amadey | cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a

Analysis

max time kernel
201s
max time network
294s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
25/08/2023, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a.exe
Size

253KB
MD5

b955cc0b487310f74862013e698c8265
SHA1

b9e63acf13ef819da69fa77fb1e3727c4634d078
SHA256

cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a
SHA512

0fcd6002eccd98b49cd55deb829991e31dac1c53583b754e93dcd3cab41223f4c72c9f1e601bf1fdf59944df1f04c9cf72aa7a85db36de6d3732893d65ae706f
SSDEEP

3072:qzaFzZvaldnqbzvCOBdc8qf4ZUZMYWVrQOiQQsGde31vxbL:8QzvtBdBFlYW51ysGdA1vxbL

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://taibi.at/tmp/

http://01stroy.ru/tmp/

http://mal-net.com/tmp/

http://gromograd.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/raud/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.wztt
offline_id
pGPY4MKNHaEeN9pLKNW37rI0mblzUZFtPsjZ8Ht1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-E3ktviSmlG Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0768zSjfr

rsa_pubkey.plain

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

149.202.0.242:31728

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

5.3

Botnet

562ce294a991b18054802a17b24ce0f9

https://t.me/buukcay

https://steamcommunity.com/profiles/76561199544211655

Attributes

profile_id_v2
562ce294a991b18054802a17b24ce0f9

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

amadey

Version

3.87

79.137.192.18/9bDc8sQ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 50 IoCs

resource	yara_rule
behavioral2/memory/4484-17-0x00000000040F0000-0x000000000420B000-memory.dmp	family_djvu
behavioral2/memory/2988-18-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2988-20-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2988-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2988-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4604-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4604-63-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4604-65-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2324-56-0x0000000004080000-0x000000000419B000-memory.dmp	family_djvu
behavioral2/memory/4208-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4208-75-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4208-76-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4604-68-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4208-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2988-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4604-93-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4604-97-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-127-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-124-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-132-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-129-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-121-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-114-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-112-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-161-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-157-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-162-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-163-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-179-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-196-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-195-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-215-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-209-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-234-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-240-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5036-265-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-282-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/668-281-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2424-287-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4136 created 3240	4136	setup.exe	52
PID 4136 created 3240	4136	setup.exe	52
PID 4136 created 3240	4136	setup.exe	52
PID 4136 created 3240	4136	setup.exe	52
PID 4136 created 3240	4136	setup.exe	52

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	setup.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
292	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
3240	Explorer.EXE

Executes dropped EXE 47 IoCs

pid	Process
4484	599.exe
2988	599.exe
220	7AD.exe
2324	B86.exe
1240	DAA.exe
4604	B86.exe
4208	DAA.exe
5068	12FA.exe
3960	1899.exe
2532	DAA.exe
4192	599.exe
2288	B86.exe
668	DAA.exe
3944	599.exe
2424	B86.exe
96	666C.exe
4248	Conhost.exe
4160	build2.exe
5100	build2.exe
5008	build2.exe
4624	221D.exe
2196	build3.exe
2820	build3.exe
4536	build3.exe
5036	9E26.exe
1132	build2.exe
3088	build2.exe
8	build2.exe
3412	aafg31.exe
4188	toolspub2.exe
2744	31839b57a4f11171d6abc8bbc4451ee4.exe
3572	toolspub2.exe
5052	latestplayer.exe
4500	yiueea.exe
3048	9E26.exe
572	9E26.exe
2696	build2.exe
3076	build2.exe
4940	build3.exe
400	cli.exe
4084	mi.exe
4136	setup.exe
1464	31839b57a4f11171d6abc8bbc4451ee4.exe
4948	mstsca.exe
4808	yiueea.exe
4032	updater.exe
4880	csrss.exe

Loads dropped DLL 8 IoCs

pid	Process
1132	build2.exe
1132	build2.exe
8	build2.exe
8	build2.exe
3076	build2.exe
3076	build2.exe
3088	build2.exe
3088	build2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4412	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001b022-2416.dat	themida

