djvu | c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826

Analysis

max time kernel
103s
max time network
307s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe
Size

278KB
MD5

75ea13f371b1b24565a9eb41a7a8a5fc
SHA1

b3b1cfbda85b6922ed57b88917d893870c9c622c
SHA256

c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826
SHA512

b643a77b30f19e2632b40ee57dc903209de0154910d461ccffef37562323e6768dc56c0cdf80f03ce48cf73545da3dc9eb5870430aea16bfa0489b895985303a
SSDEEP

3072:OLq02r09y4hMEjnCW187d5gsAE2tB7QEG/L5QC/aT:iM6ygMEZuIsAFz0O

Score

10^/10

djvu glupteba redline smokeloader stealc logsdiller cloud (tg: @logsdillabot)up3 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

rc4.i32

Extracted

Family

stealc

http://91.103.253.171

Attributes

url_path
/ed9891f07f96bfb8.php

rc4.plain

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.mlap
offline_id
FjtJkuhRHnUARRt9GnbbgUTa6ErhJq4ZM668xSt1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xN3VuzQl0a Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0804JOsie

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.255.152.132:36011

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detected Djvu ransomware 17 IoCs

resource	yara_rule
behavioral1/memory/2748-39-0x0000000003B40000-0x0000000003C5B000-memory.dmp	family_djvu
behavioral1/memory/2676-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2676-48-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2676-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2652-62-0x0000000004670000-0x000000000478B000-memory.dmp	family_djvu
behavioral1/memory/2676-115-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-170-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-236-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-233-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-278-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-277-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-271-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-286-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-292-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-299-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2696-324-0x00000000037B0000-0x00000000039A1000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral1/memory/1668-293-0x0000000000400000-0x0000000002FB3000-memory.dmp	family_glupteba
behavioral1/memory/1668-351-0x0000000004D10000-0x00000000055FB000-memory.dmp	family_glupteba
behavioral1/memory/1668-364-0x0000000000400000-0x0000000002FB3000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2844-80-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2844-81-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2844-84-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2844-89-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2844-91-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 1500 created 1200	1500	dsefix.exe	14
PID 1500 created 1200	1500	dsefix.exe	14
PID 1500 created 1200	1500	dsefix.exe	14
PID 1500 created 1200	1500	dsefix.exe	14
PID 1500 created 1200	1500	dsefix.exe	14

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2332	bcdedit.exe
924	bcdedit.exe
2476	bcdedit.exe
1592	bcdedit.exe
1860	bcdedit.exe
1584	bcdedit.exe
2352	bcdedit.exe
2136	bcdedit.exe
2740	bcdedit.exe
2716	bcdedit.exe
2640	bcdedit.exe
2524	bcdedit.exe
2864	bcdedit.exe
2664	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	dsefix.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
592	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
1200	Explorer.EXE

Executes dropped EXE 22 IoCs

pid	Process
2652	83FF.exe
2736	8670.exe
2748	898C.exe
2676	898C.exe
1988	9689.exe
1428	CB21.exe
2076	898C.exe
3028	toolspub2.exe
1668	31839b57a4f11171d6abc8bbc4451ee4.exe
268	898C.exe
1892	Setup.exe
2592	powershell.exe
1500	latestX.exe
1320	set16.exe
808	kos.exe
2696	is-JBQTU.tmp
2572	previewer.exe
1752	build3.exe
1928	previewer.exe
1820	build3.exe
2628	31839b57a4f11171d6abc8bbc4451ee4.exe
1504	updater.exe

Loads dropped DLL 35 IoCs

pid	Process
2748	898C.exe
2580	regsvr32.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2676	898C.exe
2676	898C.exe
1428	CB21.exe
1428	CB21.exe
2076	898C.exe
1428	CB21.exe
1428	CB21.exe
1428	CB21.exe
1428	CB21.exe
1428	CB21.exe
2592	powershell.exe
1320	set16.exe
1320	set16.exe
1320	set16.exe
2592	powershell.exe
1320	set16.exe
2696	is-JBQTU.tmp
2696	is-JBQTU.tmp
2696	is-JBQTU.tmp
2696	is-JBQTU.tmp
2696	is-JBQTU.tmp
2572	previewer.exe
2572	previewer.exe
268	898C.exe
268	898C.exe
2696	is-JBQTU.tmp
1928	previewer.exe
1928	previewer.exe
2108	taskeng.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1296	icacls.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\24c2e412-d6c9-4a6f-85a9-f8d5bb6cd27e\\898C.exe\" --AutoStart"	898C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.2ip.ua
17	api.2ip.ua
27	api.2ip.ua

