7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09/10/2023, 06:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe
Size

271KB
MD5

3f09ffedc72407fd97d74d2f72f0a632
SHA1

93fbef69ff05a1b785668ca5dd4a79dd659124b2
SHA256

7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1
SHA512

fee971b70bcfb16fdf3af5c13cb00609f506aeb1ac3fd10778eaa3302dae2a50d390e455e8755c495977f9ba2720d793321562806cf70949df80638856eb0a90
SSDEEP

6144:3l51orRJXlDixHkUXe35rGcEOkCybEaQRXr9HNdvOa:ZqXUHkUXe39sOkx2LIa

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\SsqxNed.sys	bitsadmin.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	ec2d0987
1748	bitsadmin.exe

Loads dropped DLL 1 IoCs

pid	Process
1204	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000CC0000-0x0000000000D49000-memory.dmp	upx
behavioral1/memory/3056-3-0x0000000000A60000-0x0000000000AE9000-memory.dmp	upx
behavioral1/files/0x00080000000120be-2.dat	upx
behavioral1/memory/2200-40-0x0000000000CC0000-0x0000000000D49000-memory.dmp	upx
behavioral1/memory/3056-44-0x0000000000A60000-0x0000000000AE9000-memory.dmp	upx
behavioral1/memory/2200-49-0x0000000000CC0000-0x0000000000D49000-memory.dmp	upx
behavioral1/memory/3056-53-0x0000000000A60000-0x0000000000AE9000-memory.dmp	upx
behavioral1/memory/3056-102-0x0000000000A60000-0x0000000000AE9000-memory.dmp	upx
behavioral1/files/0x00080000000120be-112.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Syswow64\ec2d0987	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	ec2d0987
File created	C:\Windows\system32\ \Windows\System32\WVBG23Jn.sys	bitsadmin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	ec2d0987
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	ec2d0987

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\bitsadmin.exe	Explorer.EXE
File opened for modification	C:\Program Files\bitsadmin.exe	Explorer.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HP6KhH.sys	bitsadmin.exe
File opened for modification	C:\Windows\3451e0	ec2d0987

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2372	timeout.exe
580	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	bitsadmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	bitsadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ec2d0987
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-56-2b-3b-b9-34	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ec2d0987
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA16FA63-3F0B-4D5B-A563-941497496C8C}\d2-56-2b-3b-b9-34	ec2d0987
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ec2d0987
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-56-2b-3b-b9-34\WpadDecision = "0"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ec2d0987
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA16FA63-3F0B-4D5B-A563-941497496C8C}\WpadDecisionTime = e028e03079fad901	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA16FA63-3F0B-4D5B-A563-941497496C8C}	ec2d0987
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-56-2b-3b-b9-34\WpadDecisionTime = e028e03079fad901	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	ec2d0987
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ec2d0987
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-56-2b-3b-b9-34\WpadDecisionReason = "1"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ec2d0987
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ec2d0987
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ec2d0987
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ec2d0987
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA16FA63-3F0B-4D5B-A563-941497496C8C}\WpadDecisionReason = "1"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	ec2d0987
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ec2d0987
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA16FA63-3F0B-4D5B-A563-941497496C8C}\WpadNetworkName = "Network 2"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ec2d0987
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA16FA63-3F0B-4D5B-A563-941497496C8C}\WpadDecision = "0"	ec2d0987
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ec2d0987
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ec2d0987
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ec2d0987