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3232710d-0070-4784-a2e6-1e2674e693a6\\599.exe\" --AutoStart"	599.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.2ip.ua
29	api.2ip.ua
30	api.2ip.ua
31	api.2ip.ua
84	api.2ip.ua
8	api.2ip.ua
9	api.2ip.ua
21	api.2ip.ua
61	api.2ip.ua
131	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4136	setup.exe
4032	updater.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 2988	4484	599.exe	71
PID 2324 set thread context of 4604	2324	B86.exe	78
PID 1240 set thread context of 4208	1240	DAA.exe	77
PID 5068 set thread context of 4008	5068	12FA.exe	93
PID 4192 set thread context of 3944	4192	599.exe	88
PID 2532 set thread context of 668	2532	DAA.exe	92
PID 2288 set thread context of 2424	2288	B86.exe	91
PID 3960 set thread context of 1684	3960	1899.exe	89
PID 4248 set thread context of 5036	4248	Conhost.exe	105
PID 5100 set thread context of 1132	5100	build2.exe	109
PID 4160 set thread context of 3088	4160	cmd.exe	107
PID 5008 set thread context of 8	5008	build2.exe	108
PID 4188 set thread context of 3572	4188	toolspub2.exe	113
PID 3048 set thread context of 572	3048	9E26.exe	121
PID 2696 set thread context of 3076	2696	build2.exe	129
PID 400 set thread context of 532	400	cli.exe	146

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2472	sc.exe
2116	sc.exe
3416	sc.exe
2288	sc.exe
2108	sc.exe
2276	sc.exe
684	sc.exe
660	sc.exe
3400	sc.exe
2376	sc.exe
4164	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1728	schtasks.exe
1368	schtasks.exe
3636	schtasks.exe
4628	schtasks.exe
4116	schtasks.exe
4132	schtasks.exe
3004	schtasks.exe
2536	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
3420	timeout.exe
1504	timeout.exe
888	timeout.exe
356	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4924	cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a.exe
4924	cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a.exe
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3240	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4924	cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a.exe
96	666C.exe
3572	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeDebugPrivilege	220	7AD.exe
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	1684	AppLaunch.exe
Token: SeDebugPrivilege	4008	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4484	3240	Explorer.EXE	70
PID 3240 wrote to memory of 4484	3240	Explorer.EXE	70
PID 3240 wrote to memory of 4484	3240	Explorer.EXE	70
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 4484 wrote to memory of 2988	4484	599.exe	71
PID 3240 wrote to memory of 220	3240	Explorer.EXE	72
PID 3240 wrote to memory of 220	3240	Explorer.EXE	72
PID 3240 wrote to memory of 220	3240	Explorer.EXE	72
PID 3240 wrote to memory of 2324	3240	Explorer.EXE	74
PID 3240 wrote to memory of 2324	3240	Explorer.EXE	74
PID 3240 wrote to memory of 2324	3240	Explorer.EXE	74
PID 2988 wrote to memory of 4412	2988	599.exe	75
PID 2988 wrote to memory of 4412	2988	599.exe	75
PID 2988 wrote to memory of 4412	2988	599.exe	75
PID 3240 wrote to memory of 1240	3240	Explorer.EXE	76
PID 3240 wrote to memory of 1240	3240	Explorer.EXE	76
PID 3240 wrote to memory of 1240	3240	Explorer.EXE	76
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 2324 wrote to memory of 4604	2324	B86.exe	78
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 1240 wrote to memory of 4208	1240	DAA.exe	77
PID 3240 wrote to memory of 5068	3240	Explorer.EXE	82
PID 3240 wrote to memory of 5068	3240	Explorer.EXE	82
PID 3240 wrote to memory of 5068	3240	Explorer.EXE	82
PID 2988 wrote to memory of 4192	2988	599.exe	80
PID 2988 wrote to memory of 4192	2988	599.exe	80
PID 2988 wrote to memory of 4192	2988	599.exe	80
PID 4208 wrote to memory of 2532	4208	DAA.exe	83
PID 4208 wrote to memory of 2532	4208	DAA.exe	83
PID 4208 wrote to memory of 2532	4208	DAA.exe	83
PID 3240 wrote to memory of 3960	3240	Explorer.EXE	84
PID 3240 wrote to memory of 3960	3240	Explorer.EXE	84
PID 3240 wrote to memory of 3960	3240	Explorer.EXE	84
PID 4604 wrote to memory of 2288	4604	B86.exe	86
PID 4604 wrote to memory of 2288	4604	B86.exe	86
PID 4604 wrote to memory of 2288	4604	B86.exe	86
PID 5068 wrote to memory of 2468	5068	12FA.exe	87
PID 5068 wrote to memory of 2468	5068	12FA.exe	87
PID 5068 wrote to memory of 2468	5068	12FA.exe	87
PID 5068 wrote to memory of 4008	5068	12FA.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a.exe
  "C:\Users\Admin\AppData\Local\Temp\cadc29e99c605f729d7a3ec16ccbbcaa5820d22eece53ae8e5fbf0561985f04a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\599.exe
  C:\Users\Admin\AppData\Local\Temp\599.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\599.exe
    C:\Users\Admin\AppData\Local\Temp\599.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\3232710d-0070-4784-a2e6-1e2674e693a6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\599.exe
      "C:\Users\Admin\AppData\Local\Temp\599.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\599.exe
        