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Process not Found
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2676	2748	898C.exe	32
PID 1988 set thread context of 2844	1988	9689.exe	36
PID 2076 set thread context of 268	2076	898C.exe	45
PID 1752 set thread context of 1820	1752	build3.exe	62
PID 1892 set thread context of 1704	1892	Process not Found	66

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-JBQTU.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-JBQTU.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	dsefix.exe
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-JBQTU.tmp
File created	C:\Program Files (x86)\PA Previewer\is-9UCG7.tmp	is-JBQTU.tmp
File created	C:\Program Files (x86)\PA Previewer\is-CHNFO.tmp	is-JBQTU.tmp
File created	C:\Program Files (x86)\PA Previewer\is-9GEGK.tmp	is-JBQTU.tmp
File created	C:\Program Files (x86)\PA Previewer\is-1BA59.tmp	is-JBQTU.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20231010034544.cab	makecab.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2912	sc.exe
2316	sc.exe
2392	sc.exe
2148	sc.exe
856	sc.exe
1960	sc.exe
888	sc.exe
540	sc.exe
1960	sc.exe
1576	sc.exe
1604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2252	1988	WerFault.exe	35
2212	1704	WerFault.exe	66

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8670.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8670.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1164	schtasks.exe
1776	schtasks.exe
3048	schtasks.exe
2948	schtasks.exe
2140	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe
1300	c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1300	c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeDebugPrivilege	2572	previewer.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeDebugPrivilege	808	kos.exe
Token: SeDebugPrivilege	1928	previewer.exe
Token: SeDebugPrivilege	1892	Process not Found
Token: SeDebugPrivilege	812	Process not Found
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeDebugPrivilege	2844	AppLaunch.exe
Token: SeShutdownPrivilege	2656	DllHost.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeShutdownPrivilege	2616	conhost.exe
Token: SeShutdownPrivilege	2640	bcdedit.exe
Token: SeDebugPrivilege	1668	cmd.exe
Token: SeImpersonatePrivilege	1668	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2652	1200	Explorer.EXE	28
PID 1200 wrote to memory of 2652	1200	Explorer.EXE	28
PID 1200 wrote to memory of 2652	1200	Explorer.EXE	28
PID 1200 wrote to memory of 2652	1200	Explorer.EXE	28
PID 1200 wrote to memory of 2736	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2736	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2736	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2736	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2748	1200	Explorer.EXE	30
PID 1200 wrote to memory of 2748	1200	Explorer.EXE	30
PID 1200 wrote to memory of 2748	1200	Explorer.EXE	30
PID 1200 wrote to memory of 2748	1200	Explorer.EXE	30
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 2748 wrote to memory of 2676	2748	898C.exe	32
PID 1200 wrote to memory of 2540	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2540	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2540	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2540	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2540	1200	Explorer.EXE	33
PID 2540 wrote to memory of 2580	2540	regsvr32.exe	34
PID 2540 wrote to memory of 2580	2540	regsvr32.exe	34
PID 2540 wrote to memory of 2580	2540	regsvr32.exe	34
PID 2540 wrote to memory of 2580	2540	regsvr32.exe	34
PID 2540 wrote to memory of 2580	2540	regsvr32.exe	34
PID 2540 wrote to memory of 2580	2540	regsvr32.exe	34
PID 2540 wrote to memory of 2580	2540	regsvr32.exe	34
PID 1200 wrote to memory of 1988	1200	Explorer.EXE	35
PID 1200 wrote to memory of 1988	1200	Explorer.EXE	35
PID 1200 wrote to memory of 1988	1200	Explorer.EXE	35
PID 1200 wrote to memory of 1988	1200	Explorer.EXE	35
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 1988 wrote to memory of 2844	1988	9689.exe	36
PID 2676 wrote to memory of 1296	2676	898C.exe	37
PID 2676 wrote to memory of 1296	2676	898C.exe	37
PID 2676 wrote to memory of 1296	2676	898C.exe	37
PID 2676 wrote to memory of 1296	2676	898C.exe	37
PID 1988 wrote to memory of 2252	1988	9689.exe	38
PID 1988 wrote to memory of 2252	1988	9689.exe	38
PID 1988 wrote to memory of 2252	1988	9689.exe	38
PID 1988 wrote to memory of 2252	1988	9689.exe	38
PID 1200 wrote to memory of 1428	1200	Explorer.EXE	40
PID 1200 wrote to memory of 1428	1200	Explorer.EXE	40
PID 1200 wrote to memory of 1428	1200	Explorer.EXE	40
PID 1200 wrote to memory of 1428	1200	Explorer.EXE	40
PID 2676 wrote to memory of 2076	2676	898C.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conhost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe
  "C:\Users\Admin\AppData\Local\Temp\c5cdd5442277cadf2c11aa3122a70608c24db1a457b79923d8bf208b8d63e826.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\83FF.exe
  C:\Users\Admin\AppData\Local\Temp\83FF.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\8670.exe
  C:\Users\Admin\AppData\Local\Temp\8670.exe
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\898C.exe
  C:\Users\Admin\AppData\Local\Temp\898C.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\898C.exe
    C:\Users\Admin\AppData\Local\Temp\898C.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\24c2e412-d6c9-4a6f-85a9-f8d5bb6cd27e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\898C.exe
      "C:\Users\Admin\AppData\Local\Temp\898C.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\898C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\898C.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:268
      - C:\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe
        
