glupteba | 07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166

Analysis

max time kernel
146s
max time network
126s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe
Size

285KB
MD5

a4f7114c669e292f7d68f91b4d2e679e
SHA1

62f04b2e1b551c689d9178cf001247bc7a4feb56
SHA256

07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166
SHA512

d44f6b61b19a1c53aad6f1512362519e3824ffd6c4e0ca7af5b7874ccf7ef27adc828817d71a1c7d9596aeb2075b2bd8044a42f91e635d4f0b554541d6335549
SSDEEP

6144:qyU1zKCKVDp3Cbitu7gJzmgkYUDBg8ZHAOEYReldp9cT66G:qyU1K9pv6RZH86T66G

Score

10^/10

glupteba purelogs redline smokeloader zgrat @ytlogsbot livetraffic up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://194.49.94.210/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

redline

Botnet

LiveTraffic

195.10.205.16:2245

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect PureLogs payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0030000000014958-23.dat	family_purelogs
behavioral1/files/0x0030000000014958-24.dat	family_purelogs
behavioral1/files/0x0030000000014958-21.dat	family_purelogs
behavioral1/memory/2548-27-0x0000000000C90000-0x0000000000DD6000-memory.dmp	family_purelogs
behavioral1/files/0x0030000000014958-34.dat	family_purelogs
behavioral1/files/0x0030000000014958-43.dat	family_purelogs

Detect ZGRat V1 27 IoCs

resource	yara_rule
behavioral1/memory/2936-48-0x0000000000BA0000-0x0000000000C84000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-51-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-57-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-67-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-65-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-95-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-93-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-91-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-89-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-87-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-85-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-83-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-81-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-79-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-77-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-75-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-73-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-71-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-69-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-63-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-61-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-59-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-55-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-53-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-50-0x0000000000BA0000-0x0000000000C80000-memory.dmp	family_zgrat_v1
behavioral1/memory/2252-368-0x0000000003580000-0x000000000385A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2936-496-0x000000001AAF0000-0x000000001AB70000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/2716-527-0x0000000002A60000-0x000000000334B000-memory.dmp	family_glupteba
behavioral1/memory/2716-1103-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012266-17.dat	family_redline
behavioral1/files/0x000a000000012266-18.dat	family_redline
behavioral1/memory/2532-25-0x0000000001060000-0x000000000109E000-memory.dmp	family_redline
behavioral1/memory/2232-374-0x0000000000100000-0x000000000013C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 696 created 1184	696	latestX.exe	15
PID 696 created 1184	696	latestX.exe	15
PID 696 created 1184	696	latestX.exe	15
PID 696 created 1184	696	latestX.exe	15

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2040	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 25 IoCs

pid	Process
2532	CA80.exe
2548	CCD2.exe
2936	CCD2.exe
2360	6C6.exe
2260	193E.exe
2252	193E.tmp
2232	2051.exe
3024	MathCRT.exe
2504	InstallSetup9.exe
1884	toolspub2.exe
2848	2976.exe
2840	Broom.exe
552	toolspub2.exe
2072	3CA9.exe
2716	31839b57a4f11171d6abc8bbc4451ee4.exe
1800	MathCRT.exe
1060	5393.exe
1804	tuc3.exe
2452	tuc3.tmp
696	latestX.exe
2508	cubggtv
1860	vbbggtv
2596	cubggtv
2744	31839b57a4f11171d6abc8bbc4451ee4.exe
944	csrss.exe

