glupteba | beb55c57f2e4a2e6c97841db46cf87f37fe6991db0b3da7c1411eeda52fa0379

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.48cc00ee684092529fa1e8ed0f231a40.exe
Size

570KB
MD5

48cc00ee684092529fa1e8ed0f231a40
SHA1

9f12cca725352220c3f568a73e9c93add8aa4b2e
SHA256

beb55c57f2e4a2e6c97841db46cf87f37fe6991db0b3da7c1411eeda52fa0379
SHA512

ce6a5826070d6041ba5054ef8d84ded7e4f0e26e68a78b6ad626cc4f24927590945671803cea55e9728441f47a0b0ce1502aadba1f241ae7c8aa1aba019852bb
SSDEEP

12288:sMrAy90K25QPcLgW6gKY8TUs2Hu1kyIg0pXxM3CTOlVjkOzslVIRh:My3wqcLqgKYSz2Hu6TX6CT0VjksslVIz

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

raccoon

Botnet

c78f27a0d43f29dbd112dbd9e387406b

http://31.192.237.23:80/

http://193.233.132.12:80/

Attributes

user_agent
SunShineMoonLight

xor.plain

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

smokeloader

Botnet

Syst

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3684-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3684-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3684-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3684-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral1/memory/3584-141-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral1/memory/3584-284-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3584-330-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3584-400-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1528-459-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1528-510-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/208-595-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/208-617-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/208-662-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/208-682-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/4372-335-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/4372-339-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral1/memory/4400-30-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x0009000000022e29-47.dat	family_redline
behavioral1/files/0x0009000000022e29-50.dat	family_redline
behavioral1/memory/2172-52-0x0000000000490000-0x00000000004AE000-memory.dmp	family_redline
behavioral1/memory/1108-73-0x00000000001C0000-0x00000000001FE000-memory.dmp	family_redline
behavioral1/memory/1108-74-0x0000000000400000-0x0000000000449000-memory.dmp	family_redline
behavioral1/memory/1912-112-0x00000000004C0000-0x000000000051A000-memory.dmp	family_redline
behavioral1/memory/1912-111-0x0000000000400000-0x0000000000467000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000022e29-47.dat	family_sectoprat
behavioral1/files/0x0009000000022e29-50.dat	family_sectoprat
behavioral1/memory/2172-52-0x0000000000490000-0x00000000004AE000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 4 IoCs

flow	pid	Process
58	1956	powershell.exe
61	1956	powershell.exe
65	1956	powershell.exe
68	1956	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1280	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	DCB4.exe

Executes dropped EXE 22 IoCs

pid	Process
4836	kg2zu24.exe
1076	1DS94xx2.exe
1168	2ZM3641.exe
3468	6Jc5Bl1.exe
4356	DCB4.exe
2172	E446.exe
1108	EB7B.exe
1936	InstallSetup5.exe
1712	toolspub2.exe
3520	F446.exe
3584	31839b57a4f11171d6abc8bbc4451ee4.exe
1744	Broom.exe
1912	F6F7.exe
3952	toolspub2.exe
1528	31839b57a4f11171d6abc8bbc4451ee4.exe
2320	51F8.exe
208	csrss.exe
2584	injector.exe
2188	windefender.exe
880	tor.exe
2984	windefender.exe
4412	f801950a962ddba14caaa44bf084b55c.exe

Loads dropped DLL 14 IoCs

pid	Process
1108	EB7B.exe
1108	EB7B.exe
1912	F6F7.exe
1912	F6F7.exe
3520	F446.exe
880	tor.exe
880	tor.exe
880	tor.exe
880	tor.exe
880	tor.exe
880	tor.exe
880	tor.exe
880	tor.exe
880	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000022d53-636.dat	upx
behavioral1/files/0x0008000000022d53-639.dat	upx
behavioral1/files/0x0008000000022d53-643.dat	upx
behavioral1/memory/2188-645-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kg2zu24.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.48cc00ee684092529fa1e8ed0f231a40.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 3684	1076	1DS94xx2.exe	92
PID 3468 set thread context of 4400	3468	6Jc5Bl1.exe	105
PID 1712 set thread context of 3952	1712	toolspub2.exe	127
PID 3520 set thread context of 4372	3520	F446.exe	128
PID 2320 set thread context of 3252	2320	51F8.exe	147