        "C:\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe
        
        "C:\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe"
        7⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:2948
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9456.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\9456.dll
    3⤵
    - Loads dropped DLL
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\9689.exe
  C:\Users\Admin\AppData\Local\Temp\9689.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2252
- C:\Users\Admin\AppData\Local\Temp\CB21.exe
  C:\Users\Admin\AppData\Local\Temp\CB21.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:2628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2896
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:592
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:2084
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1164
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        
        PID:884
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2332
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:924
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2476
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1592
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1860
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1584
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2352
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2136
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2740
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2716
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2524
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2864
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Drops file in Program Files directory
        
        PID:1500
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3048
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:1960
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 44
        5⤵
        Program crash
        
        PID:2212
- - C:\Users\Admin\AppData\Local\Temp\kos1.exe
    "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
    3⤵
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\set16.exe
      "C:\Users\Admin\AppData\Local\Temp\set16.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\is-QFOLR.tmp\is-JBQTU.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QFOLR.tmp\is-JBQTU.tmp" /SL4 $9015C "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2696
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        6⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        7⤵
        
        PID:2764
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\kos.exe
      "C:\Users\Admin\AppData\Local\Temp\kos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Executes dropped EXE
    PID:1500
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1100
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:812
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2016
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2912
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:888
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2316
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:540
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2140
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1680
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2656
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2616
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2640
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1768
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1092
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2148
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1960
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1576
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1604
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:2492
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1776
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1484
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1724
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3000
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:568
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1920
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-987785272-572963450-101936731316237350231697168886341799856331353432-2016376130"
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1100

C:\Windows\system32\taskeng.exe
taskeng.exe {97D92649-A99E-4299-A7C6-221E59BB497D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2108
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Executes dropped EXE
  PID:1504

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010034544.log C:\Windows\Logs\CBS\CbsPersist_20231010034544.cab
1⤵
- Drops file in Windows directory
PID:1968

C:\Windows\system32\taskeng.exe
taskeng.exe {8F976AA0-60A1-4C6A-985B-21E1F95CC751} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
1⤵
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-903243358-2128030612-1036477980-858481183-16662219651360893536-8354501781453456566"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
c8c559002f7c83d448f34537d3b7f8cb

SHA1
f50d00c3ce3a3b596865c18539715fb19074fdef

SHA256
4a9f164463e8d76ca3f191a36352298eac183ded3d956f8cf79a26d8b7dd884c

SHA512
fcbd362c2db2d65cab5b058ed486606655b6130c1729442fd0dcdecdb306d4c2a8b8ea0e049519c5660a4d222b537a648508dc4e278f9d9d993363bcb7d5afc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
67a657fd4aa54dc1434c6f3b9c763418

SHA1
8670d9e02a8a9c446389868f5c90ea3d498f249d

SHA256
4cf25eeb0e2817fa52661671fbddbd1f5ad0b7d8beee0c372c802bd602a867dc

SHA512
5caecde01ae3d2a73a7b4c210e8d8ead67636f73827c5661be96c8ed578067ecca6f2658c8346ac8d8db95b87422ff6ee6d4cfcd80c12e89d321aa5e6ad5c772