Loads dropped DLL 24 IoCs

pid	Process
1184	Explorer.EXE
2548	CCD2.exe
2260	193E.exe
2252	193E.tmp
2252	193E.tmp
2252	193E.tmp
2252	193E.tmp
2360	6C6.exe
2252	193E.tmp
2360	6C6.exe
2360	6C6.exe
2504	InstallSetup9.exe
1884	toolspub2.exe
2360	6C6.exe
2360	6C6.exe
2360	6C6.exe
1804	tuc3.exe
2360	6C6.exe
2452	tuc3.tmp
2452	tuc3.tmp
2452	tuc3.tmp
2452	tuc3.tmp
2744	31839b57a4f11171d6abc8bbc4451ee4.exe
2744	31839b57a4f11171d6abc8bbc4451ee4.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2548 set thread context of 2936	2548	CCD2.exe	35
PID 1884 set thread context of 552	1884	toolspub2.exe	50
PID 2508 set thread context of 2596	2508	cubggtv	68

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\MathCRT\is-T2CLI.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-FEQ50.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-146P9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-HBSML.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-4URPM.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-7C9BO.tmp	193E.tmp
File opened for modification	C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-6K4SM.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-9VN3O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-CS5OT.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-DJC0K.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-3490L.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-2HNCL.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-R320J.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-P6TSC.tmp	193E.tmp
File opened for modification	C:\Program Files (x86)\Common Files\MathCRT\unins000.dat	193E.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-RFHQV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-S41D5.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-8AFQO.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\UIText\is-HNMMB.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-D9J9M.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\UIText\is-JKI9C.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-3LE1F.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\unins000.dat	193E.tmp
File created	C:\Program Files (x86)\Common Files\MathCRT\is-22DTE.tmp	193E.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\unins000.dat	tuc3.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231201024958.cab	makecab.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1924	sc.exe
1228	sc.exe
1732	sc.exe
564	sc.exe
268	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	2232	WerFault.exe	39

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cubggtv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cubggtv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cubggtv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2576	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	AppLaunch.exe
2172	AppLaunch.exe
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1184	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2172	AppLaunch.exe
552	toolspub2.exe
2596	cubggtv

