fabookie | a0497dde6d202b7dfe6d1b6b6a0493560bc3fc16a085b46097662aac3a44bd38

Analysis

max time kernel
76s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

9.1MB
MD5

93e23e5bed552c0500856641d19729a8
SHA1

7e14cdf808dcd21d766a4054935c87c89c037445
SHA256

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
SHA512

3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff
SSDEEP

196608:PBXWySxHnUIYfGp0N6k7jn3R655p0aRnk6bAEzV1d:pXc6rf6Q3ipdnkqAEzVf

Score

10^/10

fabookie ffdroider gcleaner glupteba metasploit onlylogger privateloader smokeloader socelars pub2 backdoor dropper evasion loader main spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

privateloader

http://45.133.1.182/proxies.txt

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp

https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://mnbuiy.pw/adsli/note8876.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://luminati-china.xyz/aman/casper2.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

gcleaner

194.145.227.161

Signatures

Detect Fabookie payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320b-230.dat	family_fabookie
behavioral2/files/0x000600000002320b-246.dat	family_fabookie
behavioral2/files/0x000600000002320b-245.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral2/memory/1956-279-0x0000000000590000-0x0000000000B3C000-memory.dmp	family_ffdroider
behavioral2/memory/1956-318-0x0000000000590000-0x0000000000B3C000-memory.dmp	family_ffdroider
behavioral2/memory/1956-855-0x0000000000590000-0x0000000000B3C000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

resource	yara_rule
behavioral2/memory/4608-280-0x0000000003970000-0x000000000428E000-memory.dmp	family_glupteba
behavioral2/memory/4608-284-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4608-288-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4608-319-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4608-460-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4608-507-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4552-552-0x00000000038A0000-0x00000000041BE000-memory.dmp	family_glupteba
behavioral2/memory/4552-576-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4552-856-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4552-868-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4272-870-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4272-880-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	File.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3972	rUNdlL32.eXe	103

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023208-200.dat	family_socelars
behavioral2/files/0x0006000000023208-209.dat	family_socelars
behavioral2/files/0x0006000000023208-216.dat	family_socelars

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/4408-497-0x00000000020C0000-0x00000000020F0000-memory.dmp	family_onlylogger
behavioral2/memory/4408-499-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger
behavioral2/memory/4408-613-0x00000000020C0000-0x00000000020F0000-memory.dmp	family_onlylogger

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3804	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 12 IoCs

pid	Process
1956	md9_1sjm.exe
4624	FoxSBrowser.exe
4992	Folder.exe
4608	Graphics.exe
3592	Updbdate.exe
3092	Install.exe
3472	File.exe
4548	pub2.exe
2084	Files.exe
4408	Details.exe
2576	Folder.exe
4552	Graphics.exe

Loads dropped DLL 1 IoCs

pid	Process
452	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
92	ipinfo.io
97	ipinfo.io
35	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Graphics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4816	452	WerFault.exe	107
540	4408	WerFault.exe	100
3360	4408	WerFault.exe	100
1420	4408	WerFault.exe	100
3680	4408	WerFault.exe	100
2560	4408	WerFault.exe	100
3228	4408	WerFault.exe	100
4472	4408	WerFault.exe	100