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c0f52ba026147645bef8bd870b09fef

SHA1
7776baa8c1622af8d18db35f08e20e286c34b88c

SHA256
a74ecfa740c82ab6af313b7bcf588f2140821fe8cfede40bacfea590b228f890

SHA512
8bb17957b753c678eb9f82dd3e1954b2404891717027867e83b3127abb1b7618e9226baf66f32aa95bc18c56566a030f577d29b0643f9cf763faed4521b2448b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
b8c973942d6701c6eced97b25a914482

SHA1
cc7008192ed2862e999158012bc01619cda6d240

SHA256
7b28f0129fa7f984b59fa97206794f6dba8ee9f95818a3f7c3c262b5a9ef3ca0

SHA512
ec0ec085e8faf8c63c43dba6e5126af1e76d1e81b85056b753a6f6b5c5ce0e13670c898d7dcdcfa3afaa65c2585fca5d39ae87b90c3e2853d50737f77e1d2df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
13683536c732118d5976e83ad8717fb4

SHA1
d5924fba559c9f5736a7f54dc2d25e86732a2957

SHA256
ca28d319adecbb9e7a3f096789f2b9f25f1c40301c9fe3801f3bf02ec6ab132a

SHA512
e7d0f5a6fecc4018b7599ddd133f1d82daebb309f9c7ac1263c9639744041d1ef1b0324f73a924356643edbd20878f9644b0b33e441c79ffb8f35d5ac9a94051

Download Submit
C:\Users\Admin\AppData\Local\24c2e412-d6c9-4a6f-85a9-f8d5bb6cd27e\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
9066252ec48e20ddd82d2ec928cb7867

SHA1
222cbf0415a3166b1f55ff1ba293c4f8b5b840c8

SHA256
97501b83431f3b3f369d96c268ef1de99d588e74f0b28d7b853ff3ebf259f96c

SHA512
4be0962e8cfdb2e723b87a76c9b43c5d3bb5e432e7ef3f28146056ec0cb854256a0a67c44fd9fabfbb66e5f150047890b76bab3d5bf86175a94e33d9d6f4e7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
9066252ec48e20ddd82d2ec928cb7867

SHA1
222cbf0415a3166b1f55ff1ba293c4f8b5b840c8

SHA256
97501b83431f3b3f369d96c268ef1de99d588e74f0b28d7b853ff3ebf259f96c

SHA512
4be0962e8cfdb2e723b87a76c9b43c5d3bb5e432e7ef3f28146056ec0cb854256a0a67c44fd9fabfbb66e5f150047890b76bab3d5bf86175a94e33d9d6f4e7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\83FF.exe

Filesize
690KB

MD5
1ebfeeb76df7e40ec991d45a7838092f

SHA1
549618dfe1fbe6a7067a5c626d1836fb85ea27db

SHA256
a15099a75cba35273d491725b6c704d4f6e242e163d728c9617b4ffef6894a2d

SHA512
63a4f12b9053d661e135985ad319e8beed2931218bd07b1f876bc03ba6036d203cf3e894760c95dfe09b851b337cd4899af3b359b43d17af8543de0c767427dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\83FF.exe

Filesize
690KB

MD5
1ebfeeb76df7e40ec991d45a7838092f

SHA1
549618dfe1fbe6a7067a5c626d1836fb85ea27db

SHA256
a15099a75cba35273d491725b6c704d4f6e242e163d728c9617b4ffef6894a2d

SHA512
63a4f12b9053d661e135985ad319e8beed2931218bd07b1f876bc03ba6036d203cf3e894760c95dfe09b851b337cd4899af3b359b43d17af8543de0c767427dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8670.exe

Filesize
284KB

MD5
c95ce5b6cd63186301890503b7c536c3

SHA1
a5347ab0498d68cb9d10f8cc375bd7978130258d

SHA256
22a1ff3ccf315ba3d16f06b504e8aa0c3e87f23581b5b298fee772fbc6276f32

SHA512
d584d4aa2fcc2d8d07a300cd8286913f017eab5641d01e278b8a0ec0e0dda7446cc6002a5811229717d3399f3cc77b82264b6dcc79efd86793c79c792cc2fa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\8670.exe