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	CCD2.exe
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeDebugPrivilege	2532	CA80.exe
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeDebugPrivilege	1060	5393.exe
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeDebugPrivilege	2716	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2716	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2072	3CA9.exe
Token: SeShutdownPrivilege	1032	powercfg.exe
Token: SeShutdownPrivilege	2972	powercfg.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeShutdownPrivilege	740	powercfg.exe
Token: SeShutdownPrivilege	2488	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 2020 wrote to memory of 2172	2020	07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe	29
PID 1184 wrote to memory of 2532	1184	Explorer.EXE	30
PID 1184 wrote to memory of 2532	1184	Explorer.EXE	30
PID 1184 wrote to memory of 2532	1184	Explorer.EXE	30
PID 1184 wrote to memory of 2532	1184	Explorer.EXE	30
PID 1184 wrote to memory of 2548	1184	Explorer.EXE	31
PID 1184 wrote to memory of 2548	1184	Explorer.EXE	31
PID 1184 wrote to memory of 2548	1184	Explorer.EXE	31
PID 2548 wrote to memory of 2936	2548	CCD2.exe	35
PID 2548 wrote to memory of 2936	2548	CCD2.exe	35
PID 2548 wrote to memory of 2936	2548	CCD2.exe	35
PID 2548 wrote to memory of 2936	2548	CCD2.exe	35
PID 2548 wrote to memory of 2936	2548	CCD2.exe	35
PID 2548 wrote to memory of 2936	2548	CCD2.exe	35
PID 2548 wrote to memory of 2936	2548	CCD2.exe	35
PID 1184 wrote to memory of 2360	1184	Explorer.EXE	36
PID 1184 wrote to memory of 2360	1184	Explorer.EXE	36
PID 1184 wrote to memory of 2360	1184	Explorer.EXE	36
PID 1184 wrote to memory of 2360	1184	Explorer.EXE	36
PID 1184 wrote to memory of 2260	1184	Explorer.EXE	37
PID 1184 wrote to memory of 2260	1184	Explorer.EXE	37
PID 1184 wrote to memory of 2260	1184	Explorer.EXE	37
PID 1184 wrote to memory of 2260	1184	Explorer.EXE	37
PID 1184 wrote to memory of 2260	1184	Explorer.EXE	37
PID 1184 wrote to memory of 2260	1184	Explorer.EXE	37
PID 1184 wrote to memory of 2260	1184	Explorer.EXE	37
PID 2260 wrote to memory of 2252	2260	193E.exe	38
PID 2260 wrote to memory of 2252	2260	193E.exe	38
PID 2260 wrote to memory of 2252	2260	193E.exe	38
PID 2260 wrote to memory of 2252	2260	193E.exe	38
PID 2260 wrote to memory of 2252	2260	193E.exe	38
PID 2260 wrote to memory of 2252	2260	193E.exe	38
PID 2260 wrote to memory of 2252	2260	193E.exe	38
PID 1184 wrote to memory of 2232	1184	Explorer.EXE	39
PID 1184 wrote to memory of 2232	1184	Explorer.EXE	39
PID 1184 wrote to memory of 2232	1184	Explorer.EXE	39
PID 1184 wrote to memory of 2232	1184	Explorer.EXE	39
PID 2360 wrote to memory of 2504	2360	6C6.exe	41
PID 2360 wrote to memory of 2504	2360	6C6.exe	41
PID 2360 wrote to memory of 2504	2360	6C6.exe	41
PID 2360 wrote to memory of 2504	2360	6C6.exe	41
PID 2360 wrote to memory of 2504	2360	6C6.exe	41
PID 2360 wrote to memory of 2504	2360	6C6.exe	41
PID 2360 wrote to memory of 2504	2360	6C6.exe	41
PID 2252 wrote to memory of 2012	2252	193E.tmp	42
PID 2252 wrote to memory of 2012	2252	193E.tmp	42
PID 2252 wrote to memory of 2012	2252	193E.tmp	42
PID 2252 wrote to memory of 2012	2252	193E.tmp	42
PID 2252 wrote to memory of 3024	2252	193E.tmp	44
PID 2252 wrote to memory of 3024	2252	193E.tmp	44
PID 2252 wrote to memory of 3024	2252	193E.tmp	44
PID 2252 wrote to memory of 3024	2252	193E.tmp	44
PID 2360 wrote to memory of 1884	2360	6C6.exe	45
PID 2360 wrote to memory of 1884	2360	6C6.exe	45
PID 2360 wrote to memory of 1884	2360	6C6.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe
  "C:\Users\Admin\AppData\Local\Temp\07deffdc1d80a2a2e95c834ed0f2f1ed3c3d4bd3df0cfbd41b518955ac58a166.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2172
- C:\Users\Admin\AppData\Local\Temp\CA80.exe
  C:\Users\Admin\AppData\Local\Temp\CA80.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\CCD2.exe
  C:\Users\Admin\AppData\Local\Temp\CCD2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\CCD2.exe
    C:\Users\Admin\AppData\Local\Temp\CCD2.exe
    3⤵
    - Executes dropped EXE
    PID:2936
- C:\Users\Admin\AppData\Local\Temp\6C6.exe
  C:\Users\Admin\AppData\Local\Temp\6C6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2840
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:552
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:2744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2160
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2040
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:944
- - C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\is-TBUQ0.tmp\tuc3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TBUQ0.tmp\tuc3.tmp" /SL5="$201DE,3243561,76288,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:2452
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:696
- C:\Users\Admin\AppData\Local\Temp\193E.exe
  C:\Users\Admin\AppData\Local\Temp\193E.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\is-IQQJQ.tmp\193E.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IQQJQ.tmp\193E.tmp" /SL5="$30144,2962479,54272,C:\Users\Admin\AppData\Local\Temp\193E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Query
      4⤵
      PID:2012
  - - C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe
      "C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe" -i
      4⤵
      Executes dropped EXE
      PID:3024
  - - C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe
      "C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe" -s
      4⤵
      Executes dropped EXE
      PID:1800
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 30
      4⤵
      PID:944
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 30
        5⤵
        