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1824	sc.exe
2216	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2660	3684	WerFault.exe	92
364	1108	WerFault.exe	114
4588	1912	WerFault.exe	122

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ZM3641.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ZM3641.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ZM3641.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2976	schtasks.exe
4924	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	2ZM3641.exe
1168	2ZM3641.exe
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1168	2ZM3641.exe
3952	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeDebugPrivilege	2172	E446.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeDebugPrivilege	3584	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	3584	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1744	Broom.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3092	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4836	4848	NEAS.48cc00ee684092529fa1e8ed0f231a40.exe	88
PID 4848 wrote to memory of 4836	4848	NEAS.48cc00ee684092529fa1e8ed0f231a40.exe	88
PID 4848 wrote to memory of 4836	4848	NEAS.48cc00ee684092529fa1e8ed0f231a40.exe	88
PID 4836 wrote to memory of 1076	4836	kg2zu24.exe	89
PID 4836 wrote to memory of 1076	4836	kg2zu24.exe	89
PID 4836 wrote to memory of 1076	4836	kg2zu24.exe	89
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 1076 wrote to memory of 3684	1076	1DS94xx2.exe	92
PID 4836 wrote to memory of 1168	4836	kg2zu24.exe	93
PID 4836 wrote to memory of 1168	4836	kg2zu24.exe	93
PID 4836 wrote to memory of 1168	4836	kg2zu24.exe	93
PID 4848 wrote to memory of 3468	4848	NEAS.48cc00ee684092529fa1e8ed0f231a40.exe	102
PID 4848 wrote to memory of 3468	4848	NEAS.48cc00ee684092529fa1e8ed0f231a40.exe	102
PID 4848 wrote to memory of 3468	4848	NEAS.48cc00ee684092529fa1e8ed0f231a40.exe	102
PID 3468 wrote to memory of 3888	3468	6Jc5Bl1.exe	104
PID 3468 wrote to memory of 3888	3468	6Jc5Bl1.exe	104
PID 3468 wrote to memory of 3888	3468	6Jc5Bl1.exe	104
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3468 wrote to memory of 4400	3468	6Jc5Bl1.exe	105
PID 3092 wrote to memory of 4356	3092	Process not Found	109
PID 3092 wrote to memory of 4356	3092	Process not Found	109
PID 3092 wrote to memory of 4356	3092	Process not Found	109
PID 3092 wrote to memory of 2172	3092	Process not Found	110
PID 3092 wrote to memory of 2172	3092	Process not Found	110
PID 3092 wrote to memory of 2172	3092	Process not Found	110
PID 3092 wrote to memory of 1108	3092	Process not Found	114
PID 3092 wrote to memory of 1108	3092	Process not Found	114
PID 3092 wrote to memory of 1108	3092	Process not Found	114
PID 4356 wrote to memory of 1936	4356	DCB4.exe	115
PID 4356 wrote to memory of 1936	4356	DCB4.exe	115
PID 4356 wrote to memory of 1936	4356	DCB4.exe	115
PID 4356 wrote to memory of 1712	4356	DCB4.exe	116
PID 4356 wrote to memory of 1712	4356	DCB4.exe	116
PID 4356 wrote to memory of 1712	4356	DCB4.exe	116
PID 3092 wrote to memory of 3520	3092	Process not Found	117
PID 3092 wrote to memory of 3520	3092	Process not Found	117
PID 3092 wrote to memory of 3520	3092	Process not Found	117
PID 4356 wrote to memory of 3584	4356	DCB4.exe	123
PID 4356 wrote to memory of 3584	4356	DCB4.exe	123
PID 4356 wrote to memory of 3584	4356	DCB4.exe	123
PID 1936 wrote to memory of 1744	1936	InstallSetup5.exe	118
PID 1936 wrote to memory of 1744	1936	InstallSetup5.exe	118
PID 1936 wrote to memory of 1744	1936	InstallSetup5.exe	118
PID 3092 wrote to memory of 1912	3092	Process not Found	122
PID 3092 wrote to memory of 1912	3092	Process not Found	122
PID 3092 wrote to memory of 1912	3092	Process not Found	122
PID 1712 wrote to memory of 3952	1712	toolspub2.exe	127
PID 1712 wrote to memory of 3952	1712	toolspub2.exe	127
PID 1712 wrote to memory of 3952	1712	toolspub2.exe	127
PID 1712 wrote to memory of 3952	1712	toolspub2.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.48cc00ee684092529fa1e8ed0f231a40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.48cc00ee684092529fa1e8ed0f231a40.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kg2zu24.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kg2zu24.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DS94xx2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DS94xx2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 540
        5⤵
        Program crash
        