Filesize
284KB

MD5
c95ce5b6cd63186301890503b7c536c3

SHA1
a5347ab0498d68cb9d10f8cc375bd7978130258d

SHA256
22a1ff3ccf315ba3d16f06b504e8aa0c3e87f23581b5b298fee772fbc6276f32

SHA512
d584d4aa2fcc2d8d07a300cd8286913f017eab5641d01e278b8a0ec0e0dda7446cc6002a5811229717d3399f3cc77b82264b6dcc79efd86793c79c792cc2fa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9456.dll

Filesize
2.6MB

MD5
d4ed47c8ec3fd064e59c4912909108f6

SHA1
de772bcba10ece704bfb235cd87ecce175c2b393

SHA256
88a16185166fb8d2f1cfbe1c24d09b8d3277920118d4e922c660ea1958a02f6c

SHA512
69439a965c206d449000406d60c724db26af098c51536161e983e9bdb63487441307dace8bc967ab3548e993100277bfa5c3e8a733bf49531b77106dfbd2242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9689.exe

Filesize
461KB

MD5
efc42d9a9abb7b241e9d0159202e5648

SHA1
0ca9735c2dcbf3861a1703a82857d9b465c8b172

SHA256
71eb4498d0683b4743919617e1439ab732456f52bfcdab8526b063edb54c4141

SHA512
d70cca636384e12ea70727f3365c675a0521e45d30eacee85186862e5933b4a5fd864a9b781817357e40556b5cf7a4feeb1aedd7b75cb9db0759194d509147bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9689.exe

Filesize
461KB

MD5
efc42d9a9abb7b241e9d0159202e5648

SHA1
0ca9735c2dcbf3861a1703a82857d9b465c8b172

SHA256
71eb4498d0683b4743919617e1439ab732456f52bfcdab8526b063edb54c4141

SHA512
d70cca636384e12ea70727f3365c675a0521e45d30eacee85186862e5933b4a5fd864a9b781817357e40556b5cf7a4feeb1aedd7b75cb9db0759194d509147bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB21.exe

Filesize
13.3MB

MD5
2eadf9045ac431174e4bd101584983a8

SHA1
3d1b54d531afad80e51ec04dcc80e00f53b6505e

SHA256
c81cee973bcb85d3ab943e32fe4a19cdc3fa195fbce18e6c3ea8ed16bd1678fc

SHA512
d5056860dbfa0f5e9f49a31d73f1af62f0c92db6c80bd1819791098d58375cbf7733599e49b3513c5bfbf54ab216e8de4f1bb6d91fb1aaf9c84f0f0298f48599

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB21.exe

Filesize
13.3MB

MD5
2eadf9045ac431174e4bd101584983a8

SHA1
3d1b54d531afad80e51ec04dcc80e00f53b6505e

SHA256
c81cee973bcb85d3ab943e32fe4a19cdc3fa195fbce18e6c3ea8ed16bd1678fc

SHA512
d5056860dbfa0f5e9f49a31d73f1af62f0c92db6c80bd1819791098d58375cbf7733599e49b3513c5bfbf54ab216e8de4f1bb6d91fb1aaf9c84f0f0298f48599

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE4D3.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.9MB

MD5
4c7efd165af03d720ce4a9d381bfb29a

SHA1
92b14564856155487a57db57b8a222b7f57a81e9

SHA256
f5bbe3fdc27074249c6860b8959a155e6c79571daa86e7a574656a3c5c6326b8

SHA512
38a26722e2669e7432b5a068b08ff852988a26ed875e8aa23156ea4bd0e852686ccabe6e685d5b0e888cb5755cbe424189fb8033ada37994417d3549b10637dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.9MB

MD5
4c7efd165af03d720ce4a9d381bfb29a

SHA1
92b14564856155487a57db57b8a222b7f57a81e9

SHA256
f5bbe3fdc27074249c6860b8959a155e6c79571daa86e7a574656a3c5c6326b8

SHA512
38a26722e2669e7432b5a068b08ff852988a26ed875e8aa23156ea4bd0e852686ccabe6e685d5b0e888cb5755cbe424189fb8033ada37994417d3549b10637dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2618.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QFOLR.tmp\is-JBQTU.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QFOLR.tmp\is-JBQTU.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
216KB

