behavioral2/files/0x000600000002317c-289.dat	upx
behavioral2/memory/4536-292-0x0000000000DB0000-0x0000000001C13000-memory.dmp	upx
behavioral2/memory/4536-295-0x0000000000DB0000-0x0000000001C13000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	85906762675035264924.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xrdsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ygpxl\\Xrdsu.exe\""	D595.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1352	85906762675035264924.exe
1352	85906762675035264924.exe
2760	svcservice.exe
2760	svcservice.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4332 set thread context of 3836	4332	D595.exe	115

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4472	sc.exe
2224	sc.exe
620	sc.exe
3972	sc.exe
336	sc.exe
2084	sc.exe
4732	sc.exe
4284	sc.exe
3272	sc.exe
1164	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4656	4232	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C0B5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C0B5.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4644	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1188	setup.exe
1188	setup.exe
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3204	Explorer.EXE

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
1188	setup.exe
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	D595.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeShutdownPrivilege	3784	powercfg.exe
Token: SeCreatePagefilePrivilege	3784	powercfg.exe
Token: SeShutdownPrivilege	3372	powercfg.exe
Token: SeCreatePagefilePrivilege	3372	powercfg.exe
Token: SeShutdownPrivilege	216	powercfg.exe
Token: SeCreatePagefilePrivilege	216	powercfg.exe
Token: SeShutdownPrivilege	3912	powercfg.exe
Token: SeCreatePagefilePrivilege	3912	powercfg.exe
Token: SeDebugPrivilege	3836	D595.exe
Token: SeIncreaseQuotaPrivilege	3228	powershell.exe
Token: SeSecurityPrivilege	3228	powershell.exe
Token: SeTakeOwnershipPrivilege	3228	powershell.exe
Token: SeLoadDriverPrivilege	3228	powershell.exe
Token: SeSystemProfilePrivilege	3228	powershell.exe
Token: SeSystemtimePrivilege	3228	powershell.exe
Token: SeProfSingleProcessPrivilege	3228	powershell.exe
Token: SeIncBasePriorityPrivilege	3228	powershell.exe
Token: SeCreatePagefilePrivilege	3228	powershell.exe
Token: SeBackupPrivilege	3228	powershell.exe
Token: SeRestorePrivilege	3228	powershell.exe
Token: SeShutdownPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeSystemEnvironmentPrivilege	3228	powershell.exe
Token: SeRemoteShutdownPrivilege	3228	powershell.exe
Token: SeUndockPrivilege	3228	powershell.exe
Token: SeManageVolumePrivilege	3228	powershell.exe
Token: 33	3228	powershell.exe
Token: 34	3228	powershell.exe
Token: 35	3228	powershell.exe
Token: 36	3228	powershell.exe
Token: SeIncreaseQuotaPrivilege	3228	powershell.exe
Token: SeSecurityPrivilege	3228	powershell.exe
Token: SeTakeOwnershipPrivilege	3228	powershell.exe
Token: SeLoadDriverPrivilege	3228	powershell.exe
Token: SeSystemProfilePrivilege	3228	powershell.exe
Token: SeSystemtimePrivilege	3228	powershell.exe
Token: SeProfSingleProcessPrivilege	3228	powershell.exe
Token: SeIncBasePriorityPrivilege	3228	powershell.exe
Token: SeCreatePagefilePrivilege	3228	powershell.exe
Token: SeBackupPrivilege	3228	powershell.exe
Token: SeRestorePrivilege	3228	powershell.exe
Token: SeShutdownPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeSystemEnvironmentPrivilege	3228	powershell.exe
Token: SeRemoteShutdownPrivilege	3228	powershell.exe
Token: SeUndockPrivilege	3228	powershell.exe
Token: SeManageVolumePrivilege	3228	powershell.exe
Token: 33	3228	powershell.exe
Token: 34	3228	powershell.exe
Token: 35	3228	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 4232	3204	Explorer.EXE	88
PID 3204 wrote to memory of 4232	3204	Explorer.EXE	88
PID 3204 wrote to memory of 4232	3204	Explorer.EXE	88
PID 3204 wrote to memory of 4332	3204	Explorer.EXE	90
PID 3204 wrote to memory of 4332	3204	Explorer.EXE	90
PID 3204 wrote to memory of 4332	3204	Explorer.EXE	90
PID 3204 wrote to memory of 4404	3204	Explorer.EXE	91
PID 3204 wrote to memory of 4404	3204	Explorer.EXE	91
PID 3204 wrote to memory of 4404	3204	Explorer.EXE	91
PID 3204 wrote to memory of 4404	3204	Explorer.EXE	91
PID 3204 wrote to memory of 724	3204	Explorer.EXE	92
PID 3204 wrote to memory of 724	3204	Explorer.EXE	92
PID 3204 wrote to memory of 724	3204	Explorer.EXE	92
PID 3204 wrote to memory of 956	3204	Explorer.EXE	93
PID 3204 wrote to memory of 956	3204	Explorer.EXE	93
PID 3204 wrote to memory of 956	3204	Explorer.EXE	93
PID 3204 wrote to memory of 956	3204	Explorer.EXE	93
PID 3204 wrote to memory of 1908	3204	Explorer.EXE	94
PID 3204 wrote to memory of 1908	3204	Explorer.EXE	94
PID 3204 wrote to memory of 1908	3204	Explorer.EXE	94
PID 4332 wrote to memory of 3876	4332	D595.exe	95
PID 4332 wrote to memory of 3876	4332	D595.exe	95
PID 4332 wrote to memory of 3876	4332	D595.exe	95
PID 3204 wrote to memory of 5072	3204	Explorer.EXE	97
PID 3204 wrote to memory of 5072	3204	Explorer.EXE	97
PID 3204 wrote to memory of 5072	3204	Explorer.EXE	97
PID 3204 wrote to memory of 5072	3204	Explorer.EXE	97
PID 3204 wrote to memory of 2092	3204	Explorer.EXE	98
PID 3204 wrote to memory of 2092	3204	Explorer.EXE	98