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ec2d0987
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ec2d0987
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ec2d0987
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ec2d0987
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	bitsadmin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	ec2d0987
3056	ec2d0987
3056	ec2d0987
3056	ec2d0987
3056	ec2d0987
3056	ec2d0987
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
3056	ec2d0987
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe
Token: SeTcbPrivilege	2200	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe
Token: SeDebugPrivilege	3056	ec2d0987
Token: SeTcbPrivilege	3056	ec2d0987
Token: SeDebugPrivilege	3056	ec2d0987
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2200	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe
Token: SeDebugPrivilege	3056	ec2d0987
Token: SeDebugPrivilege	1748	bitsadmin.exe
Token: SeDebugPrivilege	1748	bitsadmin.exe
Token: SeDebugPrivilege	1748	bitsadmin.exe
Token: SeIncBasePriorityPrivilege	3056	ec2d0987
Token: SeDebugPrivilege	1748	bitsadmin.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe
1748	bitsadmin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1748	bitsadmin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1204	3056	ec2d0987	27
PID 3056 wrote to memory of 1204	3056	ec2d0987	27
PID 3056 wrote to memory of 1204	3056	ec2d0987	27
PID 3056 wrote to memory of 1204	3056	ec2d0987	27
PID 3056 wrote to memory of 1204	3056	ec2d0987	27
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	30
PID 3056 wrote to memory of 420	3056	ec2d0987	5
PID 3056 wrote to memory of 420	3056	ec2d0987	5
PID 3056 wrote to memory of 420	3056	ec2d0987	5
PID 3056 wrote to memory of 420	3056	ec2d0987	5
PID 3056 wrote to memory of 420	3056	ec2d0987	5
PID 2200 wrote to memory of 1720	2200	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe	33
PID 2200 wrote to memory of 1720	2200	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe	33
PID 2200 wrote to memory of 1720	2200	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe	33
PID 2200 wrote to memory of 1720	2200	7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe	33
PID 1720 wrote to memory of 2372	1720	cmd.exe	35
PID 1720 wrote to memory of 2372	1720	cmd.exe	35
PID 1720 wrote to memory of 2372	1720	cmd.exe	35
PID 1720 wrote to memory of 2372	1720	cmd.exe	35
PID 3056 wrote to memory of 2496	3056	ec2d0987	36
PID 3056 wrote to memory of 2496	3056	ec2d0987	36
PID 3056 wrote to memory of 2496	3056	ec2d0987	36
PID 3056 wrote to memory of 2496	3056	ec2d0987	36
PID 2496 wrote to memory of 580	2496	cmd.exe	38
PID 2496 wrote to memory of 580	2496	cmd.exe	38
PID 2496 wrote to memory of 580	2496	cmd.exe	38
PID 2496 wrote to memory of 580	2496	cmd.exe	38
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27
PID 1748 wrote to memory of 1204	1748	bitsadmin.exe	27

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe
  "C:\Users\Admin\AppData\Local\Temp\7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\7a16eab1a33c180123fc460f88003b5724b76367fafe57bf67304e30c4f15ec1.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2372
- C:\Program Files\bitsadmin.exe
  "C:\Program Files\bitsadmin.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748

C:\Windows\Syswow64\ec2d0987
C:\Windows\Syswow64\ec2d0987
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\ec2d0987"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\bitsadmin.exe

Filesize
227KB

MD5
dc81872e3e6bca39b322a7fa1a044040

SHA1
79f880e63e5640353451aa0a3e67cb4912c7d070

SHA256
2990813e869a0a5c7706938a8136bca09046623a8225b24b54f76ac4126efbb0

SHA512
57a17125acf4b39d111d293a80b70c6c770a996015e13dd120b9b40e2069127c51df4403b837b71bb06977cf95dfc270dbd643be4d95fa0581763fd2a408ce82

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA959.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\SysWOW64\ec2d0987

Filesize
271KB

MD5
035b3126ec16837489e35bd6b0712524

SHA1
45649aa8c9f3c51041a0c4d31cf3c634d24ed068

SHA256
e3c3f4a24ab93528ea8f618727822ed17609752d86f2e973fc695ce7a0c8fd52

SHA512
b672f0dece56832417768e1ffb0986db58530ccbc1282623f9aea29d23c7dcfd1b1dc51a333cb6fc071d87596e9d285d2a42ed85fcbf9d056ae55137922e074f

Download Submit
C:\Windows\Syswow64\ec2d0987

Filesize
271KB

MD5
035b3126ec16837489e35bd6b0712524

SHA1
45649aa8c9f3c51041a0c4d31cf3c634d24ed068

SHA256
e3c3f4a24ab93528ea8f618727822ed17609752d86f2e973fc695ce7a0c8fd52

SHA512
b672f0dece56832417768e1ffb0986db58530ccbc1282623f9aea29d23c7dcfd1b1dc51a333cb6fc071d87596e9d285d2a42ed85fcbf9d056ae55137922e074f