MD5
fd134e455dc6caf3b95e7f4dfefb1550

SHA1
bc7fef4d1e9bdb19e79b2d4f0b66ef627e977882

SHA256
aadebe52d66f6c135cdccbf672ba6e7797097c830bb6ee11d8523d5de169d82f

SHA512
a38dada18974648f2291bc08d6c32b8670a86b856e15a51d9836e832e7c4074ebc31e0f78778c65da49c4d91ac23a23c6a686179c82b6a76ed0096c5e1eb83c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
216KB

MD5
fd134e455dc6caf3b95e7f4dfefb1550

SHA1
bc7fef4d1e9bdb19e79b2d4f0b66ef627e977882

SHA256
aadebe52d66f6c135cdccbf672ba6e7797097c830bb6ee11d8523d5de169d82f

SHA512
a38dada18974648f2291bc08d6c32b8670a86b856e15a51d9836e832e7c4074ebc31e0f78778c65da49c4d91ac23a23c6a686179c82b6a76ed0096c5e1eb83c4

Download Submit
C:\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NJQ3GMQPR466HBE9VHKR.temp

Filesize
7KB

MD5
87b96545dfe555aa1f8274c94d1046b4

SHA1
28d4d31c7b6e62de882785b902b87f15ef24022e

SHA256
9482c019a84045ca4b7c7536f85b4f93f39ea28ec75fa8ab75c7e9f23cededf9

SHA512
fb358b63a90b52dd7342bd0f7fd3b1a11c49b19c8e72a9fcd2ed04b4f0c4d33903d666bc1cac08a19fa36c2bce7244437a6ec2efeee944ff0f33fa2fee6ba1d1

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
9066252ec48e20ddd82d2ec928cb7867

SHA1
222cbf0415a3166b1f55ff1ba293c4f8b5b840c8

SHA256
97501b83431f3b3f369d96c268ef1de99d588e74f0b28d7b853ff3ebf259f96c

SHA512
4be0962e8cfdb2e723b87a76c9b43c5d3bb5e432e7ef3f28146056ec0cb854256a0a67c44fd9fabfbb66e5f150047890b76bab3d5bf86175a94e33d9d6f4e7f2

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
9066252ec48e20ddd82d2ec928cb7867

SHA1
222cbf0415a3166b1f55ff1ba293c4f8b5b840c8

SHA256
97501b83431f3b3f369d96c268ef1de99d588e74f0b28d7b853ff3ebf259f96c

SHA512
4be0962e8cfdb2e723b87a76c9b43c5d3bb5e432e7ef3f28146056ec0cb854256a0a67c44fd9fabfbb66e5f150047890b76bab3d5bf86175a94e33d9d6f4e7f2

Download Submit
\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
\Users\Admin\AppData\Local\Temp\898C.exe

Filesize
786KB

MD5
69f5dff8be8969d736ee39dddd89bfdb

SHA1
497642e33fb248275700cc1f2c81f4f6790703a8

SHA256
061faf306ca4b633821f8d64e760f763f89c4afed8f053667f7f3d8ce6a0a805

SHA512
220d1d583078ead93f7617524875b496d3889256ee042d34e6b8f79819d10e283d8f845288b95ee97145fe2207cb58dfa65e0a5aea8135b1dad8e2f41586a22f

Download Submit
\Users\Admin\AppData\Local\Temp\9456.dll

Filesize
2.6MB

MD5
d4ed47c8ec3fd064e59c4912909108f6

SHA1
de772bcba10ece704bfb235cd87ecce175c2b393

SHA256
88a16185166fb8d2f1cfbe1c24d09b8d3277920118d4e922c660ea1958a02f6c

SHA512
69439a965c206d449000406d60c724db26af098c51536161e983e9bdb63487441307dace8bc967ab3548e993100277bfa5c3e8a733bf49531b77106dfbd2242f

Download Submit
\Users\Admin\AppData\Local\Temp\9689.exe

Filesize
461KB

MD5
efc42d9a9abb7b241e9d0159202e5648

SHA1
0ca9735c2dcbf3861a1703a82857d9b465c8b172

SHA256
71eb4498d0683b4743919617e1439ab732456f52bfcdab8526b063edb54c4141

SHA512
d70cca636384e12ea70727f3365c675a0521e45d30eacee85186862e5933b4a5fd864a9b781817357e40556b5cf7a4feeb1aedd7b75cb9db0759194d509147bd