PID 3204 wrote to memory of 2092	3204	Explorer.EXE	98
PID 3204 wrote to memory of 2092	3204	Explorer.EXE	98
PID 3204 wrote to memory of 2336	3204	Explorer.EXE	99
PID 3204 wrote to memory of 2336	3204	Explorer.EXE	99
PID 3204 wrote to memory of 2336	3204	Explorer.EXE	99
PID 3204 wrote to memory of 2336	3204	Explorer.EXE	99
PID 4232 wrote to memory of 4536	4232	C0B5.exe	100
PID 4232 wrote to memory of 4536	4232	C0B5.exe	100
PID 3204 wrote to memory of 3884	3204	Explorer.EXE	102
PID 3204 wrote to memory of 3884	3204	Explorer.EXE	102
PID 3204 wrote to memory of 3884	3204	Explorer.EXE	102
PID 4536 wrote to memory of 540	4536	17433733360249395485.exe	103
PID 4536 wrote to memory of 540	4536	17433733360249395485.exe	103
PID 3204 wrote to memory of 1828	3204	Explorer.EXE	105
PID 3204 wrote to memory of 1828	3204	Explorer.EXE	105
PID 3204 wrote to memory of 1828	3204	Explorer.EXE	105
PID 3204 wrote to memory of 1828	3204	Explorer.EXE	105
PID 540 wrote to memory of 4624	540	cmd.exe	106
PID 540 wrote to memory of 4624	540	cmd.exe	106
PID 4232 wrote to memory of 1352	4232	C0B5.exe	107
PID 4232 wrote to memory of 1352	4232	C0B5.exe	107
PID 4232 wrote to memory of 1352	4232	C0B5.exe	107
PID 4232 wrote to memory of 2020	4232	C0B5.exe	108
PID 4232 wrote to memory of 2020	4232	C0B5.exe	108
PID 4232 wrote to memory of 2020	4232	C0B5.exe	108
PID 2020 wrote to memory of 4644	2020	cmd.exe	111
PID 2020 wrote to memory of 4644	2020	cmd.exe	111
PID 2020 wrote to memory of 4644	2020	cmd.exe	111
PID 1352 wrote to memory of 2760	1352	85906762675035264924.exe	113
PID 1352 wrote to memory of 2760	1352	85906762675035264924.exe	113
PID 1352 wrote to memory of 2760	1352	85906762675035264924.exe	113
PID 4332 wrote to memory of 2772	4332	D595.exe	114
PID 4332 wrote to memory of 2772	4332	D595.exe	114
PID 4332 wrote to memory of 3836	4332	D595.exe	115
PID 4332 wrote to memory of 3836	4332	D595.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\C0B5.exe
  C:\Users\Admin\AppData\Local\Temp\C0B5.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\ProgramData\17433733360249395485.exe
    "C:\ProgramData\17433733360249395485.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\17433733360249395485.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:4624
- - C:\ProgramData\85906762675035264924.exe
    "C:\ProgramData\85906762675035264924.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C0B5.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:4644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 2116
    3⤵
    - Program crash
    PID:4656
- C:\Users\Admin\AppData\Local\Temp\D595.exe
  C:\Users\Admin\AppData\Local\Temp\D595.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- - C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe
    "C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\D595.exe
    C:\Users\Admin\AppData\Local\Temp\D595.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3836
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4404
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:724
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:956
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1908
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:5072
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2092
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2336
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3884
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mmwusnu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4104
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3784
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2740
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2224
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:620
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4732
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4284
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4368
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2308
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:748
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2180
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yqhkxrl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  PID:3800
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:3180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4728
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3520
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:336
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3272
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2084
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4472
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1164
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4184
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4580
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4508
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3420
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4388
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2680
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:388
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mmwusnu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4232 -ip 4232
1⤵
PID:4120