        PID:2660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ZM3641.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ZM3641.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Jc5Bl1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Jc5Bl1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3684 -ip 3684
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\DCB4.exe
C:\Users\Admin\AppData\Local\Temp\DCB4.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:3952
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:2008
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2208
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      PID:208
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2788
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2976
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:2584
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4924
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:3488
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:1824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        5⤵
        Executes dropped EXE
        
        PID:4412
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        6⤵
        
        PID:4588
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        6⤵
        
        PID:856

C:\Users\Admin\AppData\Local\Temp\E446.exe
C:\Users\Admin\AppData\Local\Temp\E446.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Users\Admin\AppData\Local\Temp\EB7B.exe
C:\Users\Admin\AppData\Local\Temp\EB7B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 784
  2⤵
  - Program crash
  PID:364

C:\Users\Admin\AppData\Local\Temp\F446.exe
C:\Users\Admin\AppData\Local\Temp\F446.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1108 -ip 1108
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\F6F7.exe
C:\Users\Admin\AppData\Local\Temp\F6F7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 788
  2⤵
  - Program crash
  PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1912 -ip 1912
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\51F8.exe
C:\Users\Admin\AppData\Local\Temp\51F8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2320
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  PID:3252

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\51F8.exe

Filesize
17.5MB

MD5
d6a28fab04acec60305a5c6be5b105d2

SHA1
8def206af9e2e8f463f15a2874b53c295fd28710

SHA256
ff8973e265cde0ecfc91cb81ae4af75946b2cfcaa772b5cd1390c176e788175f

SHA512
3406ec32344b3ffedc6295d10256920cb43dd511500473974400a3602b1b9d734b9a2439cc65dde64c7fae00cbe084812b3188cde78a7c8d75650ef8690a0212

Download Submit
C:\Users\Admin\AppData\Local\Temp\51F8.exe

Filesize
17.5MB

MD5
d6a28fab04acec60305a5c6be5b105d2

SHA1
8def206af9e2e8f463f15a2874b53c295fd28710

SHA256
ff8973e265cde0ecfc91cb81ae4af75946b2cfcaa772b5cd1390c176e788175f

SHA512
3406ec32344b3ffedc6295d10256920cb43dd511500473974400a3602b1b9d734b9a2439cc65dde64c7fae00cbe084812b3188cde78a7c8d75650ef8690a0212

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCB4.exe

Filesize
6.9MB

MD5
d9921e971523d3f4b1debc3e90e62096

SHA1
22edc25bf24193c00d139e2253ec4c6fb04e6c76

SHA256
cf7afbb776ecb9d56aadbe8b35a2491d92c2eb30cf3b4b121fec74d8d285d88d

SHA512
8f3291b7e9944b437390baa272c2c6bca99678e58fd360c83bdbb9240348baf1efbc3dca26da1b9d570d488bbb598058d8ac48a543da5aefc223794f2639033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCB4.exe

Filesize
6.9MB

MD5
d9921e971523d3f4b1debc3e90e62096

SHA1
22edc25bf24193c00d139e2253ec4c6fb04e6c76

SHA256
cf7afbb776ecb9d56aadbe8b35a2491d92c2eb30cf3b4b121fec74d8d285d88d

SHA512
8f3291b7e9944b437390baa272c2c6bca99678e58fd360c83bdbb9240348baf1efbc3dca26da1b9d570d488bbb598058d8ac48a543da5aefc223794f2639033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E446.exe

Filesize
95KB

MD5
a2687e610dad6bcf4359bf2a5953e10a

SHA1
8320fd92e757ab42f8429a9e3b43dec909add268

SHA256
439cc980ba48e5f62a043f0e923221e90a58bb20812b48569a223a562ade571a

SHA512
b16e6a6453ae5d18461aba546436f038070a4708116c0079cae27c9a9113efe61a750b8547f2911615cd07b350b9d857c474c4b3407093aec40ada71b2e76adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E446.exe