Download Submit
\Users\Admin\AppData\Local\Temp\9689.exe

Filesize
461KB

MD5
efc42d9a9abb7b241e9d0159202e5648

SHA1
0ca9735c2dcbf3861a1703a82857d9b465c8b172

SHA256
71eb4498d0683b4743919617e1439ab732456f52bfcdab8526b063edb54c4141

SHA512
d70cca636384e12ea70727f3365c675a0521e45d30eacee85186862e5933b4a5fd864a9b781817357e40556b5cf7a4feeb1aedd7b75cb9db0759194d509147bd

Download Submit
\Users\Admin\AppData\Local\Temp\9689.exe

Filesize
461KB

MD5
efc42d9a9abb7b241e9d0159202e5648

SHA1
0ca9735c2dcbf3861a1703a82857d9b465c8b172

SHA256
71eb4498d0683b4743919617e1439ab732456f52bfcdab8526b063edb54c4141

SHA512
d70cca636384e12ea70727f3365c675a0521e45d30eacee85186862e5933b4a5fd864a9b781817357e40556b5cf7a4feeb1aedd7b75cb9db0759194d509147bd

Download Submit
\Users\Admin\AppData\Local\Temp\9689.exe

Filesize
461KB

MD5
efc42d9a9abb7b241e9d0159202e5648

SHA1
0ca9735c2dcbf3861a1703a82857d9b465c8b172

SHA256
71eb4498d0683b4743919617e1439ab732456f52bfcdab8526b063edb54c4141

SHA512
d70cca636384e12ea70727f3365c675a0521e45d30eacee85186862e5933b4a5fd864a9b781817357e40556b5cf7a4feeb1aedd7b75cb9db0759194d509147bd

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.9MB

MD5
4c7efd165af03d720ce4a9d381bfb29a

SHA1
92b14564856155487a57db57b8a222b7f57a81e9

SHA256
f5bbe3fdc27074249c6860b8959a155e6c79571daa86e7a574656a3c5c6326b8

SHA512
38a26722e2669e7432b5a068b08ff852988a26ed875e8aa23156ea4bd0e852686ccabe6e685d5b0e888cb5755cbe424189fb8033ada37994417d3549b10637dd

Download Submit
\Users\Admin\AppData\Local\Temp\is-4QB8O.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-4QB8O.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-4QB8O.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4QB8O.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QFOLR.tmp\is-JBQTU.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
216KB

MD5
fd134e455dc6caf3b95e7f4dfefb1550

SHA1
bc7fef4d1e9bdb19e79b2d4f0b66ef627e977882

SHA256
aadebe52d66f6c135cdccbf672ba6e7797097c830bb6ee11d8523d5de169d82f

SHA512
a38dada18974648f2291bc08d6c32b8670a86b856e15a51d9836e832e7c4074ebc31e0f78778c65da49c4d91ac23a23c6a686179c82b6a76ed0096c5e1eb83c4

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
216KB

MD5
fd134e455dc6caf3b95e7f4dfefb1550

SHA1
bc7fef4d1e9bdb19e79b2d4f0b66ef627e977882

SHA256
aadebe52d66f6c135cdccbf672ba6e7797097c830bb6ee11d8523d5de169d82f

SHA512
a38dada18974648f2291bc08d6c32b8670a86b856e15a51d9836e832e7c4074ebc31e0f78778c65da49c4d91ac23a23c6a686179c82b6a76ed0096c5e1eb83c4

Download Submit
\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\b7617e3d-a6dc-48dd-917e-7f9565e5c126\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/268-271-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-233-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-278-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-170-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-277-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-292-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-299-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-236-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/268-286-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/808-290-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/808-267-0x00000000013E0000-0x00000000013E8000-memory.dmp

Filesize
32KB

Download
memory/808-345-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/812-375-0x000007FEEE6D0000-0x000007FEEF06D000-memory.dmp

Filesize
9.6MB

Download
memory/812-374-0x000000000244B000-0x00000000024B2000-memory.dmp

Filesize
412KB

Download
memory/812-366-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/812-363-0x000000001AFA0000-0x000000001B282000-memory.dmp

Filesize
2.9MB

Download
memory/812-376-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/1100-164-0x0000000000110000-0x000000000017B000-memory.dmp

Filesize
428KB

Download
memory/1100-135-0x0000000000110000-0x000000000017B000-memory.dmp

Filesize
428KB

Download
memory/1100-134-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1100-124-0x0000000000110000-0x000000000017B000-memory.dmp

Filesize
428KB

Download
memory/1200-4-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1300-1-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/1300-5-0x0000000000400000-0x0000000002282000-memory.dmp