        "C:\Users\Admin\AppData\Local\Temp\599.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:3944
      - C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe
        
        "C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe
        
        "C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe" & exit
        8⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:888
      - C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build3.exe
        
        "C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4628
- C:\Users\Admin\AppData\Local\Temp\7AD.exe
  C:\Users\Admin\AppData\Local\Temp\7AD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Users\Admin\AppData\Local\Temp\B86.exe
  C:\Users\Admin\AppData\Local\Temp\B86.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\B86.exe
    C:\Users\Admin\AppData\Local\Temp\B86.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\B86.exe
      "C:\Users\Admin\AppData\Local\Temp\B86.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\B86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\B86.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:2424
      - C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe
        
        "C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe"
        6⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe
        
        "C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe" & exit
        8⤵
        Suspicious use of SetThreadContext
        
        PID:4160
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:1504
      - C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build3.exe
        
        "C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:2820
- C:\Users\Admin\AppData\Local\Temp\DAA.exe
  C:\Users\Admin\AppData\Local\Temp\DAA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\DAA.exe
    C:\Users\Admin\AppData\Local\Temp\DAA.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\DAA.exe
      "C:\Users\Admin\AppData\Local\Temp\DAA.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2532
    - - C:\Users\Admin\AppData\Local\Temp\DAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DAA.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:668
      - C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe
        
        "C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe
        
        "C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe" & exit
        8⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:356
      - C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build3.exe
        
        "C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:4536
- C:\Users\Admin\AppData\Local\Temp\12FA.exe
  C:\Users\Admin\AppData\Local\Temp\12FA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\mi.exe
      "C:\Users\Admin\AppData\Local\Temp\mi.exe"
      4⤵
      Executes dropped EXE
      PID:4084
    - - C:\Windows\Temp\setup.exe
        
        "C:\Windows\Temp\setup.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        
        PID:4136
- C:\Users\Admin\AppData\Local\Temp\1899.exe
  C:\Users\Admin\AppData\Local\Temp\1899.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\cli.exe
      "C:\Users\Admin\AppData\Local\Temp\cli.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:400
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:776
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:532
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "Start-Process <#czbprhdvwdnfvdrp#> powershell <#czbprhdvwdnfvdrp#> -Verb <#czbprhdvwdnfvdrp#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
        6⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
        7⤵
        
        PID:4244
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force
        6⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:660
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc daily /st 11:20 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2536
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc daily /st 11:20 /f /tn OneDriveUpdateTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3476
- C:\Users\Admin\AppData\Local\Temp\666C.exe
  C:\Users\Admin\AppData\Local\Temp\666C.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  PID:96
- C:\Users\Admin\AppData\Local\Temp\9E26.exe
  C:\Users\Admin\AppData\Local\Temp\9E26.exe
  2⤵
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\9E26.exe
    C:\Users\Admin\AppData\Local\Temp\9E26.exe
    3⤵
    - Executes dropped EXE
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\9E26.exe
      "C:\Users\Admin\AppData\Local\Temp\9E26.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\9E26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9E26.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:572
      - C:\Users\Admin\AppData\Local\5f6063ab-747c-449b-b542-4c49c2f764d4\build2.exe
        
        "C:\Users\Admin\AppData\Local\5f6063ab-747c-449b-b542-4c49c2f764d4\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\5f6063ab-747c-449b-b542-4c49c2f764d4\build2.exe
        
