glupteba | 70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d

Analysis

max time kernel
57s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

15.7MB
MD5

3141032e3b1e4f3ee0d0a1fe68ccc6e8
SHA1

37adc7f63e2c38b2ad803c49d2782be701da9b56
SHA256

70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
SHA512

d063301b2c07d8722594dd2eec9fbcb100385bcaac9843c5f329537845888803c3a6ae68ac33983b9ea429bb15d74b43a189ef4bc359c80dbb19e46ae938f0e5
SSDEEP

393216:g8EDE090yXtcYODN8EDE090yXtcYODCef/GyF3ibKL4BCXtU/PS:gjg09jtcYyjg09jtcYyxFSbi4StU6

Score

10^/10

glupteba smokeloader xmrig up3 backdoor discovery dropper evasion loader miner trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3044-96-0x0000000004370000-0x0000000004C5B000-memory.dmp	family_glupteba
behavioral1/memory/2704-109-0x00000000042D0000-0x0000000004BBB000-memory.dmp	family_glupteba
behavioral1/memory/3044-126-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2704-127-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3044-131-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2704-134-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3044-137-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3044-144-0x0000000004370000-0x0000000004C5B000-memory.dmp	family_glupteba
behavioral1/memory/3044-158-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2704-159-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3044-160-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2704-166-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3044-195-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2704-204-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2704-215-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3044-217-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2788-222-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2496-223-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2496-234-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2788-237-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2788-240-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2192-271-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2192-327-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/2192-357-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

latestX.exe

description	pid	process	target process
PID 2672 created 1276	2672	latestX.exe	Explorer.EXE
PID 2672 created 1276	2672	latestX.exe	Explorer.EXE
PID 2672 created 1276	2672	latestX.exe	Explorer.EXE
PID 2672 created 1276	2672	latestX.exe	Explorer.EXE
PID 2672 created 1276	2672	latestX.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1392	bcdedit.exe
2424	bcdedit.exe
1964	bcdedit.exe
1492	bcdedit.exe
2832	bcdedit.exe
1060	bcdedit.exe
528	bcdedit.exe
1996	bcdedit.exe
1676	bcdedit.exe
2032	bcdedit.exe
1636	bcdedit.exe
2168	bcdedit.exe
908	bcdedit.exe
684	bcdedit.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2700-354-0x000000013FAD0000-0x0000000140071000-memory.dmp	xmrig

Drops file in Drivers directory 1 IoCs

Processes:

latestX.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts latestX.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2872 netsh.exe
2440 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

pid	process
2872	netsh.exe
2440	netsh.exe

Executes dropped EXE 14 IoCs

Processes:

toolspub2.exee0cbefcb1af40c7d4aff4aca26621a98.exekos1.exetoolspub2.exelatestX.exeset16.exe31839b57a4f11171d6abc8bbc4451ee4.exekos.exeis-1386E.tmppreviewer.exepreviewer.exeupdater.exe31839b57a4f11171d6abc8bbc4451ee4.exee0cbefcb1af40c7d4aff4aca26621a98.exe

pid	process
2272	toolspub2.exe
3044	e0cbefcb1af40c7d4aff4aca26621a98.exe
2292	kos1.exe
2920	toolspub2.exe
2672	latestX.exe
2588	set16.exe
2704	31839b57a4f11171d6abc8bbc4451ee4.exe
2560	kos.exe
2596	is-1386E.tmp
1964	previewer.exe
928	previewer.exe
2700	updater.exe
2788	31839b57a4f11171d6abc8bbc4451ee4.exe
2496	e0cbefcb1af40c7d4aff4aca26621a98.exe

Loads dropped DLL 26 IoCs

Processes:

file.exetoolspub2.exekos1.exeset16.exeis-1386E.tmppreviewer.exepreviewer.exetaskeng.exe

pid	process
2060	file.exe
2060	file.exe
2060	file.exe
2060	file.exe
2060	file.exe
2272	toolspub2.exe
2292	kos1.exe
2060	file.exe
2060	file.exe
2060	file.exe
2588	set16.exe
2588	set16.exe
2588	set16.exe
2292	kos1.exe
2588	set16.exe
2596	is-1386E.tmp
2596	is-1386E.tmp
2596	is-1386E.tmp
2596	is-1386E.tmp
2596	is-1386E.tmp
1964	previewer.exe
1964	previewer.exe
2596	is-1386E.tmp
928	previewer.exe
928	previewer.exe
2668	taskeng.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

toolspub2.exe

description pid process target process

PID 2272 set thread context of 2920 2272 toolspub2.exe toolspub2.exe

description	pid	process	target process
PID 2272 set thread context of 2920	2272	toolspub2.exe	toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exee0cbefcb1af40c7d4aff4aca26621a98.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe
File opened (read-only)	\??\VBoxMiniRdrDN	e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops file in Program Files directory 8 IoCs