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.6MB

MD5
58fe5c1f5bb97d2ab8c07d9b2165d291

SHA1
7fa1fd096e3e299a1d12620afb5f0e8bbac501fc

SHA256
9ec7b6c726d9cafca8ab233f83133e06adf5a8af6898197ffc7c5ef54b402694

SHA512
ee7532ef1d4903eb4a6fddca47774358a67904ec49cbc700a2161c9f1f372bd02679fbeb4bada5cb6d940946084b080f7bbc138d4a8202fdbed5b9a8bc377e01

Download Submit
C:\ProgramData\17433733360249395485.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\17433733360249395485.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\17433733360249395485.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\85906762675035264924.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\85906762675035264924.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\85906762675035264924.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
622bf737a997b9a257f15dc3b9ee9da5

SHA1
6beba023f9c081393b64de079969e948a47be8be

SHA256
bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7

SHA512
c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\D595.exe.log

Filesize
1KB

MD5
13b08803e0bb671919478d178f19d6e2

SHA1
9f8c1d2a16446f9ee1e3244f48d372aecccf4dd9

SHA256
bab001392f6a9fc257a302cf557c9f571c7b352f41aedda14b049976ee5fd1c9

SHA512
2fe208b9958329734a5c6ce6aa526ee20d2c02d351927e75f85f27c2ffdc3c9e3413c17dc6e0dd9eefc3fb379e936b6bef2984a6e44ffafdc7600f590398016f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
68d213788e7ead9edd268f3f2dc0b164

SHA1
ce040fe30a823e058322edd7783ded9587aaa384

SHA256
50d8435b639de5637238ca7e93855f50b5cdd97a5348741e59a5f746f1e239b1

SHA512
b3b04202fd76981ccae9158b950daa668dd3e6fa41081b94342e166571a911fbb2960369d6bdb77481c1c3c59de4f351cf6ab34e1c171f13acd8d79936175801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
41ac47e52d901688f4c46823eb12c6ae

SHA1
c80f6ae3584d3ebd94b753dd7ef1039ed541f078

SHA256
ab4a7be7634267aaf9c5db321924ee34f6e8c97267bf0844138bde233c409c8f

SHA512
1ccb1c694c6d61027b223cf7c79ce5fdc6046a4a32dc15f22b722d6f063c127f4b5f5f3740f2c8b2447504f54d6e0d9afa47d202a61946e29bbcbac41d83c5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58f473558345c4d2feab48d4999b148a