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1820	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2236	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	md9_1sjm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	md9_1sjm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4548	pub2.exe
4548	pub2.exe
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4548	pub2.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3092	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3092	Install.exe
Token: SeLockMemoryPrivilege	3092	Install.exe
Token: SeIncreaseQuotaPrivilege	3092	Install.exe
Token: SeMachineAccountPrivilege	3092	Install.exe
Token: SeTcbPrivilege	3092	Install.exe
Token: SeSecurityPrivilege	3092	Install.exe
Token: SeTakeOwnershipPrivilege	3092	Install.exe
Token: SeLoadDriverPrivilege	3092	Install.exe
Token: SeSystemProfilePrivilege	3092	Install.exe
Token: SeSystemtimePrivilege	3092	Install.exe
Token: SeProfSingleProcessPrivilege	3092	Install.exe
Token: SeIncBasePriorityPrivilege	3092	Install.exe
Token: SeCreatePagefilePrivilege	3092	Install.exe
Token: SeCreatePermanentPrivilege	3092	Install.exe
Token: SeBackupPrivilege	3092	Install.exe
Token: SeRestorePrivilege	3092	Install.exe
Token: SeShutdownPrivilege	3092	Install.exe
Token: SeDebugPrivilege	3092	Install.exe
Token: SeAuditPrivilege	3092	Install.exe
Token: SeSystemEnvironmentPrivilege	3092	Install.exe
Token: SeChangeNotifyPrivilege	3092	Install.exe
Token: SeRemoteShutdownPrivilege	3092	Install.exe
Token: SeUndockPrivilege	3092	Install.exe
Token: SeSyncAgentPrivilege	3092	Install.exe
Token: SeEnableDelegationPrivilege	3092	Install.exe
Token: SeManageVolumePrivilege	3092	Install.exe
Token: SeImpersonatePrivilege	3092	Install.exe
Token: SeCreateGlobalPrivilege	3092	Install.exe
Token: 31	3092	Install.exe
Token: 32	3092	Install.exe
Token: 33	3092	Install.exe
Token: 34	3092	Install.exe
Token: 35	3092	Install.exe
Token: SeDebugPrivilege	4624	FoxSBrowser.exe
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeManageVolumePrivilege	1956	md9_1sjm.exe
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeManageVolumePrivilege	1956	md9_1sjm.exe
Token: SeDebugPrivilege	4608	Graphics.exe
Token: SeImpersonatePrivilege	4608	Graphics.exe
Token: SeManageVolumePrivilege	1956	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	4552	Graphics.exe
Token: SeManageVolumePrivilege	1956	md9_1sjm.exe
Token: SeManageVolumePrivilege	1956	md9_1sjm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1956	4612	installer.exe	86
PID 4612 wrote to memory of 1956	4612	installer.exe	86
PID 4612 wrote to memory of 1956	4612	installer.exe	86
PID 4612 wrote to memory of 4624	4612	installer.exe	89
PID 4612 wrote to memory of 4624	4612	installer.exe	89
PID 4612 wrote to memory of 4992	4612	installer.exe	90
PID 4612 wrote to memory of 4992	4612	installer.exe	90
PID 4612 wrote to memory of 4992	4612	installer.exe	90
PID 4612 wrote to memory of 4608	4612	installer.exe	91
PID 4612 wrote to memory of 4608	4612	installer.exe	91
PID 4612 wrote to memory of 4608	4612	installer.exe	91
PID 4612 wrote to memory of 3592	4612	installer.exe	92
PID 4612 wrote to memory of 3592	4612	installer.exe	92
PID 4612 wrote to memory of 3592	4612	installer.exe	92
PID 4612 wrote to memory of 3092	4612	installer.exe	94
PID 4612 wrote to memory of 3092	4612	installer.exe	94
PID 4612 wrote to memory of 3092	4612	installer.exe	94
PID 4612 wrote to memory of 3472	4612	installer.exe	97
PID 4612 wrote to memory of 3472	4612	installer.exe	97
PID 4612 wrote to memory of 3472	4612	installer.exe	97
PID 4612 wrote to memory of 4548	4612	installer.exe	98
PID 4612 wrote to memory of 4548	4612	installer.exe	98
PID 4612 wrote to memory of 4548	4612	installer.exe	98
PID 4612 wrote to memory of 2084	4612	installer.exe	99
PID 4612 wrote to memory of 2084	4612	installer.exe	99
PID 4612 wrote to memory of 4408	4612	installer.exe	100
PID 4612 wrote to memory of 4408	4612	installer.exe	100
PID 4612 wrote to memory of 4408	4612	installer.exe	100
PID 4992 wrote to memory of 2576	4992	Folder.exe	101
PID 4992 wrote to memory of 2576	4992	Folder.exe	101
PID 4992 wrote to memory of 2576	4992	Folder.exe	101
PID 3092 wrote to memory of 2044	3092	Install.exe	104
PID 3092 wrote to memory of 2044	3092	Install.exe	104
PID 3092 wrote to memory of 2044	3092	Install.exe	104
PID 2848 wrote to memory of 452	2848	rUNdlL32.eXe	107
PID 2848 wrote to memory of 452	2848	rUNdlL32.eXe	107
PID 2848 wrote to memory of 452	2848	rUNdlL32.eXe	107
PID 2044 wrote to memory of 2236	2044	cmd.exe	110
PID 2044 wrote to memory of 2236	2044	cmd.exe	110
PID 2044 wrote to memory of 2236	2044	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:2576
- C:\Users\Admin\AppData\Local\Temp\Graphics.exe
  "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\Graphics.exe
    "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
    3⤵
    - Executes dropped EXE
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:340
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3804
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe /202-202
      4⤵
      PID:4272
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:2020
- C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2236
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\Details.exe
  "C:\Users\Admin\AppData\Local\Temp\Details.exe"
  2⤵
  - Executes dropped EXE
  PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 460
    3⤵
    - Program crash
    PID:540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 620
    3⤵
    - Program crash
    PID:3360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 656
    3⤵
    - Program crash
    PID:1420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 756
    3⤵
    - Program crash
    PID:3680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 492
    3⤵
    - Program crash
    PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 828
    3⤵
    - Program crash
    PID:3228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1032
    3⤵
    - Program crash
    PID:4472