        "C:\Users\Admin\AppData\Local\5f6063ab-747c-449b-b542-4c49c2f764d4\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\5f6063ab-747c-449b-b542-4c49c2f764d4\build2.exe" & exit
        8⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:3420
      - C:\Users\Admin\AppData\Local\5f6063ab-747c-449b-b542-4c49c2f764d4\build3.exe
        
        "C:\Users\Admin\AppData\Local\5f6063ab-747c-449b-b542-4c49c2f764d4\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4248
- C:\Users\Admin\AppData\Local\Temp\221D.exe
  C:\Users\Admin\AppData\Local\Temp\221D.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\aafg31.exe
    "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
    3⤵
    - Executes dropped EXE
    PID:3412
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: MapViewOfSection
      PID:3572
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:2744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:596
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:1464
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4348
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4328
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:292
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:684
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:4880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3948
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1368
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4116
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:984
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:224
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3636
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:4164
- - C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"
    3⤵
    - Executes dropped EXE
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
      "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
      4⤵
      Executes dropped EXE
      PID:4500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:3236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1012
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:N"
        6⤵
        
        PID:888
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:R" /E
        6⤵
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:204
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:N"
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:R" /E
        6⤵
        
        PID:3548
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5076
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:428
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2472
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:684
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:660
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3400
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4480
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1368
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4360
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xltha#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:3564
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:428
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:764
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2376
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3416
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2116
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2288
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2108
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3812
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4012
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3956
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xltha#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:364
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4216
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4888

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4948
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3004

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4032

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
1⤵
PID:4784

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
7c1ebb0b3b7c23edc344b7611bcd3429

SHA1
d57f470d8a9dc2d0fbc8937cdaee43c107304b19

SHA256
86cec75b580d98e14037cfe43b07ed10b7194353a6c8a2033aad696e815ca567

SHA512
aa75de8f32b76f71090f6761281abee3cf2171014dad93b2697bb3829e5014ed64c357f990da26d20c8ea09b1886c6ae2d90dc1ba828c0505ae30f2dd771f0be

Download Submit
C:\ProgramData\56696949623564832218358161

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\64864111448317462867991436

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\68812303988028290142982263

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\SystemID\PersonalID.txt

Filesize
42B

MD5
324770a7653f940b6e66d90455f6e1a8

SHA1
5b9edb85029710a458f7a77f474721307d2fb738

SHA256
9dda9cd8e2b81a8d0d46e39f4495130246582b673b7ddddef4ebecfeeb6bbc30

SHA512
48ae3a8b8a45881285ff6117edd0ca42fe2b06b0d868b2d535f82a9c26157d3c434535d91b7a9f33cf3c627bc49e469bf997077edcfff6b83e4d7e30cf9dea23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
2047c5276498695b2aae5fab09708b18

SHA1
e6e47381a8f7ad1d552ca6e587a38c68cc4eb5a7

SHA256
ef854bb906dc4d7d50d2c8cf812999276848c574c35bd342762b2fe2305db9bf

SHA512
4266e74e941befc8e51f377f1025554d2b82de50a7883d9d326420134253d8584b7133ca503476a1336e924e4d987f5f957e5d2379e9dc40e906eba97f3eb239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
ce12199317d03aeb98e9ab4deb8a2400

SHA1
83c807a97e94c4a5c943711282434fcaa52f23b0

SHA256
9bac42ac5078f27a66f09d9c94507ba81716ae946080673963ddca4c70f04688

SHA512
041bbf8cdd894eec2a2430625c6072778149684d86d274c5e307b2ca3d1964063ca50e9df7df7da3f5a93949dc053d8eb80d35661b905571a517e58c437b963e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
a0c7a97d71f837d5b443901f31a72664

SHA1
7550d5cb03e07752d31b8dac9ef6653c97c04f39

SHA256
5102b86aba22abb333d057a473d80734178044bced0cc0a5cb23486186245626

SHA512
bf8b34b0cbd65002807078d0e24766cd9f2bbbc4d804264d55840688696365e58d585d0cf80cc1887a3c6a2885b541e4569bec91a515bf88225ca0dc3368ed32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
b115aaf4c011e66b03d70be0153bdc93

SHA1
0bce334c7cdfd0748906a3c8b274e779e04ffe56

SHA256
ebfe3cebef08042e8c2b2dc511ee1140ca5edec8578a57336d14bf5dab139898

SHA512
4cad10af08e20d908b5b7baf4d7cfa9ea752f1245f2a71110bdb1ba257569acd820d68d510972f64061db09a389c5d8113204e4649b5fbe29fdee2192e0e6414