SHA1
a58fec1ddadb3cb692cd1bac3d21d09592ec58ee

SHA256
69496654c76a65ba517bb7ee3bacb598a1e778aa7ee7807bf7318087d8d39d22

SHA512
f19f50701c05d050fa114e29544e77ce620c4f05619262781eb5a12906f3e4a0219d79ea574e2ace3bdad8c25346f2dad71e9768f64361321e9299061b7b87d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0B5.exe

Filesize
322KB

MD5
cafc8351bc21c41083793db0f57b6aa8

SHA1
8cb45d0e477aac3f7efdef9226c295a1fffde756

SHA256
77cd68e6328a5b58a625e6190b56713e62b37db8fcae04d9b6f7021745c4603f

SHA512
2fcff8f290c4c4c1ec5c33e7bad4db731d3a9f2106df92e8ceeaaf1ab6d4ada5957cee3b5e5f0cce2c5e2e8afb6f408e2fc37a437a77972950e49b489a2be514

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0B5.exe

Filesize
322KB

MD5
cafc8351bc21c41083793db0f57b6aa8

SHA1
8cb45d0e477aac3f7efdef9226c295a1fffde756

SHA256
77cd68e6328a5b58a625e6190b56713e62b37db8fcae04d9b6f7021745c4603f

SHA512
2fcff8f290c4c4c1ec5c33e7bad4db731d3a9f2106df92e8ceeaaf1ab6d4ada5957cee3b5e5f0cce2c5e2e8afb6f408e2fc37a437a77972950e49b489a2be514

Download Submit
C:\Users\Admin\AppData\Local\Temp\D595.exe

Filesize
1.4MB

MD5
04a05e3080aba5e333c816493ef2635d

SHA1
28d558491a0756f871b986130f0e7f86639877a2

SHA256
95aee7feb92f8e8f236f65399712ed5be9ca5f52c6dbec65ab650c6db63f24fb

SHA512
a5316921db7096ca827d48b42c6aafd18dedfc6f5f4ccff73cec2bbd860f1ad2abefc6d97251ba3bff5d73f3ac72bd31ee092fec40d747a893baf614fd0ff498

Download Submit
C:\Users\Admin\AppData\Local\Temp\D595.exe

Filesize
1.4MB

MD5
04a05e3080aba5e333c816493ef2635d

SHA1
28d558491a0756f871b986130f0e7f86639877a2

SHA256
95aee7feb92f8e8f236f65399712ed5be9ca5f52c6dbec65ab650c6db63f24fb

SHA512
a5316921db7096ca827d48b42c6aafd18dedfc6f5f4ccff73cec2bbd860f1ad2abefc6d97251ba3bff5d73f3ac72bd31ee092fec40d747a893baf614fd0ff498

Download Submit
C:\Users\Admin\AppData\Local\Temp\D595.exe

Filesize
1.4MB

MD5
04a05e3080aba5e333c816493ef2635d

SHA1
28d558491a0756f871b986130f0e7f86639877a2

SHA256
95aee7feb92f8e8f236f65399712ed5be9ca5f52c6dbec65ab650c6db63f24fb

SHA512
a5316921db7096ca827d48b42c6aafd18dedfc6f5f4ccff73cec2bbd860f1ad2abefc6d97251ba3bff5d73f3ac72bd31ee092fec40d747a893baf614fd0ff498

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe

Filesize
3.6MB

MD5
58fe5c1f5bb97d2ab8c07d9b2165d291

SHA1
7fa1fd096e3e299a1d12620afb5f0e8bbac501fc

SHA256
9ec7b6c726d9cafca8ab233f83133e06adf5a8af6898197ffc7c5ef54b402694

SHA512
ee7532ef1d4903eb4a6fddca47774358a67904ec49cbc700a2161c9f1f372bd02679fbeb4bada5cb6d940946084b080f7bbc138d4a8202fdbed5b9a8bc377e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe

Filesize
3.6MB

MD5
58fe5c1f5bb97d2ab8c07d9b2165d291

SHA1
7fa1fd096e3e299a1d12620afb5f0e8bbac501fc

SHA256
9ec7b6c726d9cafca8ab233f83133e06adf5a8af6898197ffc7c5ef54b402694

SHA512
ee7532ef1d4903eb4a6fddca47774358a67904ec49cbc700a2161c9f1f372bd02679fbeb4bada5cb6d940946084b080f7bbc138d4a8202fdbed5b9a8bc377e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe

Filesize
3.6MB

MD5
58fe5c1f5bb97d2ab8c07d9b2165d291

SHA1
7fa1fd096e3e299a1d12620afb5f0e8bbac501fc

SHA256
9ec7b6c726d9cafca8ab233f83133e06adf5a8af6898197ffc7c5ef54b402694

SHA512
ee7532ef1d4903eb4a6fddca47774358a67904ec49cbc700a2161c9f1f372bd02679fbeb4bada5cb6d940946084b080f7bbc138d4a8202fdbed5b9a8bc377e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxo4zw1n.iy0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
740.2MB

MD5
983e49c8c9adeb484670bc71e9eefaed

SHA1
6d786c52134ab51def3d42eb3475338228e55f42

SHA256
011cfb6a659e78e53c3ebb28d530e68637720e7d9fb67d918c34af0e17126ee3

SHA512
8c8a4be1fe0f03e3876f636656d8182bdb4525f84f18bf4646a353aa0330a19fd0158bf76277d51de7587ed7b22292aab0ce56a5ea10f5e3168cfe1add7a6ef3

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
740.2MB

MD5
983e49c8c9adeb484670bc71e9eefaed

SHA1
6d786c52134ab51def3d42eb3475338228e55f42

SHA256
011cfb6a659e78e53c3ebb28d530e68637720e7d9fb67d918c34af0e17126ee3

SHA512
8c8a4be1fe0f03e3876f636656d8182bdb4525f84f18bf4646a353aa0330a19fd0158bf76277d51de7587ed7b22292aab0ce56a5ea10f5e3168cfe1add7a6ef3

Download Submit
memory/724-319-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/724-240-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download
memory/724-241-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/724-242-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download
memory/908-378-0x000001B97A040000-0x000001B97A062000-memory.dmp

Filesize
136KB

Download
memory/908-397-0x000001B97AB30000-0x000001B97AB4C000-memory.dmp

Filesize
112KB

Download
memory/908-401-0x000001B97AEB0000-0x000001B97AEB8000-memory.dmp

Filesize
32KB

Download
memory/908-402-0x000001B97AEC0000-0x000001B97AECA000-memory.dmp

Filesize
40KB

Download
memory/908-400-0x000001B97AEA0000-0x000001B97AEAA000-memory.dmp

Filesize
40KB

Download
memory/908-399-0x00007FF4A4530000-0x00007FF4A4540000-memory.dmp

Filesize
64KB

Download
memory/908-385-0x000001B97A090000-0x000001B97A0A0000-memory.dmp

Filesize
64KB

Download
memory/908-384-0x000001B97A090000-0x000001B97A0A0000-memory.dmp

Filesize
64KB

Download
memory/908-386-0x000001B97A090000-0x000001B97A0A0000-memory.dmp

Filesize
64KB

Download
memory/956-245-0x00000000010D0000-0x00000000010D5000-memory.dmp

Filesize
20KB

Download
memory/956-243-0x00000000010C0000-0x00000000010C9000-memory.dmp

Filesize
36KB

Download
memory/956-247-0x00000000010C0000-0x00000000010C9000-memory.dmp

Filesize
36KB

Download
memory/956-320-0x00000000010D0000-0x00000000010D5000-memory.dmp

Filesize
20KB

Download
memory/1188-134-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1188-136-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1352-312-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/1352-314-0x0000000000380000-0x0000000000EBA000-memory.dmp

Filesize
11.2MB

Download
memory/1352-313-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/1828-300-0x0000000000F30000-0x0000000000F3B000-memory.dmp

Filesize
44KB

Download
memory/1828-339-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/1828-298-0x0000000000F30000-0x0000000000F3B000-memory.dmp

Filesize
44KB

Download
memory/1828-299-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/1908-322-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/1908-248-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1908-246-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1908-252-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2092-277-0x0000000000740000-0x0000000000745000-memory.dmp