Processes:

is-1386E.tmplatestX.exe

description	ioc	process
File created	C:\Program Files (x86)\PA Previewer\is-OP7CN.tmp	is-1386E.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-1386E.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-1386E.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-1386E.tmp
File created	C:\Program Files (x86)\PA Previewer\is-FEL6T.tmp	is-1386E.tmp
File created	C:\Program Files (x86)\PA Previewer\is-2DKT5.tmp	is-1386E.tmp
File created	C:\Program Files (x86)\PA Previewer\is-8CQVN.tmp	is-1386E.tmp

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2028 sc.exe
1812 sc.exe
2912 sc.exe
2708 sc.exe
1052 sc.exe
772 sc.exe
2128 sc.exe
620 sc.exe
2408 sc.exe
1272 sc.exe
1712 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2028	sc.exe
1812	sc.exe
2912	sc.exe
2708	sc.exe
1052	sc.exe
772	sc.exe
2128	sc.exe
620	sc.exe
2408	sc.exe
1272	sc.exe
1712	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1960 schtasks.exe
2248 schtasks.exe
2076 schtasks.exe
2836 schtasks.exe

pid	process
1960	schtasks.exe
2248	schtasks.exe
2076	schtasks.exe
2836	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub2.exeExplorer.EXE

pid	process
2920	toolspub2.exe
2920	toolspub2.exe
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub2.exe

pid process

2920 toolspub2.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

previewer.exeExplorer.EXEkos.exepreviewer.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exee0cbefcb1af40c7d4aff4aca26621a98.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	pid	process
Token: SeDebugPrivilege	1964	previewer.exe
Token: SeShutdownPrivilege	1276	Explorer.EXE
Token: SeShutdownPrivilege	1276	Explorer.EXE
Token: SeShutdownPrivilege	1276	Explorer.EXE
Token: SeDebugPrivilege	2560	kos.exe
Token: SeDebugPrivilege	928	previewer.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeShutdownPrivilege	1600	powercfg.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeShutdownPrivilege	1352	powercfg.exe
Token: SeShutdownPrivilege	1680	powercfg.exe
Token: SeShutdownPrivilege	1684	powercfg.exe
Token: SeDebugPrivilege	3044	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	3044	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeDebugPrivilege	2704	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2704	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exetoolspub2.exekos1.exeset16.exeis-1386E.tmpnet.exe