Filesize
95KB

MD5
a2687e610dad6bcf4359bf2a5953e10a

SHA1
8320fd92e757ab42f8429a9e3b43dec909add268

SHA256
439cc980ba48e5f62a043f0e923221e90a58bb20812b48569a223a562ade571a

SHA512
b16e6a6453ae5d18461aba546436f038070a4708116c0079cae27c9a9113efe61a750b8547f2911615cd07b350b9d857c474c4b3407093aec40ada71b2e76adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB7B.exe

Filesize
277KB

MD5
1c3eced439962f3570f523d9af5fb908

SHA1
4bf23ad43ee572abd2c85418939793ffbcd444d3

SHA256
7acf0eba2165fcdfc72338959e9add02c362918c8451a0313c4ef797ae337abd

SHA512
bc4d4fc365609bcc1b112e9c09bc9c7c7b9ac523120cc4f997e98639a22ff0ac3860ccae067e558e067c36da18e445fc3c724622e1891dd2f5a61a05ac96ac37

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB7B.exe

Filesize
277KB

MD5
1c3eced439962f3570f523d9af5fb908

SHA1
4bf23ad43ee572abd2c85418939793ffbcd444d3

SHA256
7acf0eba2165fcdfc72338959e9add02c362918c8451a0313c4ef797ae337abd

SHA512
bc4d4fc365609bcc1b112e9c09bc9c7c7b9ac523120cc4f997e98639a22ff0ac3860ccae067e558e067c36da18e445fc3c724622e1891dd2f5a61a05ac96ac37

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB7B.exe

Filesize
277KB

MD5
1c3eced439962f3570f523d9af5fb908

SHA1
4bf23ad43ee572abd2c85418939793ffbcd444d3

SHA256
7acf0eba2165fcdfc72338959e9add02c362918c8451a0313c4ef797ae337abd

SHA512
bc4d4fc365609bcc1b112e9c09bc9c7c7b9ac523120cc4f997e98639a22ff0ac3860ccae067e558e067c36da18e445fc3c724622e1891dd2f5a61a05ac96ac37

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB7B.exe

Filesize
277KB

MD5
1c3eced439962f3570f523d9af5fb908

SHA1
4bf23ad43ee572abd2c85418939793ffbcd444d3

SHA256
7acf0eba2165fcdfc72338959e9add02c362918c8451a0313c4ef797ae337abd

SHA512
bc4d4fc365609bcc1b112e9c09bc9c7c7b9ac523120cc4f997e98639a22ff0ac3860ccae067e558e067c36da18e445fc3c724622e1891dd2f5a61a05ac96ac37

Download Submit
C:\Users\Admin\AppData\Local\Temp\F446.exe

Filesize
4.0MB

MD5
547267d1f4af300668737da9e4979413

SHA1
801ddcf4bf33609da1b2b0f88ebbd5f1107600b4

SHA256
4ecddc16e5b3e808518b5ba17950c04427f9de389259b4027ad76ac5289e0d8a

SHA512
118ddcdce722238ac207cde3053389699b396ba3af796f86140ad6a0072ffe7162ab150d82f8c3d6ca28f49f726c16551bfa5d56a8bec0bbc143092024f24b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F446.exe

Filesize
4.0MB

MD5
547267d1f4af300668737da9e4979413

SHA1
801ddcf4bf33609da1b2b0f88ebbd5f1107600b4

SHA256
4ecddc16e5b3e808518b5ba17950c04427f9de389259b4027ad76ac5289e0d8a

SHA512
118ddcdce722238ac207cde3053389699b396ba3af796f86140ad6a0072ffe7162ab150d82f8c3d6ca28f49f726c16551bfa5d56a8bec0bbc143092024f24b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6F7.exe

Filesize
398KB

MD5
461b8083838b2d837b19466b5acce0e4

SHA1
a88e1d0174d481c858bf2426d5dbaa7eeca7981c

SHA256
34c1b8d7e8431854989230c9a65c6b2fd80e74958e893c7eeafd41dcd7796cfd

SHA512
5fb86c07fd8bb855327ba40201eb49a6e1aed4e2f164dae1ac0bff0d370f53702a41b47b4f6a9a6198a65ad12960cc9b9b67fafb3ef742c8a438f0568c9712e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6F7.exe