Filesize
20KB

Download
memory/2092-328-0x0000000000740000-0x0000000000745000-memory.dmp

Filesize
20KB

Download
memory/2092-278-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/2092-275-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/2336-282-0x00000000012C0000-0x00000000012CB000-memory.dmp

Filesize
44KB

Download
memory/2336-336-0x00000000012D0000-0x00000000012D6000-memory.dmp

Filesize
24KB

Download
memory/2336-284-0x00000000012C0000-0x00000000012CB000-memory.dmp

Filesize
44KB

Download
memory/2336-283-0x00000000012D0000-0x00000000012D6000-memory.dmp

Filesize
24KB

Download
memory/2760-351-0x00000000006E0000-0x000000000121A000-memory.dmp

Filesize
11.2MB

Download
memory/2760-348-0x0000000001730000-0x0000000001731000-memory.dmp

Filesize
4KB

Download
memory/2760-349-0x0000000001790000-0x0000000001791000-memory.dmp

Filesize
4KB

Download
memory/2772-367-0x00007FF7387E0000-0x00007FF738B78000-memory.dmp

Filesize
3.6MB

Download
memory/2772-437-0x00007FF7387E0000-0x00007FF738B78000-memory.dmp

Filesize
3.6MB

Download
memory/2772-398-0x00007FF7387E0000-0x00007FF738B78000-memory.dmp

Filesize
3.6MB

Download
memory/3204-135-0x0000000001180000-0x0000000001196000-memory.dmp

Filesize
88KB

Download
memory/3836-361-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3836-368-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/3836-369-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/3836-370-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3836-371-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/3836-372-0x0000000005510000-0x000000000554C000-memory.dmp

Filesize
240KB

Download
memory/3836-412-0x0000000005820000-0x0000000005896000-memory.dmp

Filesize
472KB

Download
memory/3876-323-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/3876-297-0x0000000006150000-0x000000000616A000-memory.dmp

Filesize
104KB

Download
memory/3876-254-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/3876-251-0x0000000004D70000-0x0000000005398000-memory.dmp

Filesize
6.2MB

Download
memory/3876-337-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/3876-249-0x0000000002360000-0x0000000002396000-memory.dmp

Filesize
216KB

Download
memory/3876-265-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3876-324-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/3876-270-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3876-274-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/3876-291-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/3876-253-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/3876-296-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/3884-294-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download
memory/3884-290-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download
memory/3884-293-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/3884-338-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/4232-150-0x0000000000610000-0x0000000000667000-memory.dmp

Filesize
348KB

Download
memory/4232-160-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4232-321-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4232-276-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4332-220-0x0000000000260000-0x00000000003C4000-memory.dmp

Filesize
1.4MB

Download
memory/4332-244-0x0000000007010000-0x0000000007032000-memory.dmp

Filesize
136KB

Download
memory/4332-346-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/4332-239-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4332-318-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4332-347-0x00000000078E0000-0x0000000007E84000-memory.dmp

Filesize
5.6MB

Download
memory/4404-221-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/4404-237-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/4404-238-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/4404-317-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/4532-452-0x00007FF65F060000-0x00007FF65F3F8000-memory.dmp

Filesize
3.6MB

Download
memory/4532-453-0x00007FF65F060000-0x00007FF65F3F8000-memory.dmp

Filesize
3.6MB

Download
memory/4536-292-0x0000000000DB0000-0x0000000001C13000-memory.dmp

Filesize
14.4MB

Download
memory/4536-295-0x0000000000DB0000-0x0000000001C13000-memory.dmp

Filesize
14.4MB

Download
memory/5072-255-0x0000000000A50000-0x0000000000A72000-memory.dmp

Filesize
136KB

Download
memory/5072-250-0x0000000000A20000-0x0000000000A47000-memory.dmp

Filesize
156KB

Download
memory/5072-256-0x0000000000A20000-0x0000000000A47000-memory.dmp

Filesize
156KB

Download
memory/5072-325-0x0000000000A50000-0x0000000000A72000-memory.dmp

Filesize
136KB

Download