description	pid	process	target process
PID 2060 wrote to memory of 2272	2060	file.exe	toolspub2.exe
PID 2060 wrote to memory of 2272	2060	file.exe	toolspub2.exe
PID 2060 wrote to memory of 2272	2060	file.exe	toolspub2.exe
PID 2060 wrote to memory of 2272	2060	file.exe	toolspub2.exe
PID 2060 wrote to memory of 3044	2060	file.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2060 wrote to memory of 3044	2060	file.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2060 wrote to memory of 3044	2060	file.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2060 wrote to memory of 3044	2060	file.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2060 wrote to memory of 2292	2060	file.exe	kos1.exe
PID 2060 wrote to memory of 2292	2060	file.exe	kos1.exe
PID 2060 wrote to memory of 2292	2060	file.exe	kos1.exe
PID 2060 wrote to memory of 2292	2060	file.exe	kos1.exe
PID 2272 wrote to memory of 2920	2272	toolspub2.exe	toolspub2.exe
PID 2272 wrote to memory of 2920	2272	toolspub2.exe	toolspub2.exe
PID 2272 wrote to memory of 2920	2272	toolspub2.exe	toolspub2.exe
PID 2272 wrote to memory of 2920	2272	toolspub2.exe	toolspub2.exe
PID 2272 wrote to memory of 2920	2272	toolspub2.exe	toolspub2.exe
PID 2272 wrote to memory of 2920	2272	toolspub2.exe	toolspub2.exe
PID 2272 wrote to memory of 2920	2272	toolspub2.exe	toolspub2.exe
PID 2060 wrote to memory of 2672	2060	file.exe	latestX.exe
PID 2060 wrote to memory of 2672	2060	file.exe	latestX.exe
PID 2060 wrote to memory of 2672	2060	file.exe	latestX.exe
PID 2060 wrote to memory of 2672	2060	file.exe	latestX.exe
PID 2292 wrote to memory of 2588	2292	kos1.exe	set16.exe
PID 2292 wrote to memory of 2588	2292	kos1.exe	set16.exe
PID 2292 wrote to memory of 2588	2292	kos1.exe	set16.exe
PID 2292 wrote to memory of 2588	2292	kos1.exe	set16.exe
PID 2292 wrote to memory of 2588	2292	kos1.exe	set16.exe
PID 2292 wrote to memory of 2588	2292	kos1.exe	set16.exe
PID 2292 wrote to memory of 2588	2292	kos1.exe	set16.exe
PID 2060 wrote to memory of 2704	2060	file.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2060 wrote to memory of 2704	2060	file.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2060 wrote to memory of 2704	2060	file.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2060 wrote to memory of 2704	2060	file.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2292 wrote to memory of 2560	2292	kos1.exe	kos.exe
PID 2292 wrote to memory of 2560	2292	kos1.exe	kos.exe
PID 2292 wrote to memory of 2560	2292	kos1.exe	kos.exe
PID 2292 wrote to memory of 2560	2292	kos1.exe	kos.exe
PID 2588 wrote to memory of 2596	2588	set16.exe	is-1386E.tmp
PID 2588 wrote to memory of 2596	2588	set16.exe	is-1386E.tmp
PID 2588 wrote to memory of 2596	2588	set16.exe	is-1386E.tmp
PID 2588 wrote to memory of 2596	2588	set16.exe	is-1386E.tmp
PID 2588 wrote to memory of 2596	2588	set16.exe	is-1386E.tmp
PID 2588 wrote to memory of 2596	2588	set16.exe	is-1386E.tmp
PID 2588 wrote to memory of 2596	2588	set16.exe	is-1386E.tmp
PID 2596 wrote to memory of 1932	2596	is-1386E.tmp	net.exe
PID 2596 wrote to memory of 1932	2596	is-1386E.tmp	net.exe
PID 2596 wrote to memory of 1932	2596	is-1386E.tmp	net.exe
PID 2596 wrote to memory of 1932	2596	is-1386E.tmp	net.exe
PID 2596 wrote to memory of 1932	2596	is-1386E.tmp	net.exe
PID 2596 wrote to memory of 1932	2596	is-1386E.tmp	net.exe
PID 2596 wrote to memory of 1932	2596	is-1386E.tmp	net.exe
PID 2596 wrote to memory of 1964	2596	is-1386E.tmp	previewer.exe
PID 2596 wrote to memory of 1964	2596	is-1386E.tmp	previewer.exe
PID 2596 wrote to memory of 1964	2596	is-1386E.tmp	previewer.exe
PID 2596 wrote to memory of 1964	2596	is-1386E.tmp	previewer.exe
PID 2596 wrote to memory of 1964	2596	is-1386E.tmp	previewer.exe
PID 2596 wrote to memory of 1964	2596	is-1386E.tmp	previewer.exe
PID 2596 wrote to memory of 1964	2596	is-1386E.tmp	previewer.exe
PID 1932 wrote to memory of 1732	1932	net.exe	powercfg.exe
PID 1932 wrote to memory of 1732	1932	net.exe	powercfg.exe
PID 1932 wrote to memory of 1732	1932	net.exe	powercfg.exe
PID 1932 wrote to memory of 1732	1932	net.exe	powercfg.exe
PID 1932 wrote to memory of 1732	1932	net.exe	powercfg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2920

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:3052

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2440

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:2192

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:1640

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1960

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
6⤵
PID:1248

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
7⤵
- Modifies boot configuration data using bcdedit
PID:1392

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:2424

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:1964

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
7⤵
- Modifies boot configuration data using bcdedit
PID:1492

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:2832

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:1060

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
7⤵
- Modifies boot configuration data using bcdedit
PID:528

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
7⤵
- Modifies boot configuration data using bcdedit
PID:1996

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
7⤵
- Modifies boot configuration data using bcdedit
PID:1676

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
7⤵
- Modifies boot configuration data using bcdedit
PID:2032

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
7⤵
- Modifies boot configuration data using bcdedit
PID:1636

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
7⤵
- Modifies boot configuration data using bcdedit
PID:2168

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
7⤵
- Modifies boot configuration data using bcdedit
PID:908