Filesize
30.5MB

Download
memory/1300-2-0x0000000000400000-0x0000000002282000-memory.dmp

Filesize
30.5MB

Download
memory/1300-3-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1320-295-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1320-221-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1428-118-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1428-208-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1428-110-0x00000000000A0000-0x0000000000DF0000-memory.dmp

Filesize
13.3MB

Download
memory/1500-294-0x000000013F740000-0x000000013FCE1000-memory.dmp

Filesize
5.6MB

Download
memory/1668-351-0x0000000004D10000-0x00000000055FB000-memory.dmp

Filesize
8.9MB

Download
memory/1668-364-0x0000000000400000-0x0000000002FB3000-memory.dmp

Filesize
43.7MB

Download
memory/1668-161-0x0000000004910000-0x0000000004D08000-memory.dmp

Filesize
4.0MB

Download
memory/1668-349-0x0000000004910000-0x0000000004D08000-memory.dmp

Filesize
4.0MB

Download
memory/1668-293-0x0000000000400000-0x0000000002FB3000-memory.dmp

Filesize
43.7MB

Download
memory/1752-314-0x0000000000332000-0x0000000000343000-memory.dmp

Filesize
68KB

Download
memory/1752-318-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/1820-367-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1892-193-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1892-191-0x0000000000AC0000-0x0000000000CB8000-memory.dmp

Filesize
2.0MB

Download
memory/1892-372-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1892-373-0x0000000005195000-0x00000000051CD000-memory.dmp

Filesize
224KB

Download
memory/1892-300-0x0000000000760000-0x0000000000775000-memory.dmp

Filesize
84KB

Download
memory/1892-298-0x0000000000760000-0x000000000077C000-memory.dmp

Filesize
112KB

Download
memory/1928-346-0x0000000000DC0000-0x0000000000FB1000-memory.dmp

Filesize
1.9MB

Download
memory/1928-344-0x0000000000DC0000-0x0000000000FB1000-memory.dmp

Filesize
1.9MB

Download
memory/1928-342-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1928-381-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2076-123-0x0000000003BB0000-0x0000000003C42000-memory.dmp

Filesize
584KB

Download
memory/2076-137-0x0000000003BB0000-0x0000000003C42000-memory.dmp

Filesize
584KB

Download
memory/2572-275-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2572-289-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2580-100-0x0000000002510000-0x0000000002609000-memory.dmp

Filesize
996KB

Download
memory/2580-53-0x0000000010000000-0x00000000102A0000-memory.dmp

Filesize
2.6MB

Download
memory/2580-58-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/2580-103-0x0000000002510000-0x0000000002609000-memory.dmp

Filesize
996KB

Download
memory/2580-98-0x00000000023F0000-0x0000000002504000-memory.dmp

Filesize
1.1MB

Download
memory/2580-99-0x0000000002510000-0x0000000002609000-memory.dmp

Filesize
996KB

Download
memory/2580-102-0x0000000002510000-0x0000000002609000-memory.dmp

Filesize
996KB

Download
memory/2592-228-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-392-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-199-0x0000000000D60000-0x0000000000ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2592-389-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2592-390-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-391-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2592-388-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2592-201-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-61-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/2652-20-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/2652-62-0x0000000004670000-0x000000000478B000-memory.dmp

Filesize
1.1MB

Download
memory/2676-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2696-324-0x00000000037B0000-0x00000000039A1000-memory.dmp

Filesize
1.9MB

Download
memory/2696-296-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2736-30-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/2736-29-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2736-36-0x0000000000400000-0x0000000002284000-memory.dmp

Filesize
30.5MB

Download
memory/2736-96-0x0000000000400000-0x0000000002284000-memory.dmp

Filesize
30.5MB

Download
memory/2736-83-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2736-95-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2748-38-0x0000000002310000-0x00000000023A2000-memory.dmp

Filesize
584KB

Download
memory/2748-37-0x0000000002310000-0x00000000023A2000-memory.dmp

Filesize
584KB

Download
memory/2748-39-0x0000000003B40000-0x0000000003C5B000-memory.dmp

Filesize
1.1MB

Download
memory/2844-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-215-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-125-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2844-111-0x0000000073380000-0x0000000073A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-225-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2844-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-165-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/3000-171-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/3000-387-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/3000-169-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/3028-347-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/3028-348-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download