        PID:876
- C:\Users\Admin\AppData\Local\Temp\2051.exe
  C:\Users\Admin\AppData\Local\Temp\2051.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 532
    3⤵
    - Program crash
    PID:2184
- C:\Users\Admin\AppData\Local\Temp\2976.exe
  C:\Users\Admin\AppData\Local\Temp\2976.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\3CA9.exe
  C:\Users\Admin\AppData\Local\Temp\3CA9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3CA9.exe"
    3⤵
    PID:2172
- C:\Users\Admin\AppData\Local\Temp\5393.exe
  C:\Users\Admin\AppData\Local\Temp\5393.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1988
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1732
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:564
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:268
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1924
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2576
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1336
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1668

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231201024958.log C:\Windows\Logs\CBS\CbsPersist_20231201024958.cab
1⤵
- Drops file in Windows directory
PID:2964

C:\Windows\system32\taskeng.exe
taskeng.exe {92757937-EFEF-4AE2-96FA-81675C90E3DD} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]
1⤵
PID:2932
- C:\Users\Admin\AppData\Roaming\cubggtv
  C:\Users\Admin\AppData\Roaming\cubggtv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2508
- - C:\Users\Admin\AppData\Roaming\cubggtv
    C:\Users\Admin\AppData\Roaming\cubggtv
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2596
- C:\Users\Admin\AppData\Roaming\vbbggtv
  C:\Users\Admin\AppData\Roaming\vbbggtv
  2⤵
  - Executes dropped EXE
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe

Filesize
2.8MB

MD5
ff6971c9e581145161ee9fb04e34d018

SHA1
f6bace7570a797af745d33f3ab975f5e46c9c61c

SHA256
664eca5db2407a1a1647ddaa868f8345d05d584e005854c269baa49c1120a0b6

SHA512
690d7c30714c4488affab471c9fcd2f027f791dc944c0fdd091a9a6f651fdf971bb72f585464b27275577ed9a4239241fff8f2c926a2601c834681c3eac3c057

Download Submit
C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe

Filesize
2.8MB

MD5
ff6971c9e581145161ee9fb04e34d018

SHA1
f6bace7570a797af745d33f3ab975f5e46c9c61c

SHA256
664eca5db2407a1a1647ddaa868f8345d05d584e005854c269baa49c1120a0b6

SHA512
690d7c30714c4488affab471c9fcd2f027f791dc944c0fdd091a9a6f651fdf971bb72f585464b27275577ed9a4239241fff8f2c926a2601c834681c3eac3c057

Download Submit
C:\Program Files (x86)\Common Files\MathCRT\MathCRT.exe

Filesize
2.8MB

MD5
ff6971c9e581145161ee9fb04e34d018

SHA1
f6bace7570a797af745d33f3ab975f5e46c9c61c

SHA256
664eca5db2407a1a1647ddaa868f8345d05d584e005854c269baa49c1120a0b6

SHA512
690d7c30714c4488affab471c9fcd2f027f791dc944c0fdd091a9a6f651fdf971bb72f585464b27275577ed9a4239241fff8f2c926a2601c834681c3eac3c057

Download Submit
C:\Users\Admin\AppData\Local\Temp\193E.exe

Filesize
3.1MB

MD5
7a288dae7875b6aafd117258e7d8117a

SHA1
bc7347899b1881eadaeed8bad77cad1226622ee9

SHA256
5ca80ded4474d2a0b961dd27ef5e2b22fbdc4450a0ed5df3e0a38645a30d4203

SHA512
aef62a8a524d0e3385531cf1ae88de598d0c2caaa9da4ba074d4621917a4b6fbc33df28494c3abbc686c5365a457dca160aba2142a443be77153fda100168e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\193E.exe