Filesize
398KB

MD5
461b8083838b2d837b19466b5acce0e4

SHA1
a88e1d0174d481c858bf2426d5dbaa7eeca7981c

SHA256
34c1b8d7e8431854989230c9a65c6b2fd80e74958e893c7eeafd41dcd7796cfd

SHA512
5fb86c07fd8bb855327ba40201eb49a6e1aed4e2f164dae1ac0bff0d370f53702a41b47b4f6a9a6198a65ad12960cc9b9b67fafb3ef742c8a438f0568c9712e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6F7.exe

Filesize
398KB

MD5
461b8083838b2d837b19466b5acce0e4

SHA1
a88e1d0174d481c858bf2426d5dbaa7eeca7981c

SHA256
34c1b8d7e8431854989230c9a65c6b2fd80e74958e893c7eeafd41dcd7796cfd

SHA512
5fb86c07fd8bb855327ba40201eb49a6e1aed4e2f164dae1ac0bff0d370f53702a41b47b4f6a9a6198a65ad12960cc9b9b67fafb3ef742c8a438f0568c9712e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6F7.exe

Filesize
398KB

MD5
461b8083838b2d837b19466b5acce0e4

SHA1
a88e1d0174d481c858bf2426d5dbaa7eeca7981c

SHA256
34c1b8d7e8431854989230c9a65c6b2fd80e74958e893c7eeafd41dcd7796cfd

SHA512
5fb86c07fd8bb855327ba40201eb49a6e1aed4e2f164dae1ac0bff0d370f53702a41b47b4f6a9a6198a65ad12960cc9b9b67fafb3ef742c8a438f0568c9712e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Jc5Bl1.exe

Filesize
339KB

MD5
14d9834611ad581afcfea061652ff6cb

SHA1
802f964d0be7858eb2f1e7c6fcda03501fd1b71c

SHA256
e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

SHA512
cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Jc5Bl1.exe

Filesize
339KB

MD5
14d9834611ad581afcfea061652ff6cb

SHA1
802f964d0be7858eb2f1e7c6fcda03501fd1b71c

SHA256
e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

SHA512
cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kg2zu24.exe

Filesize
334KB

MD5
2824c90df10ab0e350544a9ce27ac4ed

SHA1
4a6b874a5dde16680f726a93d033323231c20691

SHA256
6a75e7b6d48a1a6d7206ac2147653eec1f146999b079165876930a24c4675245

SHA512
f277a85ff8a510399cdafa74c3c64ede590d795f24666fb5fa7e63e80decc4a1efffed5ae179a0417970717e127b2dc35a7a5be278703053bda9dc841bc7a2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kg2zu24.exe

Filesize
334KB

MD5
2824c90df10ab0e350544a9ce27ac4ed

SHA1
4a6b874a5dde16680f726a93d033323231c20691

SHA256
6a75e7b6d48a1a6d7206ac2147653eec1f146999b079165876930a24c4675245

SHA512
f277a85ff8a510399cdafa74c3c64ede590d795f24666fb5fa7e63e80decc4a1efffed5ae179a0417970717e127b2dc35a7a5be278703053bda9dc841bc7a2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DS94xx2.exe

Filesize
300KB

MD5
784667bb96ccb30c4cf44f2c5f493769

SHA1
28185165ab4dbbb4a139ae1af0bb6934ebe05c04

SHA256
1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

SHA512
62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DS94xx2.exe

Filesize
300KB

MD5
784667bb96ccb30c4cf44f2c5f493769

SHA1
28185165ab4dbbb4a139ae1af0bb6934ebe05c04

SHA256
1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

SHA512
62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ZM3641.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ZM3641.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zklnxlwh.40y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp

Filesize
2.5MB

MD5
253ed91d1cd428d0bf880eac27234691

SHA1
8480e252ef13143557974b24b59c2ec84a293281

SHA256
e3c69b7b1d63c79adaebe17d78b8079fc6192e8bee8bab8cdd7520280ad27379

SHA512
0c8c3a145342bb654613e9838768e292f9c2c63f8e06f674391d26f3594480a46f6256e6708021c19326f0f8ac0946a5492a1e30d943a281a71db8baee3274ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new