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:952

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
6⤵
- Modifies boot configuration data using bcdedit
PID:684

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
6⤵
PID:3048

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:2108

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:620

C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\is-1E20J.tmp\is-1386E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1E20J.tmp\is-1386E.tmp" /SL4 $6011A "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
6⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
7⤵
PID:1732

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:2672

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2904

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:680

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2408

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1272

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1712

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2912

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:2836

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2024

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:3000

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:1988

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2708

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1052

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2028

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1812

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:1872

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:2248

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2008

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:2664

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1732

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2124

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:932

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:2440

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2904

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231006120654.log C:\Windows\Logs\CBS\CbsPersist_20231006120654.cab
1⤵
PID:3040

C:\Windows\system32\taskeng.exe
taskeng.exe {627FFB8F-4AA5-451D-B4EA-8E760267DEE9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2668

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
906e8dd59115761a98c0308313a2ad3b

SHA1
b2f9debeea9624b2e64e8062bf40382318cc42bd

SHA256
56d6788b4b40af4a7c0329a9d91b1b4407beef8bd9395ef852851f53a3d36dcf

SHA512
18cbbddc8e85acb236cd15c122adaa9537efc18216c394ba368ab0e391afe40b3dd6130dc1c60bb812da616f37897725c0ea6a695a93e9b25eb665f82bca870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
906e8dd59115761a98c0308313a2ad3b

SHA1
b2f9debeea9624b2e64e8062bf40382318cc42bd

SHA256
56d6788b4b40af4a7c0329a9d91b1b4407beef8bd9395ef852851f53a3d36dcf

SHA512
18cbbddc8e85acb236cd15c122adaa9537efc18216c394ba368ab0e391afe40b3dd6130dc1c60bb812da616f37897725c0ea6a695a93e9b25eb665f82bca870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
906e8dd59115761a98c0308313a2ad3b

SHA1
b2f9debeea9624b2e64e8062bf40382318cc42bd

SHA256
56d6788b4b40af4a7c0329a9d91b1b4407beef8bd9395ef852851f53a3d36dcf

SHA512
18cbbddc8e85acb236cd15c122adaa9537efc18216c394ba368ab0e391afe40b3dd6130dc1c60bb812da616f37897725c0ea6a695a93e9b25eb665f82bca870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
906e8dd59115761a98c0308313a2ad3b

SHA1
b2f9debeea9624b2e64e8062bf40382318cc42bd

SHA256
56d6788b4b40af4a7c0329a9d91b1b4407beef8bd9395ef852851f53a3d36dcf

SHA512
18cbbddc8e85acb236cd15c122adaa9537efc18216c394ba368ab0e391afe40b3dd6130dc1c60bb812da616f37897725c0ea6a695a93e9b25eb665f82bca870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD74E.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD78F.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1E20J.tmp\is-1386E.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1E20J.tmp\is-1386E.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
292KB

MD5
39baa178f1fc5ec2111eb95008ee6e38

SHA1
8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256
0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74

SHA512
3b50e27da905b4c8cd8a5dcc7c4c37015d1c1bc3187f1572d3bea7caffdd278a00f73844024cc04d06f47374425fc4c7cbfa4752678f9f40269d2979369b2d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
292KB

MD5
39baa178f1fc5ec2111eb95008ee6e38

SHA1
8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256
0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74

SHA512
3b50e27da905b4c8cd8a5dcc7c4c37015d1c1bc3187f1572d3bea7caffdd278a00f73844024cc04d06f47374425fc4c7cbfa4752678f9f40269d2979369b2d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
292KB

MD5
39baa178f1fc5ec2111eb95008ee6e38

SHA1
8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256
0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74

SHA512
3b50e27da905b4c8cd8a5dcc7c4c37015d1c1bc3187f1572d3bea7caffdd278a00f73844024cc04d06f47374425fc4c7cbfa4752678f9f40269d2979369b2d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
292KB

MD5
39baa178f1fc5ec2111eb95008ee6e38

SHA1
8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256
0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74

SHA512
3b50e27da905b4c8cd8a5dcc7c4c37015d1c1bc3187f1572d3bea7caffdd278a00f73844024cc04d06f47374425fc4c7cbfa4752678f9f40269d2979369b2d74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2143eaf89f2f72ee0bd3a38004f61a67