Filesize
3.1MB

MD5
7a288dae7875b6aafd117258e7d8117a

SHA1
bc7347899b1881eadaeed8bad77cad1226622ee9

SHA256
5ca80ded4474d2a0b961dd27ef5e2b22fbdc4450a0ed5df3e0a38645a30d4203

SHA512
aef62a8a524d0e3385531cf1ae88de598d0c2caaa9da4ba074d4621917a4b6fbc33df28494c3abbc686c5365a457dca160aba2142a443be77153fda100168e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\2051.exe

Filesize
1.1MB

MD5
0d59fcb62fa366d5dee9362e268ccfe2

SHA1
9dc45ee33d79ec364c326ff762b1ee1570eca4b3

SHA256
1985a74337eb19b536bac8686cd2357cbf68b755bb228bdbff159a8b61539486

SHA512
c2aa6cca44be4e624ceb98b87136c21991a9adb6d86fa8fe6b6dc9587c1b0e63f1a01d295a5a7c679012fa0cdd486dceec5826f25c5ec02d59032a8a0b687363

Download Submit
C:\Users\Admin\AppData\Local\Temp\2976.exe

Filesize
651KB

MD5
cfa3e6ac04f2cd8e22c5ecd2b2119333

SHA1
428caaae3142b4976cd158bb9cdc433b8dbf11b1

SHA256
4b0f65a9706c2c604bac8a03c33ca9935656d08a4a94905f1ce2a16aedff5382

SHA512
ea68f638a7a1229d7cae2125bd4d358c3c4bbc2f7bc354c8c2d6568c1928893c21b53e4d6e4bc91490dccc328963acb7dee0af976519d3925c0344eac2f7bf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\2976.exe

Filesize
651KB

MD5
cfa3e6ac04f2cd8e22c5ecd2b2119333

SHA1
428caaae3142b4976cd158bb9cdc433b8dbf11b1

SHA256
4b0f65a9706c2c604bac8a03c33ca9935656d08a4a94905f1ce2a16aedff5382

SHA512
ea68f638a7a1229d7cae2125bd4d358c3c4bbc2f7bc354c8c2d6568c1928893c21b53e4d6e4bc91490dccc328963acb7dee0af976519d3925c0344eac2f7bf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\2976.exe

Filesize
651KB

MD5
cfa3e6ac04f2cd8e22c5ecd2b2119333

SHA1
428caaae3142b4976cd158bb9cdc433b8dbf11b1

SHA256
4b0f65a9706c2c604bac8a03c33ca9935656d08a4a94905f1ce2a16aedff5382

SHA512
ea68f638a7a1229d7cae2125bd4d358c3c4bbc2f7bc354c8c2d6568c1928893c21b53e4d6e4bc91490dccc328963acb7dee0af976519d3925c0344eac2f7bf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CA9.exe

Filesize
979KB

MD5
a571a9cb4dc957dadced28c592e3ac76

SHA1
2c66ee3b5503cd39e48a4ba3da011634316ac3bd

SHA256
525f9063ee54145e221f4a3f96598120d81c375796ab77ad83e9e363b91c159e

SHA512
3f9462fb2bd91d0ae068f706c25a9c7e09ea03cfd445d711f3a8c2e8375d10cd1989261b32296b0d514ac0c11f840822e0297a2b67a803968c43c58d9057efa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CA9.exe

Filesize
979KB

MD5
a571a9cb4dc957dadced28c592e3ac76

SHA1
2c66ee3b5503cd39e48a4ba3da011634316ac3bd

SHA256
525f9063ee54145e221f4a3f96598120d81c375796ab77ad83e9e363b91c159e

SHA512
3f9462fb2bd91d0ae068f706c25a9c7e09ea03cfd445d711f3a8c2e8375d10cd1989261b32296b0d514ac0c11f840822e0297a2b67a803968c43c58d9057efa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5393.exe