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 604
    3⤵
    - Program crash
    PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 452 -ip 452
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4408 -ip 4408
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4408 -ip 4408
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4408 -ip 4408
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4408 -ip 4408
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4408 -ip 4408
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4408 -ip 4408
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4408 -ip 4408
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4408 -ip 4408
1⤵
PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Details.exe

Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe

Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe

Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe

Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe

Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe

Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
4096734e6a77688e234ca0a17e7f43a4

SHA1
e7f6e2dbf03f232597774b5e69b136a3f353f1cf

SHA256
be0c19b58406fdb2a89911dd8b2ab9c98d07bae7c9eab59e37e8922f7e48a832

SHA512
14ccdced6b65bc033280a8a05ce1e993d3507d383e926ca8b6e4511ce06b170fb02df69c12588ac4892d051e501741d5576b428f497488c686e628ca88a78d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
61KB

MD5
d580bac434b0a93f34432cd5ffb67c01

SHA1
67737df7c5212d0f558ba2f41e172826a19f027e

SHA256
e827043370517ff3546c3f4eb92e67e8768f23ae7680199a3829b0a835b21123

SHA512
fbd9fc6c4e1a1587959a041a6fd5f1da899bf2ca6c1bbeacbf3fc0c1eb3b7438f95e29254b8a6ebb85da86f986b1ed9db39841510943092375c1c730353d6cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a43cd2be11292a983d3515c5fe04eb69

SHA1
c685f16eb1a13d62ca611e07dc01e21b3a55a5f4

SHA256
636bd541f0992d8ef54ead7509ed2f46b3c4aa5f363e5b5231f7cafca4e32d78

SHA512
7c8ade4465532e121cc98d99459ac20ce809c256b1c1da3687a3c676ac8290137eb699c5af0de710439fbdf073fa39440c31da17d843e7a7de76b6b30fbb0921

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0937ab66515d0648178ec98a86cfafd5

SHA1
4198d20942227baae1eebaf3ebaa2e07a9fd6a68

SHA256
b026f138f019e689cf3e6368910606df8d6aa0c4b571dd5c3c2c1bbdcd9bc12f

SHA512
d4b6b91555869ae5d81e44cd90103e34a41543c14437b516c0166f9720ecdc4d8ff6faf0b95b9836b1dad22df78feeb09326eefe775049e1db293fc822c67b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0937ab66515d0648178ec98a86cfafd5

SHA1
4198d20942227baae1eebaf3ebaa2e07a9fd6a68

SHA256
b026f138f019e689cf3e6368910606df8d6aa0c4b571dd5c3c2c1bbdcd9bc12f

SHA512
d4b6b91555869ae5d81e44cd90103e34a41543c14437b516c0166f9720ecdc4d8ff6faf0b95b9836b1dad22df78feeb09326eefe775049e1db293fc822c67b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c744788ce9559cf5d4851dc058c416dc

SHA1
f1652649b3e88b987e67ac350f0c0f7a6164021f

SHA256
de87a7d179e7b5c3d400deb2ceb7afa1fc1785e6d782d94cef761d3efd5e9235

SHA512
de226d10f459a771de94a3be1a178dd440cae4f54d06f93a9c7d54ed1409673cb383b370fb45a79678bacab90fcb35e939cec8e3d0f8336b5b0ca6b9734fe519