Download Submit
C:\Users\Admin\AppData\Local\3232710d-0070-4784-a2e6-1e2674e693a6\599.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\66da0ab2-131d-47ea-9eb9-99c8e418d6c8\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\93e1c8ef-3d31-4960-bb99-c4682bf80835\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R7LFADWO\build2[1].exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\12FA.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\12FA.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1899.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1899.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\221D.exe

Filesize
5.1MB

MD5
739ac92d82f9ae4f557923ee2689099a

SHA1
93583178a8a370778b95a89c508c6bb7ee304df7

SHA256
e9dc3c310187d5aa3a5451c4c6799792b5e6c501da776f0adeaf16302aa84e6e

SHA512
db8570f53b70606455581827d164d132b30a6afe0a1eed2138546a5ca356887fa4d274cd5f5487ac13cfa3e9464ff0fd9669ef989617c127cc6018d3545de0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\221D.exe

Filesize
5.1MB

MD5
739ac92d82f9ae4f557923ee2689099a

SHA1
93583178a8a370778b95a89c508c6bb7ee304df7

SHA256
e9dc3c310187d5aa3a5451c4c6799792b5e6c501da776f0adeaf16302aa84e6e

SHA512
db8570f53b70606455581827d164d132b30a6afe0a1eed2138546a5ca356887fa4d274cd5f5487ac13cfa3e9464ff0fd9669ef989617c127cc6018d3545de0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\599.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\599.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\599.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\599.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\599.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\666C.exe

Filesize
267KB

MD5
728b56fa1d51bc6e51f0ed7c2f8dbba2

SHA1
028494eeb85ab7d33d82176c26b1ac33a6c4a3c4

SHA256
b6e8c116284984029311070fc982332db26895b6f7d139c03d6ab4ac3bd0f1fc

SHA512
e877f07434650930ec9f99b7fd5c41589d552a918a7729673361c5a0038b63e39151d164271f4a8cee5bdacb617d3fc4b17148154d7c59b3c8003af78191c866

Download Submit
C:\Users\Admin\AppData\Local\Temp\666C.exe

Filesize
267KB

MD5
728b56fa1d51bc6e51f0ed7c2f8dbba2

SHA1
028494eeb85ab7d33d82176c26b1ac33a6c4a3c4

SHA256
b6e8c116284984029311070fc982332db26895b6f7d139c03d6ab4ac3bd0f1fc

SHA512
e877f07434650930ec9f99b7fd5c41589d552a918a7729673361c5a0038b63e39151d164271f4a8cee5bdacb617d3fc4b17148154d7c59b3c8003af78191c866

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AD.exe

Filesize
237KB

MD5
872d809faf6857be70216616ce0eae2f

SHA1
b240167f3054a54642cb03cdfadf4d17e5fb0005

SHA256
31712b36f255e5a75de26a4f167e363bacd38883f5ee58529ac5493a252e7d9e

SHA512
bbdaea6f78c501a642ac459bec2912e53fa547190f2148608daef29371ff69342767be0134f1c07e74587f04e938de9ca1f5c0dd2ea94783e888009521ad5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AD.exe

Filesize
237KB

MD5
872d809faf6857be70216616ce0eae2f

SHA1
b240167f3054a54642cb03cdfadf4d17e5fb0005

SHA256
31712b36f255e5a75de26a4f167e363bacd38883f5ee58529ac5493a252e7d9e

SHA512
bbdaea6f78c501a642ac459bec2912e53fa547190f2148608daef29371ff69342767be0134f1c07e74587f04e938de9ca1f5c0dd2ea94783e888009521ad5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E26.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E26.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E26.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E26.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E26.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E26.exe

Filesize
775KB

MD5
deb916db19f8a4d4f291de914eca547e

SHA1
3ea35373a838ea611c9b777a99cb4e2373223d07

SHA256
f1efdfc8078af1d91c857359f41c4167c34d32f0c14bc90ea657078a2360927b

SHA512
013240c55c94b39cc539939758e04ff2d4deddfb047996e6448563afa688e864d96c26eaa68821a8a03216ba692804db77a4994774281ac3544cbc9cc762e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\B86.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B86.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B86.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B86.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B86.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yy30wcsj.uq3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
397KB