Filesize
236KB

MD5
9e38130415f1885ee01ba761aa956e73

SHA1
e870bce365a7317f839d878efd810926a811621a

SHA256
6984b6beedc6aa033c74400b14a4ec92b7a4c1a621273df445724001d5f8adc3

SHA512
8532c5af7252c8f6566d855a5f4061dcb94e076567c43711b7371912ec0e6a6f8a0dab62a43a428ca4bdb3707463c9b968b184d06c745e02a57b41c3dd8dd324

Download Submit
C:\Users\Admin\AppData\Local\Temp\5393.exe

Filesize
236KB

MD5
9e38130415f1885ee01ba761aa956e73

SHA1
e870bce365a7317f839d878efd810926a811621a

SHA256
6984b6beedc6aa033c74400b14a4ec92b7a4c1a621273df445724001d5f8adc3

SHA512
8532c5af7252c8f6566d855a5f4061dcb94e076567c43711b7371912ec0e6a6f8a0dab62a43a428ca4bdb3707463c9b968b184d06c745e02a57b41c3dd8dd324

Download Submit
C:\Users\Admin\AppData\Local\Temp\5393.exe

Filesize
236KB

MD5
9e38130415f1885ee01ba761aa956e73

SHA1
e870bce365a7317f839d878efd810926a811621a

SHA256
6984b6beedc6aa033c74400b14a4ec92b7a4c1a621273df445724001d5f8adc3

SHA512
8532c5af7252c8f6566d855a5f4061dcb94e076567c43711b7371912ec0e6a6f8a0dab62a43a428ca4bdb3707463c9b968b184d06c745e02a57b41c3dd8dd324

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C6.exe

Filesize
15.7MB

MD5
0666ec08cfd84b8e3bca9f8458395df0

SHA1
b16539196615ea2b3341ecb24ff708a375cb25df

SHA256
af28ca70335efa9702faf39ba2f9313123b6453350855b287653151a6b5944e9

SHA512
47bac4457da37eab7f00c03f6996fbbc56691982be3268b22226a79c92390a755cc79e4f3843f1f7203aac6bff3dc269681a8a771649413af6553318262d7a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C6.exe

Filesize
15.7MB

MD5
0666ec08cfd84b8e3bca9f8458395df0

SHA1
b16539196615ea2b3341ecb24ff708a375cb25df

SHA256
af28ca70335efa9702faf39ba2f9313123b6453350855b287653151a6b5944e9

SHA512
47bac4457da37eab7f00c03f6996fbbc56691982be3268b22226a79c92390a755cc79e4f3843f1f7203aac6bff3dc269681a8a771649413af6553318262d7a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA80.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA80.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCD2.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCD2.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCD2.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
5a4d9c7655774781ac874d28e5f4e8c3

SHA1
a07b8efb4ba7a5325310d67f8ab0bab289c1bcfe

SHA256
6dbdd7e60ed858d48b55cc0ccc5036e0f075fac5ca204711c3e2e96488335af1

SHA512
ff9cdb2b0e881c6edbf1e35d280f5fa308ccc4e58dce8aa095990c721950f8378435c8479fd7707a18eede44baf5c4fed8ee23a6d0c67f170b74812d9b0c732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
5a4d9c7655774781ac874d28e5f4e8c3

SHA1
a07b8efb4ba7a5325310d67f8ab0bab289c1bcfe

SHA256
6dbdd7e60ed858d48b55cc0ccc5036e0f075fac5ca204711c3e2e96488335af1

SHA512
ff9cdb2b0e881c6edbf1e35d280f5fa308ccc4e58dce8aa095990c721950f8378435c8479fd7707a18eede44baf5c4fed8ee23a6d0c67f170b74812d9b0c732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQQJQ.tmp\193E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JD9FS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TBUQ0.tmp\tuc3.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TBUQ0.tmp\tuc3.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
3.3MB