Filesize
8.7MB

MD5
81c56f66dcae5fe34fe479f6f0d1e9e9

SHA1
faad891f7c845f71fea4ce565dfe055a70270da1

SHA256
89e4f0f9704349709340f413fa6b9efcde2927185d8ec7d517066f31900095de

SHA512
3fb3cf0dafbd201364f7c0ce98b217031c5a732775a8d24f2656b725ed26a5b221f57716fab4391049f2590ce9f3ff15371d94f710f4354f01c2b7c356243c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1856.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18AB.tmp

Filesize
92KB

MD5
4bd8313fab1caf1004295d44aab77860

SHA1
0b84978fd191001c7cf461063ac63b243ffb7283

SHA256
604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9

SHA512
ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1914.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp192A.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1930.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19E8.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1661eeedae56b688687176528426f522

SHA1
f69a8ac45ca27255aa77da69ec82f166ac4cb8a9

SHA256
e702bebe66f0f6f3c5feb6bf6971a19c00eba148ce15ba756bd48f0da86f30bf

SHA512
454ab51ef4dd5224bc1f22ad965413727c9a467251a20e8ce6d219fe4419964597c7cc72173a5ab3d8b9af015d332d2038f4053ceaff8ad545844be02408fc04

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2b3ad20ef4ad855c415dd36575450795

SHA1
434a79665cfb41558c1a76862afa6ce670f21ec7

SHA256
fb4a2ec42c18822a0a4dd8291c81ec5629acdb9b78b4f946536aed9bbef13082

SHA512
326aad79ff34e0c64f67e7d5a8d330acd1fd692fe91950d9df37e434015121b6413502f0c795961a4292412f8a662c81873eb11f256ee4bda540f4cf05a248bd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
01b5af566e4756ef9c73e34521504931

SHA1
bb79b71aa27694217dfc0c5d302eab07e92806a1

SHA256
e9097496ae691d1de50df3e6053d69a31cee57c5c9269aa86d882b799b51a030

SHA512
a52726b526928c66fd3510fbb04ba645a139e80f087616fdff13d3b893c9a5d044271cae6b7213eaa13ec04f2c5fc08b8f67a2a298ce65c78397cd596ad7c85b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cf28d31a9e0541f3553f283308f75d84

SHA1
d50ce53278b7f0999088cd5e05d5645f0373918b

SHA256
ea084add34730bf20c3498036fa49763f5f6fe27179dff98a39e5d0f4c17fc1e

SHA512
5a831bdcdc564def74f25901eb132952166d0fe8494c384bbb67f779245870cd60b5eac18d74d9bf495a5477010c300602c1597f3a4a959dad14ad1ed83e828c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b44f00c6b03e611666f6fde29b2a7f0a

SHA1
0dca5d0c785da8a8441106d015f0b7cfc0ca5e39

SHA256
4470384cfb545540b8a0cde444d9faf29b2db509f3c9c2f35f46673773e12188

SHA512
322a509e08ab95e7dd069eca91802c87fecffce6914aaf95ee0e7aadb99de8620e7e799d8da4b0c36c784368a7b2f96ef6c947ace15e1e88d5865e89ec44aea3

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/208-595-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/208-662-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/208-682-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/208-617-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/880-684-0x0000000000F80000-0x00000000013CE000-memory.dmp

Filesize
4.3MB

Download
memory/880-686-0x000000006D780000-0x000000006D79E000-memory.dmp

Filesize
120KB

Download
memory/880-685-0x000000006D450000-0x000000006D511000-memory.dmp

Filesize
772KB

Download
memory/880-688-0x000000006D3B0000-0x000000006D450000-memory.dmp

Filesize
640KB

Download
memory/880-661-0x000000006D450000-0x000000006D511000-memory.dmp

Filesize
772KB

Download
memory/880-664-0x0000000000F80000-0x00000000013CE000-memory.dmp

Filesize
4.3MB

Download
memory/880-663-0x000000006D730000-0x000000006D75A000-memory.dmp

Filesize
168KB

Download
memory/1108-95-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-122-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-74-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1108-73-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/1108-120-0x00000000049A0000-0x00000000049E9000-memory.dmp