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e0343a09fac1b23094a3bc38d8696366

SHA1
ef582d78104bc1e71c6b39050655d824782417bc

SHA256
5581cc134082cd0910025e778d1c8bcd5a922333be9414734f1ffc584e9ad2d6

SHA512
34cc0cdf85e642c26b42fe6a0903139c4107a06a56a9c6a52c3c82896b6d12a184e39324c5ff42080e4a7ebe1c7aa117de9ce5f82720bc9625a13f70e0e00443

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
21bdb4db70bf219d9683a37731fd39b4

SHA1
22ad61569499ff91e708da832351155997e3dcc5

SHA256
d41e236d9f8cb4fdcfcf56089ffef052d5e95a12791b8d7f226eca3e99b15aa3

SHA512
eea980e0ee5f1b918feae3f25b7ccf8f1b861b5d7cbef9717b2d8fac8987931f0f21c459166930fe72afea11c83eb3ea994e68de19b4668c45f0c8971050fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
21bdb4db70bf219d9683a37731fd39b4

SHA1
22ad61569499ff91e708da832351155997e3dcc5

SHA256
d41e236d9f8cb4fdcfcf56089ffef052d5e95a12791b8d7f226eca3e99b15aa3

SHA512
eea980e0ee5f1b918feae3f25b7ccf8f1b861b5d7cbef9717b2d8fac8987931f0f21c459166930fe72afea11c83eb3ea994e68de19b4668c45f0c8971050fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1da0755c315e46ab494af587e0475bb4

SHA1
5323bcbb4b293658311fcae72657765b65511b61

SHA256
332db49a7567e17e7cd2dd0aa2547eec96420f3aa44c41e2da620a833d335f25

SHA512
c4dec38ddc315d8afadce9864e4a2a57855fb5bf4c39f11bc2217f84d67e32718437bdf9cf0600a9110e549b56a4a4022645725e8eb13c4bbdb490593ba9d878

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
38a4ba0fe9efeccea6dde4c0d0c4b6f8

SHA1
b5bcf5bd3ffd35f4bbfb1a7d96568cda6d795d45

SHA256
62a8f98f378f94e7235122f926b95afb6f565fc903535b69a85a46b761aef699

SHA512
f7dea93c62a4160da2c801b64f498dc6db0406f7104c116478b971465f69fe56a85cb5d0f2dcc2ef5df2ed5a07d3f47be69fd51404ab87fe742098f8812672cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
faad907f507bea10231e8b50b0dac390

SHA1
216a7bfd8a32300853d93b643f5abe59b16e5e43

SHA256
9b4213d57f8f72fccf95e04d625df840f0bdae3e48f1ac2f570eede7dd7c4bfd

SHA512
3fef9afb0900dcf108caaad2c39ff289f77ae5b90c130b527c6a4a80518312a60e155cf4e49f57751903af49239c223d51da9930de7dab9212a4fe8d01f358a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b05b9b055e4f16f606b985ba8b02e9f4

SHA1
965e678bed98e628944ed1b688abc8d2d2446bae

SHA256
cb3668e97b7f254fc794e2c07c5dc7ecb939ec05974edb51e3cc86772a28b521

SHA512
5177b4257ebbf4cd62c1f38b06e36c735cbe4d4ac4b0063936873ea9be5d14528d5587ab425d43b69a922e6ea5e886de211460fda8136b0945cea0a01a24d841

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3d46180692eca3d62036fc03da940fa5

SHA1
5fddd644c741531e999b1154a8a972e155971358

SHA256
5a6b2f30ffaa6d441fec307f6875217dd668aca517e033e99bc5f35a7efcfd04

SHA512
8e1c4313f59138192555eefff83ac006648f3b09e1289fc88098b6bdd02d4a5ea80a159e4c9fd9c6995efab0082ba09199561195003d529506a8c4d1ad6a21f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8b5a6d08ca1a4c9520b0fb5738b88de2

SHA1
0dc6175ea9f354b20c9537d0a7452abb22fbdc45

SHA256
03673f665f6af5a822c9ddd0b073e2e189dd64c04af5cfd8d5c5dae4e36d812b

SHA512
2be830dc237dbe4f5f1c6a57ac7e5e8426106aafa2b88c50cd9919f56e63d52a15876da243ac69513d935df0533e27ab88bedc3a50ac3b27c78bb47692237f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8b5a6d08ca1a4c9520b0fb5738b88de2