MD5
9d203bb88cfaf2a9dc2cdb04d888b4a2

SHA1
4481b6b9195590eee905f895cce62524f970fd51

SHA256
ba8a003d3491205e5e43c608daa1a51087d43dfe53260eb82227ddfb7448d83b

SHA512
86790d21b2731f36c9e1f80b617e016c37a01b3d8bb74dc73f53387b2c57dfd301f936f9ec6bc8d9750870ffcd7bb3dedb92c41c07eb0b519961e029aff2996d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
3.3MB

MD5
9d203bb88cfaf2a9dc2cdb04d888b4a2

SHA1
4481b6b9195590eee905f895cce62524f970fd51

SHA256
ba8a003d3491205e5e43c608daa1a51087d43dfe53260eb82227ddfb7448d83b

SHA512
86790d21b2731f36c9e1f80b617e016c37a01b3d8bb74dc73f53387b2c57dfd301f936f9ec6bc8d9750870ffcd7bb3dedb92c41c07eb0b519961e029aff2996d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fcc8cc0ec806b312af206ccaa7fff7d4

SHA1
2ce30f35b6939fb8fb899b754b7af96c490dd7c0

SHA256
c44f7bbb25f60c9a145bd1a8788a8551ec29121061378d91ca236a00c6cff304

SHA512
d52289e8407adc3684259ab934c96c12c13c33b164bfdc11e7a9a16ddde9192628db4797c901c083943dda622e62ee2d6ff99ed89327cbdb81a0aaaa7e605144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SN5Z0CV3FDXZDL17MHMX.temp

Filesize
7KB

MD5
753aca8f3c1455b3348c08ba702a987e

SHA1
7d08c16e59789e83c589ff70e16457c2eb659c63

SHA256
86059dfb4f75d92df4267a8d5fc5e6e8a3bf3cd0cdb6b4b359539cc1e36494e1

SHA512
cbada7550aab779958fcaec3ad4138c9ecbb1b95771f76a904f92dd6be841c99cf3112db967f93883cdac978e764dc4b44d6aa95075613bf51154632453f079a

Download Submit
C:\Users\Admin\AppData\Roaming\cubggtv

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Roaming\cubggtv

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Roaming\cubggtv

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Roaming\vbbggtv

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
C:\Users\Admin\AppData\Roaming\vbbggtv

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\??\c:\users\admin\appdata\local\temp\is-iqqjq.tmp\193e.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Program Files (x86)\Common Files\MathCRT\MathCRT.exe

Filesize
2.8MB

MD5
ff6971c9e581145161ee9fb04e34d018

SHA1
f6bace7570a797af745d33f3ab975f5e46c9c61c

SHA256
664eca5db2407a1a1647ddaa868f8345d05d584e005854c269baa49c1120a0b6

SHA512
690d7c30714c4488affab471c9fcd2f027f791dc944c0fdd091a9a6f651fdf971bb72f585464b27275577ed9a4239241fff8f2c926a2601c834681c3eac3c057

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
\Users\Admin\AppData\Local\Temp\CCD2.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
\Users\Admin\AppData\Local\Temp\CCD2.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
5a4d9c7655774781ac874d28e5f4e8c3

SHA1
a07b8efb4ba7a5325310d67f8ab0bab289c1bcfe

SHA256
6dbdd7e60ed858d48b55cc0ccc5036e0f075fac5ca204711c3e2e96488335af1

SHA512
ff9cdb2b0e881c6edbf1e35d280f5fa308ccc4e58dce8aa095990c721950f8378435c8479fd7707a18eede44baf5c4fed8ee23a6d0c67f170b74812d9b0c732f

Download Submit
\Users\Admin\AppData\Local\Temp\is-65F8O.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-65F8O.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
\Users\Admin\AppData\Local\Temp\is-65F8O.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-65F8O.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IQQJQ.tmp\193E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-JD9FS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-JD9FS.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
\Users\Admin\AppData\Local\Temp\is-JD9FS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JD9FS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TBUQ0.tmp\tuc3.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
3.3MB