SHA1
227fcdb840b1e0e292e935dd0b50eec2f7308a16

SHA256
9796950ce056a35f678e5ab118a45bb17daccba04fcd353a0162753daa7bbbee

SHA512
47fc0b72851846f1a499c4cb9a107a7a48e82593e76bec643eee2ccbc8c56090d9d8f2092857b9127bd8153a087d17ae466607873e0464f4a4a193a8d3575247

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9W9D3OI14RPK2C4H1EFA.temp
Filesize
7KB

MD5
2143eaf89f2f72ee0bd3a38004f61a67

SHA1
227fcdb840b1e0e292e935dd0b50eec2f7308a16

SHA256
9796950ce056a35f678e5ab118a45bb17daccba04fcd353a0162753daa7bbbee

SHA512
47fc0b72851846f1a499c4cb9a107a7a48e82593e76bec643eee2ccbc8c56090d9d8f2092857b9127bd8153a087d17ae466607873e0464f4a4a193a8d3575247

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
906e8dd59115761a98c0308313a2ad3b

SHA1
b2f9debeea9624b2e64e8062bf40382318cc42bd

SHA256
56d6788b4b40af4a7c0329a9d91b1b4407beef8bd9395ef852851f53a3d36dcf

SHA512
18cbbddc8e85acb236cd15c122adaa9537efc18216c394ba368ab0e391afe40b3dd6130dc1c60bb812da616f37897725c0ea6a695a93e9b25eb665f82bca870e

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
906e8dd59115761a98c0308313a2ad3b

SHA1
b2f9debeea9624b2e64e8062bf40382318cc42bd

SHA256
56d6788b4b40af4a7c0329a9d91b1b4407beef8bd9395ef852851f53a3d36dcf

SHA512
18cbbddc8e85acb236cd15c122adaa9537efc18216c394ba368ab0e391afe40b3dd6130dc1c60bb812da616f37897725c0ea6a695a93e9b25eb665f82bca870e

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
\Users\Admin\AppData\Local\Temp\is-1E20J.tmp\is-1386E.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
\Users\Admin\AppData\Local\Temp\is-9R3AT.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-9R3AT.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-9R3AT.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9R3AT.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
292KB

MD5
39baa178f1fc5ec2111eb95008ee6e38

SHA1
8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256
0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74

SHA512
3b50e27da905b4c8cd8a5dcc7c4c37015d1c1bc3187f1572d3bea7caffdd278a00f73844024cc04d06f47374425fc4c7cbfa4752678f9f40269d2979369b2d74

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
292KB

MD5
39baa178f1fc5ec2111eb95008ee6e38

SHA1
8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256
0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74

SHA512
3b50e27da905b4c8cd8a5dcc7c4c37015d1c1bc3187f1572d3bea7caffdd278a00f73844024cc04d06f47374425fc4c7cbfa4752678f9f40269d2979369b2d74

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
292KB

MD5
39baa178f1fc5ec2111eb95008ee6e38

SHA1
8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256
0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74

SHA512
3b50e27da905b4c8cd8a5dcc7c4c37015d1c1bc3187f1572d3bea7caffdd278a00f73844024cc04d06f47374425fc4c7cbfa4752678f9f40269d2979369b2d74

Download Submit
\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
4c05c54dd3007dced398eb41ab68992f

SHA1
1a737edff587c6acc830c8897ccf6128c718530c

SHA256
7a0417d7440e50f8156d6487b9e58fd1c5cb55eafe6e2dc95ab1627f7b099e6a

SHA512
71c1ebd7b0e6038fda5d970af409bf1a00171c44ade366482226348907e335abbd32c4daa89b0e3407f272e0302a9c0900120aec5ff57041fc26c91951815ca0

Download Submit
memory/928-199-0x0000000000BE0000-0x0000000000DD1000-memory.dmp

Filesize
1.9MB

Download
memory/928-198-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/928-273-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/928-238-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/928-201-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/928-200-0x0000000000BE0000-0x0000000000DD1000-memory.dmp

Filesize
1.9MB

Download
memory/928-155-0x0000000000BE0000-0x0000000000DD1000-memory.dmp

Filesize
1.9MB

Download
memory/928-154-0x0000000000BE0000-0x0000000000DD1000-memory.dmp

Filesize
1.9MB

Download
memory/928-153-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/928-333-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1276-118-0x0000000002B40000-0x0000000002B56000-memory.dmp

Filesize
88KB

Download
memory/1816-181-0x000007FEEE900000-0x000007FEEF29D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-176-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/1816-177-0x000007FEEE900000-0x000007FEEF29D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-175-0x000007FEEE900000-0x000007FEEF29D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-172-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/1816-178-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/1816-171-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/1816-179-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/1964-120-0x00000000009F0000-0x0000000000BE1000-memory.dmp