SHA1
0dc6175ea9f354b20c9537d0a7452abb22fbdc45

SHA256
03673f665f6af5a822c9ddd0b073e2e189dd64c04af5cfd8d5c5dae4e36d812b

SHA512
2be830dc237dbe4f5f1c6a57ac7e5e8426106aafa2b88c50cd9919f56e63d52a15876da243ac69513d935df0533e27ab88bedc3a50ac3b27c78bb47692237f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9009dd7b5b139bffa257ba9f5f4e7f5b

SHA1
9e27968730321ae766931e1bc0f2d5a112b64a80

SHA256
9b6c27cb567f4cd697a2e868a1e6d04cf1581826d1da81aeb2d6dbca35a1a310

SHA512
58f030c220885883eea6a1ca4710b439acf9e902777d467a28fc11bb8f59e3aaa87be6421ffebbbbd3f74a3997ac25e6f5104ede4a3d71ac17db42625ca0024a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6158564b3e38c7633643af0471c48141

SHA1
cc3f0400f9948df0d420652eded3d35e3b005168

SHA256
af4b631ebc8456fc921310cb97c01461f4e56db3a9fa4ee375d76e3e283bc070

SHA512
35f1504036d68c8d72f67c9f4b27bad912e22ffb7ba4865678a4dcb50963747a660bf5d1260dd9394d44ed3d1b904b10bec3f5b042d20097ccf07aa2614fe58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7fb15da2a579cc8de2fbfcc29aed603b

SHA1
8bd60706b8c18a801e599c54bc9c457d2669e25a

SHA256
0d30fad0fa949758a2e93ee4e3c433012175e282d931d646ff4004c191d7da0e

SHA512
2ce09b5a602460e36f2d0a22054658cbfd79dd9522088ab55bcfa0ab4dcb38387865688e85db840a2595d055ab57e88ec24cad5677f286919848c3100ec170d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ce47cfe47a2de34bd35d096cf3ad871f

SHA1
53a8bae39072ce9c17fc60e60652e456b73632a4

SHA256
f55cab5dd8813ca9d595331c76cf22b3a0193146b4f35b83ce3c4d014b76e5d9

SHA512
12caf3dda0c7c4928286bb21b69f59720a7b42f7c01f67b2a61e1687f2f33971a0c44c3180239a2ccf5e6f2ac39bb23d0abb80871eae8bbe1a53e190090d09f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ff372150470246121bec3d0df78f789a

SHA1
32a59242179e80f63289adce0ae9538c8f7424d0

SHA256
6d85b73bae0c94ad85bbe6a9dcf191e66c73a02501049318659c69ae9b0e96f6

SHA512
0c0a0c9f760783debf4ba3cce7decf9ceec9c1124b566f2d73d674f76c0f8dd0bbf161a6ea692ee73b52ff5ac0e834451bee82c47a6b0a305520b2690c672e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ff372150470246121bec3d0df78f789a

SHA1
32a59242179e80f63289adce0ae9538c8f7424d0

SHA256
6d85b73bae0c94ad85bbe6a9dcf191e66c73a02501049318659c69ae9b0e96f6

SHA512
0c0a0c9f760783debf4ba3cce7decf9ceec9c1124b566f2d73d674f76c0f8dd0bbf161a6ea692ee73b52ff5ac0e834451bee82c47a6b0a305520b2690c672e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6379beadccb1bc3d915e25e69b878fa0

SHA1
0b55489624cd4c5c12e0dc11551aca1cf7bef8d3

SHA256
aab3b075016b14678785f7f60f1738c0586e18062ffc064d357a570a6a1c4532

SHA512
c2cae6a7a70c89e610a87a98c53df8dd5f72afd6cd2a414eaacded651f02cc1bb2a34406177622fa6c1c836bc79928d9076e6fae6b5a877b7a7148b352cd1de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2a6873ef234a7dcd300ec25875aa73c6

SHA1
e1d805f86f620a425552ab2be164935ef1c8484f

SHA256
ab295977e0f9d5533e0031ce7dcdacb1d2817f14ed0197329f89b8e6ae1d23af

SHA512
bca1a62ae14759439d18dedbd1097ca2d1614155ade867d2573d545509c9df2eaf9abbb7695126ee33dda8d26483103bcf3d8f839b61dd866002387b5162ecc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
346f4fa524383c2c89126e4336bd72ac