Filesize
292KB

Download
memory/1168-24-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1168-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1528-459-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1528-510-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1712-133-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/1712-134-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download
memory/1744-109-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1744-352-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1744-401-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1744-332-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1744-564-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1912-112-0x00000000004C0000-0x000000000051A000-memory.dmp

Filesize
360KB

Download
memory/1912-130-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-116-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-111-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2172-52-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/2172-129-0x0000000006A10000-0x0000000006F3C000-memory.dmp

Filesize
5.2MB

Download
memory/2172-298-0x0000000006FB0000-0x0000000007016000-memory.dmp

Filesize
408KB

Download
memory/2172-59-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2172-131-0x00000000064E0000-0x0000000006556000-memory.dmp

Filesize
472KB

Download
memory/2172-126-0x0000000006310000-0x00000000064D2000-memory.dmp

Filesize
1.8MB

Download
memory/2172-132-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-57-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-138-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/2172-139-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2188-645-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2320-514-0x00007FF787180000-0x00007FF78837A000-memory.dmp

Filesize
18.0MB

Download
memory/3092-344-0x0000000007400000-0x0000000007416000-memory.dmp

Filesize
88KB

Download
memory/3092-23-0x0000000002AE0000-0x0000000002AF6000-memory.dmp

Filesize
88KB

Download
memory/3252-517-0x0000000000D00000-0x0000000000D8A000-memory.dmp

Filesize
552KB

Download
memory/3252-515-0x0000000000D00000-0x0000000000D8A000-memory.dmp

Filesize
552KB

Download
memory/3252-513-0x0000000000D00000-0x0000000000D8A000-memory.dmp

Filesize
552KB

Download
memory/3252-512-0x0000000000D00000-0x0000000000D8A000-memory.dmp

Filesize
552KB

Download
memory/3520-323-0x0000000005920000-0x0000000005ACA000-memory.dmp

Filesize
1.7MB

Download
memory/3520-343-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/3520-105-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/3520-177-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/3520-107-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3520-92-0x0000000000080000-0x0000000000478000-memory.dmp

Filesize
4.0MB

Download
memory/3520-324-0x0000000005AD0000-0x0000000005C62000-memory.dmp

Filesize
1.6MB

Download
memory/3520-331-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3520-333-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3520-334-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3520-91-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/3520-336-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3520-338-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3520-341-0x0000000006180000-0x0000000006280000-memory.dmp

Filesize
1024KB

Download
memory/3520-342-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3584-284-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3584-330-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3584-400-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3584-141-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/3584-140-0x0000000002A90000-0x0000000002E95000-memory.dmp

Filesize
4.0MB

Download
memory/3684-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3952-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3952-345-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4320-353-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/4320-351-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/4320-366-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/4320-355-0x0000000005E50000-0x0000000005E72000-memory.dmp

Filesize
136KB

Download
memory/4320-350-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4320-349-0x0000000005180000-0x00000000051B6000-memory.dmp

Filesize
216KB

Download
memory/4320-354-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/4320-356-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/4356-48-0x0000000000470000-0x0000000000B56000-memory.dmp

Filesize
6.9MB

Download
memory/4356-108-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4356-54-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4372-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4372-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4400-58-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4400-61-0x0000000007DF0000-0x0000000007E00000-memory.dmp

Filesize
64KB

Download
memory/4400-31-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-32-0x0000000008180000-0x0000000008724000-memory.dmp

Filesize
5.6MB

Download
memory/4400-33-0x0000000007CB0000-0x0000000007D42000-memory.dmp

Filesize
584KB

Download
memory/4400-34-0x0000000007DF0000-0x0000000007E00000-memory.dmp

Filesize
64KB

Download
memory/4400-35-0x0000000007D50000-0x0000000007D5A000-memory.dmp

Filesize
40KB

Download
memory/4400-36-0x0000000008D50000-0x0000000009368000-memory.dmp

Filesize
6.1MB

Download
memory/4400-37-0x0000000008840000-0x000000000894A000-memory.dmp

Filesize
1.0MB

Download
memory/4400-38-0x0000000007F60000-0x0000000007F72000-memory.dmp

Filesize
72KB

Download
memory/4400-39-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4400-40-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download