MD5
e3031f99f17a7c8cef9f8ccf6f0dc28e

SHA1
ea6e9a506ca921d15eb7cf4c78dec5dc41733ab3

SHA256
fdca3a9eff84349214459acb7530451c244a66e5e3347ac8366e22c2bee4a0fd

SHA512
8bf8b203f7cfe13f6a98d2b2b2f4bcf816cc58f18f7fad9af13cea0459b1ba7a338fdb18c78379ad79f7ec7c2157fd1cef2e35ec10689aa18d1532579dcbb73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
397KB

MD5
e3031f99f17a7c8cef9f8ccf6f0dc28e

SHA1
ea6e9a506ca921d15eb7cf4c78dec5dc41733ab3

SHA256
fdca3a9eff84349214459acb7530451c244a66e5e3347ac8366e22c2bee4a0fd

SHA512
8bf8b203f7cfe13f6a98d2b2b2f4bcf816cc58f18f7fad9af13cea0459b1ba7a338fdb18c78379ad79f7ec7c2157fd1cef2e35ec10689aa18d1532579dcbb73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt

Filesize
563B

MD5
e3c640eced72a28f10eac99da233d9fd

SHA1
1d7678afc24a59de1da0bf74126baf3b8540b5b0

SHA256
87de9c0701eab8d410954dc4d3e7e6013ca6a0c8a514969418a12c21135f133e

SHA512
bcb94b7ba487784d343961b24107ea17a82f200961505927ef385caeb0684fbbe1a3482b7d0af7f3766b9ec2c4d6236341b50541cf7b1217acdc0a8b5b37e3d7

Download Submit
C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build2.exe

Filesize
361KB

MD5
9545d2c1b9c67ae6c7536fa637f6e8dc

SHA1
b2654f52dfde5ae8791588d224fe707784a3c6fd

SHA256
44f9e81a2e056d24c0da23b8be38d37eceefe06e5bc6dbf67df2b18caf6223b8

SHA512
6eef0a2feec33e8bf1a6ede2fc62ee531299ce49759df07a463e8c5476617184d9b8e5a21fbb4b6641131a7130474f39800839c3d0127ba84b8f5a7b3fdffa4c

Download Submit
C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\cc02aee1-d6f4-408f-abfd-44e1f48c9b00\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\fectvwt

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Roaming\ssctvwt

Filesize
267KB

MD5
728b56fa1d51bc6e51f0ed7c2f8dbba2

SHA1
028494eeb85ab7d33d82176c26b1ac33a6c4a3c4

SHA256
b6e8c116284984029311070fc982332db26895b6f7d139c03d6ab4ac3bd0f1fc

SHA512
e877f07434650930ec9f99b7fd5c41589d552a918a7729673361c5a0038b63e39151d164271f4a8cee5bdacb617d3fc4b17148154d7c59b3c8003af78191c866

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/8-302-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/96-186-0x0000000000400000-0x00000000022EB000-memory.dmp

Filesize
30.9MB

Download
memory/96-152-0x0000000000400000-0x00000000022EB000-memory.dmp

Filesize
30.9MB

Download
memory/96-150-0x0000000002390000-0x0000000002490000-memory.dmp

Filesize
1024KB

Download
memory/96-151-0x0000000002310000-0x0000000002319000-memory.dmp

Filesize
36KB

Download
memory/220-41-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/220-156-0x000000000B2A0000-0x000000000B462000-memory.dmp

Filesize
1.8MB

Download
memory/220-40-0x0000000002300000-0x0000000002306000-memory.dmp

Filesize
24KB

Download
memory/220-192-0x000000000B470000-0x000000000B99C000-memory.dmp

Filesize
5.2MB

Download
memory/220-67-0x000000000A690000-0x000000000A6DB000-memory.dmp

Filesize
300KB

Download
memory/220-29-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/220-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-123-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/220-115-0x000000000AE10000-0x000000000AE76000-memory.dmp

Filesize
408KB

Download
memory/220-103-0x000000000A8D0000-0x000000000ADCE000-memory.dmp

Filesize
5.0MB

Download
memory/220-55-0x0000000009E00000-0x000000000A406000-memory.dmp

Filesize
6.0MB

Download
memory/220-104-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/220-59-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