SHA1
1e66441b3cdd41ae571edf0b1887d5d39933385a

SHA256
ca7c6010add9a54570960a37e8f3d29c751cd3d6c494b51f4daca67d327274cd

SHA512
de0cd7a9d72c100c2e8e8d605649f2ad2f3034e108eadea14e86ae15f94f2b54d56849ac25c4c1568c9fbbf60615532fff22ef89ad2597c0c186c9f6044784d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
346f4fa524383c2c89126e4336bd72ac

SHA1
1e66441b3cdd41ae571edf0b1887d5d39933385a

SHA256
ca7c6010add9a54570960a37e8f3d29c751cd3d6c494b51f4daca67d327274cd

SHA512
de0cd7a9d72c100c2e8e8d605649f2ad2f3034e108eadea14e86ae15f94f2b54d56849ac25c4c1568c9fbbf60615532fff22ef89ad2597c0c186c9f6044784d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4cea773a3df6cee67969e1d933740707

SHA1
acb87974bae772c92730528f43d82dd60e442977

SHA256
504292197b986d7aceabf112e9a8d236d962093e5af101986e0153a6fb055d67

SHA512
ea1b357994d3a52a07fcfa2d79040387cf03afd8303908890ff341bb9c77ac985cd5d996ec020dec896eacb8f7d0ba85182d2b62c1ca469cfbe426a42f78b633

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
049eace0834b501f289a10ca55d64948

SHA1
095dc9b7865ce92113aaaae1071488cee96af856

SHA256
d85c9d7b109fcc8bcdcf893d8652f5f0d0eda0ba59eb8e435c25f63d6cff5ed7

SHA512
eb1db7c55a52feda46bacdff6b855e821bc15fb70ab48d2ee43c9d7beae969d82c552cdca444f39c063931a5247258f9849a1d6e5b68b49b35d06f6fd37edce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
184615dad050f0652f2df34976b636a4

SHA1
95e227941601084320c027b8ae35d3a1d8db431e

SHA256
c9e61e30c360e7250cb443bc89217793683613b3cea0c3682a3fb0de467d4a0e

SHA512
58326c18eae9d0040d19dd3f17aa589f82e920d885fae168b32e1cf20350b8a43b533d8de3246232e019c487eadc2e23437bb4db9d23bb6193d3a7260a70e9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
memory/1956-322-0x0000000005730000-0x0000000005738000-memory.dmp

Filesize
32KB

Download
memory/1956-361-0x0000000005250000-0x0000000005258000-memory.dmp

Filesize
32KB

Download
memory/1956-318-0x0000000000590000-0x0000000000B3C000-memory.dmp

Filesize
5.7MB

Download
memory/1956-321-0x0000000005850000-0x0000000005858000-memory.dmp

Filesize
32KB

Download
memory/1956-323-0x0000000005760000-0x0000000005768000-memory.dmp

Filesize
32KB

Download
memory/1956-170-0x0000000000590000-0x0000000000B3C000-memory.dmp

Filesize
5.7MB

Download
memory/1956-325-0x0000000005470000-0x0000000005478000-memory.dmp

Filesize
32KB

Download
memory/1956-317-0x0000000005460000-0x0000000005468000-memory.dmp

Filesize
32KB

Download
memory/1956-338-0x0000000005250000-0x0000000005258000-memory.dmp

Filesize
32KB

Download
memory/1956-316-0x0000000005440000-0x0000000005448000-memory.dmp

Filesize
32KB

Download
memory/1956-346-0x0000000005470000-0x0000000005478000-memory.dmp

Filesize
32KB

Download
memory/1956-348-0x00000000055A0000-0x00000000055A8000-memory.dmp

Filesize
32KB

Download
memory/1956-313-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/1956-279-0x0000000000590000-0x0000000000B3C000-memory.dmp