Filesize
1.9MB

Download
memory/1964-119-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1964-121-0x00000000009F0000-0x0000000000BE1000-memory.dmp

Filesize
1.9MB

Download
memory/1964-142-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1964-146-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2060-0-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-1-0x00000000009C0000-0x0000000001978000-memory.dmp

Filesize
15.7MB

Download
memory/2060-73-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-128-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-241-0x0000000004150000-0x0000000004548000-memory.dmp

Filesize
4.0MB

Download
memory/2192-239-0x0000000004150000-0x0000000004548000-memory.dmp

Filesize
4.0MB

Download
memory/2192-271-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2192-327-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2192-357-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2272-36-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2272-38-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2292-76-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-29-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-27-0x0000000000B50000-0x0000000000CC4000-memory.dmp

Filesize
1.5MB

Download
memory/2496-234-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2496-225-0x0000000004090000-0x0000000004488000-memory.dmp

Filesize
4.0MB

Download
memory/2496-223-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2496-220-0x0000000004090000-0x0000000004488000-memory.dmp

Filesize
4.0MB

Download
memory/2560-180-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2560-129-0x00000000012D0000-0x00000000012D8000-memory.dmp

Filesize
32KB

Download
memory/2560-130-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2560-136-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2560-174-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2588-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2588-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-135-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2596-113-0x0000000003700000-0x00000000038F1000-memory.dmp

Filesize
1.9MB

Download
memory/2596-157-0x0000000003700000-0x00000000038F1000-memory.dmp

Filesize
1.9MB

Download
memory/2596-156-0x0000000003700000-0x00000000038F1000-memory.dmp

Filesize
1.9MB

Download
memory/2596-205-0x0000000003700000-0x00000000038F1000-memory.dmp

Filesize
1.9MB

Download
memory/2672-210-0x000000013F890000-0x000000013FE31000-memory.dmp

Filesize
5.6MB

Download
memory/2672-203-0x000000013F890000-0x000000013FE31000-memory.dmp

Filesize
5.6MB

Download
memory/2672-165-0x000000013F890000-0x000000013FE31000-memory.dmp

Filesize
5.6MB

Download
memory/2672-133-0x000000013F890000-0x000000013FE31000-memory.dmp

Filesize
5.6MB

Download
memory/2700-354-0x000000013FAD0000-0x0000000140071000-memory.dmp

Filesize
5.6MB

Download
memory/2700-236-0x000000013FAD0000-0x0000000140071000-memory.dmp

Filesize
5.6MB

Download
memory/2704-109-0x00000000042D0000-0x0000000004BBB000-memory.dmp

Filesize
8.9MB

Download
memory/2704-127-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2704-215-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2704-134-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2704-166-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2704-145-0x0000000003ED0000-0x00000000042C8000-memory.dmp

Filesize
4.0MB

Download
memory/2704-99-0x0000000003ED0000-0x00000000042C8000-memory.dmp

Filesize
4.0MB

Download
memory/2704-108-0x0000000003ED0000-0x00000000042C8000-memory.dmp

Filesize
4.0MB

Download
memory/2704-159-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2704-204-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2788-222-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2788-240-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2788-237-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2788-219-0x0000000004000000-0x00000000043F8000-memory.dmp

Filesize
4.0MB

Download
memory/2788-221-0x0000000004000000-0x00000000043F8000-memory.dmp

Filesize
4.0MB

Download
memory/2788-242-0x0000000004000000-0x00000000043F8000-memory.dmp

Filesize
4.0MB

Download
memory/2900-194-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/2900-190-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2900-188-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/2900-191-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/2900-189-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/2900-206-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/2900-193-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/2900-196-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/2900-192-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-355-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/2920-122-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3044-137-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3044-77-0x0000000003F70000-0x0000000004368000-memory.dmp

Filesize
4.0MB

Download
memory/3044-131-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3044-158-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3044-126-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3044-195-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3044-217-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3044-66-0x0000000003F70000-0x0000000004368000-memory.dmp

Filesize
4.0MB

Download
memory/3044-160-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3044-96-0x0000000004370000-0x0000000004C5B000-memory.dmp

Filesize
8.9MB

Download
memory/3044-144-0x0000000004370000-0x0000000004C5B000-memory.dmp

Filesize
8.9MB

Download