Filesize
72KB

Download
memory/220-96-0x00000000049D0000-0x0000000004A62000-memory.dmp

Filesize
584KB

Download
memory/220-94-0x0000000004950000-0x00000000049C6000-memory.dmp

Filesize
472KB

Download
memory/220-61-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/220-66-0x000000000A5E0000-0x000000000A61E000-memory.dmp

Filesize
248KB

Download
memory/220-329-0x0000000004450000-0x00000000044A0000-memory.dmp

Filesize
320KB

Download
memory/220-57-0x000000000A490000-0x000000000A59A000-memory.dmp

Filesize
1.0MB

Download
memory/668-163-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-281-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-240-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-112-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-127-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-157-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/668-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1132-296-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1240-64-0x0000000002410000-0x00000000024B1000-memory.dmp

Filesize
644KB

Download
memory/1684-305-0x0000000009320000-0x0000000009330000-memory.dmp

Filesize
64KB

Download
memory/1684-294-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-136-0x0000000009320000-0x0000000009330000-memory.dmp

Filesize
64KB

Download
memory/1684-134-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/2288-110-0x0000000003FC0000-0x0000000004055000-memory.dmp

Filesize
596KB

Download
memory/2324-56-0x0000000004080000-0x000000000419B000-memory.dmp

Filesize
1.1MB

Download
memory/2324-54-0x0000000003FD0000-0x000000000406D000-memory.dmp

Filesize
628KB

Download
memory/2424-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-121-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-124-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-209-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-234-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-179-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-287-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-162-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2532-95-0x0000000003EF0000-0x0000000003F90000-memory.dmp

Filesize
640KB

Download
memory/2988-18-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2988-20-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2988-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2988-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2988-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3088-301-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3240-166-0x0000000002D50000-0x0000000002D66000-memory.dmp

Filesize
88KB

Download
memory/3240-4-0x0000000000F90000-0x0000000000FA6000-memory.dmp

Filesize
88KB

Download
memory/3412-319-0x00007FF75CDF0000-0x00007FF75CE57000-memory.dmp

Filesize
412KB

Download
memory/3572-334-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3944-114-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-215-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-161-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-196-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-282-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-129-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4008-280-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/4008-300-0x0000000008C50000-0x0000000008C60000-memory.dmp

Filesize
64KB

Download
memory/4008-130-0x0000000008BF0000-0x0000000008BF6000-memory.dmp

Filesize
24KB

Download
memory/4008-135-0x0000000008C50000-0x0000000008C60000-memory.dmp

Filesize
64KB

Download
memory/4008-125-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/4008-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4160-290-0x0000000001A10000-0x0000000001A41000-memory.dmp

Filesize
196KB

Download
memory/4188-324-0x0000000002630000-0x0000000002730000-memory.dmp

Filesize
1024KB

Download
memory/4188-326-0x0000000002420000-0x0000000002429000-memory.dmp

Filesize
36KB

Download
memory/4192-106-0x0000000004040000-0x00000000040E2000-memory.dmp

Filesize
648KB

Download
memory/4208-75-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4208-76-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4208-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4208-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4248-251-0x0000000003FF2000-0x0000000004084000-memory.dmp

Filesize
584KB

Download
memory/4484-17-0x00000000040F0000-0x000000000420B000-memory.dmp

Filesize
1.1MB

Download
memory/4484-16-0x00000000024C0000-0x0000000002561000-memory.dmp

Filesize
644KB

Download
memory/4604-97-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4604-65-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4604-63-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4604-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4604-68-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4604-93-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4624-330-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/4624-241-0x00000000004A0000-0x00000000009C6000-memory.dmp

Filesize
5.1MB

Download
memory/4624-266-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/4924-1-0x0000000002410000-0x0000000002510000-memory.dmp

Filesize
1024KB

Download
memory/4924-5-0x0000000000400000-0x00000000022E6000-memory.dmp

Filesize
30.9MB

Download
memory/4924-3-0x0000000002350000-0x0000000002359000-memory.dmp

Filesize
36KB

Download
memory/4924-2-0x0000000000400000-0x00000000022E6000-memory.dmp

Filesize
30.9MB

Download
memory/5036-265-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5100-291-0x0000000003500000-0x000000000355B000-memory.dmp

Filesize
364KB

Download