Download Submit
C:\Windows\Temp\TarAAA4.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\Program Files\bitsadmin.exe

Filesize
227KB

MD5
dc81872e3e6bca39b322a7fa1a044040

SHA1
79f880e63e5640353451aa0a3e67cb4912c7d070

SHA256
2990813e869a0a5c7706938a8136bca09046623a8225b24b54f76ac4126efbb0

SHA512
57a17125acf4b39d111d293a80b70c6c770a996015e13dd120b9b40e2069127c51df4403b837b71bb06977cf95dfc270dbd643be4d95fa0581763fd2a408ce82

Download Submit
memory/420-70-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/420-50-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/420-48-0x00000000007E0000-0x00000000007E3000-memory.dmp

Filesize
12KB

Download
memory/1204-134-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-158-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-172-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-173-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-170-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-171-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-168-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-169-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-166-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-167-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-165-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-26-0x0000000006310000-0x0000000006407000-memory.dmp

Filesize
988KB

Download
memory/1204-164-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-24-0x0000000002A00000-0x0000000002A03000-memory.dmp

Filesize
12KB

Download
memory/1204-23-0x0000000002A00000-0x0000000002A03000-memory.dmp

Filesize
12KB

Download
memory/1204-21-0x0000000002A00000-0x0000000002A03000-memory.dmp

Filesize
12KB

Download
memory/1204-162-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-163-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-113-0x0000000006310000-0x0000000006407000-memory.dmp

Filesize
988KB

Download
memory/1204-161-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-135-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-138-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-159-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-142-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-157-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-156-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-155-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-154-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-153-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-152-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-150-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-151-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-149-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-147-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-132-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-148-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-145-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-146-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-144-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-143-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-160-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-137-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-139-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-140-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1204-141-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1748-116-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/1748-118-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/1748-37-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/1748-131-0x00000000037C0000-0x0000000003860000-memory.dmp

Filesize
640KB

Download
memory/1748-133-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1748-186-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1748-129-0x0000000001EA0000-0x0000000001EAF000-memory.dmp

Filesize
60KB

Download
memory/1748-128-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1748-127-0x00000000037C0000-0x0000000003860000-memory.dmp

Filesize
640KB

Download
memory/1748-126-0x00000000037C0000-0x0000000003860000-memory.dmp

Filesize
640KB

Download
memory/1748-125-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1748-136-0x0000000001E00000-0x0000000001E10000-memory.dmp

Filesize
64KB

Download
memory/1748-123-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/1748-122-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1748-121-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1748-120-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1748-119-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1748-124-0x0000000001EA0000-0x0000000001EAF000-memory.dmp

Filesize
60KB

Download
memory/1748-117-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/1748-114-0x0000000037C50000-0x0000000037C60000-memory.dmp

Filesize
64KB

Download
memory/1748-185-0x00000000037C0000-0x0000000003860000-memory.dmp

Filesize
640KB

Download
memory/1748-32-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1748-42-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/1748-30-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/1748-41-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/1748-46-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/1748-45-0x000007FEBF1E0000-0x000007FEBF1F0000-memory.dmp

Filesize
64KB

Download
memory/2200-49-0x0000000000CC0000-0x0000000000D49000-memory.dmp

Filesize
548KB

Download
memory/2200-40-0x0000000000CC0000-0x0000000000D49000-memory.dmp

Filesize
548KB

Download
memory/2200-0-0x0000000000CC0000-0x0000000000D49000-memory.dmp

Filesize
548KB

Download
memory/3056-44-0x0000000000A60000-0x0000000000AE9000-memory.dmp

Filesize
548KB

Download
memory/3056-53-0x0000000000A60000-0x0000000000AE9000-memory.dmp

Filesize
548KB

Download
memory/3056-102-0x0000000000A60000-0x0000000000AE9000-memory.dmp

Filesize
548KB

Download
memory/3056-3-0x0000000000A60000-0x0000000000AE9000-memory.dmp

Filesize
548KB

Download