Filesize
5.7MB

Download
memory/1956-311-0x0000000005250000-0x0000000005258000-memory.dmp

Filesize
32KB

Download
memory/1956-369-0x00000000055A0000-0x00000000055A8000-memory.dmp

Filesize
32KB

Download
memory/1956-371-0x0000000005470000-0x0000000005478000-memory.dmp

Filesize
32KB

Download
memory/1956-310-0x0000000005230000-0x0000000005238000-memory.dmp

Filesize
32KB

Download
memory/1956-303-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1956-410-0x0000000005670000-0x0000000005678000-memory.dmp

Filesize
32KB

Download
memory/1956-411-0x0000000005690000-0x0000000005698000-memory.dmp

Filesize
32KB

Download
memory/1956-171-0x0000000000F00000-0x0000000000F03000-memory.dmp

Filesize
12KB

Download
memory/1956-855-0x0000000000590000-0x0000000000B3C000-memory.dmp

Filesize
5.7MB

Download
memory/1956-320-0x0000000005700000-0x0000000005708000-memory.dmp

Filesize
32KB

Download
memory/3156-283-0x00000000034F0000-0x0000000003505000-memory.dmp

Filesize
84KB

Download
memory/3472-645-0x0000000003520000-0x0000000003774000-memory.dmp

Filesize
2.3MB

Download
memory/3472-589-0x0000000003520000-0x0000000003774000-memory.dmp

Filesize
2.3MB

Download
memory/3592-272-0x0000000002D80000-0x0000000002E80000-memory.dmp

Filesize
1024KB

Download
memory/3592-276-0x0000000007220000-0x000000000725C000-memory.dmp

Filesize
240KB

Download
memory/3592-269-0x0000000072540000-0x0000000072CF0000-memory.dmp

Filesize
7.7MB

Download
memory/3592-273-0x0000000007880000-0x0000000007E98000-memory.dmp

Filesize
6.1MB

Download
memory/3592-458-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3592-274-0x0000000007200000-0x0000000007212000-memory.dmp

Filesize
72KB

Download
memory/3592-271-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/3592-275-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/3592-270-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3592-433-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3592-277-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/3592-423-0x0000000072540000-0x0000000072CF0000-memory.dmp

Filesize
7.7MB

Download
memory/3592-432-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3592-281-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3592-457-0x0000000002D80000-0x0000000002E80000-memory.dmp

Filesize
1024KB

Download
memory/3592-267-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/3592-278-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4272-869-0x0000000003A00000-0x0000000003F00000-memory.dmp

Filesize
5.0MB

Download
memory/4272-870-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4272-879-0x0000000003A00000-0x0000000003F00000-memory.dmp

Filesize
5.0MB

Download
memory/4272-880-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4408-499-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4408-613-0x00000000020C0000-0x00000000020F0000-memory.dmp

Filesize
192KB

Download
memory/4408-497-0x00000000020C0000-0x00000000020F0000-memory.dmp

Filesize
192KB

Download
memory/4408-495-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/4408-647-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/4548-260-0x0000000002EE0000-0x0000000002FE0000-memory.dmp

Filesize
1024KB

Download
memory/4548-264-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/4548-262-0x0000000002EB0000-0x0000000002EB9000-memory.dmp

Filesize
36KB

Download
memory/4548-287-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/4552-552-0x00000000038A0000-0x00000000041BE000-memory.dmp

Filesize
9.1MB

Download
memory/4552-550-0x0000000003460000-0x000000000389C000-memory.dmp

Filesize
4.2MB

Download
memory/4552-868-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4552-782-0x0000000003460000-0x000000000389C000-memory.dmp

Filesize
4.2MB

Download
memory/4552-856-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4552-576-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4608-460-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4608-288-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4608-292-0x0000000003520000-0x0000000003961000-memory.dmp

Filesize
4.3MB

Download
memory/4608-507-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4608-280-0x0000000003970000-0x000000000428E000-memory.dmp

Filesize
9.1MB

Download
memory/4608-319-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4608-488-0x0000000003520000-0x0000000003961000-memory.dmp

Filesize
4.3MB

Download
memory/4608-284-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4624-226-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/4624-261-0x00007FF9808C0000-0x00007FF981381000-memory.dmp

Filesize
10.8MB

Download
memory/4624-196-0x00007FF9808C0000-0x00007FF981381000-memory.dmp

Filesize
10.8MB

Download
memory/4624-195-0x0000000000CA0000-0x0000000000CCE000-memory.dmp

Filesize
184KB

Download