MD5
9d203bb88cfaf2a9dc2cdb04d888b4a2

SHA1
4481b6b9195590eee905f895cce62524f970fd51

SHA256
ba8a003d3491205e5e43c608daa1a51087d43dfe53260eb82227ddfb7448d83b

SHA512
86790d21b2731f36c9e1f80b617e016c37a01b3d8bb74dc73f53387b2c57dfd301f936f9ec6bc8d9750870ffcd7bb3dedb92c41c07eb0b519961e029aff2996d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
memory/552-452-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1060-502-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download
memory/1060-503-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/1060-494-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-1298-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/1060-505-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1184-13-0x000007FF28980000-0x000007FF2898A000-memory.dmp

Filesize
40KB

Download
memory/1184-12-0x000007FEF5EB0000-0x000007FEF5FF3000-memory.dmp

Filesize
1.3MB

Download
memory/1184-5-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/1800-499-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/1800-1105-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/1800-462-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/1804-463-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1804-1107-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1884-417-0x00000000002D5000-0x00000000002EB000-memory.dmp

Filesize
88KB

Download
memory/1884-418-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2072-1113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-1109-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-464-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-1149-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2072-1145-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/2072-423-0x0000000000AE0000-0x0000000000BDA000-memory.dmp

Filesize
1000KB

Download
memory/2172-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2232-528-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-385-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-374-0x0000000000100000-0x000000000013C000-memory.dmp

Filesize
240KB

Download
memory/2252-299-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2252-368-0x0000000003580000-0x000000000385A000-memory.dmp

Filesize
2.9MB

Download
memory/2252-525-0x0000000003580000-0x000000000385A000-memory.dmp

Filesize
2.9MB

Download
memory/2252-506-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2260-274-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2260-504-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2360-220-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-500-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-498-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-221-0x0000000000AB0000-0x0000000001A6E000-memory.dmp

Filesize
15.7MB

Download
memory/2452-495-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2532-28-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download
memory/2532-461-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download
memory/2532-20-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-25-0x0000000001060000-0x000000000109E000-memory.dmp

Filesize
248KB

Download
memory/2532-382-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-1302-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2548-26-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-27-0x0000000000C90000-0x0000000000DD6000-memory.dmp

Filesize
1.3MB

Download
memory/2548-29-0x000000001AEB0000-0x000000001AF90000-memory.dmp

Filesize
896KB

Download
memory/2548-30-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/2548-31-0x000000001AF90000-0x000000001B058000-memory.dmp

Filesize
800KB

Download
memory/2548-32-0x000000001B590000-0x000000001B658000-memory.dmp

Filesize
800KB

Download
memory/2548-33-0x0000000000570000-0x00000000005BC000-memory.dmp

Filesize
304KB

Download
memory/2548-45-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-1103-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2716-527-0x0000000002A60000-0x000000000334B000-memory.dmp

Filesize
8.9MB

Download
memory/2716-526-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/2840-467-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2936-67-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-40-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/2936-87-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-89-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-91-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-93-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-95-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-65-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-478-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-57-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-51-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-49-0x000000001AAF0000-0x000000001AB70000-memory.dmp

Filesize
512KB

Download
memory/2936-83-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-81-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-47-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-79-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-48-0x0000000000BA0000-0x0000000000C84000-memory.dmp

Filesize
912KB

Download
memory/2936-77-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-42-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2936-85-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-37-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2936-39-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2936-35-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2936-75-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-73-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-71-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-69-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-496-0x000000001AAF0000-0x000000001AB70000-memory.dmp

Filesize
512KB

Download
memory/2936-63-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-61-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-59-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-55-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-53-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/2936-50-0x0000000000BA0000-0x0000000000C80000-memory.dmp

Filesize
896KB

Download
memory/3024-434-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/3024-397-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/3024-371-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download