eternity | 8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb

Analysis

max time kernel
111s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2023 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Size

37KB
MD5

0b5ab18b1fb6b220e32a614dfb5b4de2
SHA1

42b2d5dcf34395173b96899113d42080f0053643
SHA256

8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb
SHA512

999bcc43833f18abf11804bec0acc419a03dbce7ebc3900dfd3cdb5fe8e66af5baa71f8961c13d7a38162e73206ae245d3eb2ef6eb24d1b17de001f6b6324bf7
SSDEEP

768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Score

10^/10

eternity glupteba lumma redline smokeloader socks5systemz @oleh_ps up3 backdoor botnet discovery dropper evasion infostealer loader spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

socks5systemz

Attributes

rc4_key
i4hiea56#7b&dfw3

Signatures

Detect Lumma Stealer payload V4 4 IoCs

resource	yara_rule
behavioral2/memory/3976-296-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/3976-299-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/3976-301-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/3976-307-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4808-527-0x0000000000900000-0x00000000009AD000-memory.dmp	family_socks5systemz

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

resource	yara_rule
behavioral2/memory/1752-271-0x0000000002DE0000-0x00000000036CB000-memory.dmp	family_glupteba
behavioral2/memory/1752-272-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1752-275-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1752-319-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1752-421-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1752-450-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4736-467-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4736-522-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000230fd-23.dat	family_redline
behavioral2/memory/4596-27-0x00000000003F0000-0x000000000042C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2448 created 3228	2448	latestX.exe	50

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4952	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	DF11.exe

Deletes itself 1 IoCs

pid	Process
3228	Explorer.EXE

Executes dropped EXE 16 IoCs

pid	Process
3208	623F.exe
4708	DF11.exe
3508	E3D5.exe
4596	E5CA.exe
652	InstallSetup9.exe
4768	toolspub2.exe
1752	31839b57a4f11171d6abc8bbc4451ee4.exe
2896	Broom.exe
492	tuc3.exe
780	tuc3.tmp
2448	latestX.exe
5100	powercfg.exe
4592	xrecode3.exe
4808	xrecode3.exe
2756	toolspub2.exe
5088	AppLaunch.exe

Loads dropped DLL 4 IoCs

pid	Process
780	tuc3.tmp
780	tuc3.tmp
780	tuc3.tmp
5100	powercfg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3508 set thread context of 3172	3508	E3D5.exe	110
PID 4768 set thread context of 2756	4768	toolspub2.exe	131
PID 5100 set thread context of 3976	5100	powercfg.exe	132

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-107PA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-K5U9E.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\xrecode3\install\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\install\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-JADLP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-04ARD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-DQC50.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-Q08R6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-D42A7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-JK8OL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-30HLC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-KAOL4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-RBVO4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-KQN2M.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-D091I.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-O9MKH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-T5IOV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-JPCEK.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\xrecode3\xrecode3.exe	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-5GIRI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-I1VBU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-BAL10.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-NB1S4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-B3E35.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-HFIFM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\lessmsi\is-0BTMO.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-I93QH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-FNJBG.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-PU8EM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-1JE2U.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-EVB4T.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-B3BSK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-I3AKA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-854Q5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-FLRJ1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-CRJP5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-GG4C2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-17TAJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-MGP4M.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-6LO38.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-9VJIB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-D7GRI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-COTT7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-LLEOM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-BDMOC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-P71LO.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-O99TO.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-KQ0DM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-VBF5M.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-6RT1S.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\install\is-IK9E4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-6KBHJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-L9QED.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-MA0PB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-D8DCJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\is-TON8D.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-I4919.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-DRGL1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-I780K.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-6T0LQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-NNILM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-O9NKO.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\bin\x86\is-9JFNO.tmp	tuc3.tmp

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3712	sc.exe
3964	sc.exe
2060	sc.exe
212	sc.exe
2736	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1060	5100	WerFault.exe	122
5092	3976	WerFault.exe	132

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
888	schtasks.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2616	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5076	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
5076	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE
3228	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5076	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
2756	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeDebugPrivilege	4596	E5CA.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	Broom.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3228	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3208	3228	Explorer.EXE	103
PID 3228 wrote to memory of 3208	3228	Explorer.EXE	103
PID 3228 wrote to memory of 3208	3228	Explorer.EXE	103
PID 3228 wrote to memory of 4708	3228	Explorer.EXE	106
PID 3228 wrote to memory of 4708	3228	Explorer.EXE	106
PID 3228 wrote to memory of 4708	3228	Explorer.EXE	106
PID 3228 wrote to memory of 3508	3228	Explorer.EXE	107
PID 3228 wrote to memory of 3508	3228	Explorer.EXE	107
PID 3228 wrote to memory of 3508	3228	Explorer.EXE	107
PID 3508 wrote to memory of 2372	3508	E3D5.exe	108
PID 3508 wrote to memory of 2372	3508	E3D5.exe	108
PID 3508 wrote to memory of 2372	3508	E3D5.exe	108
PID 3508 wrote to memory of 4400	3508	E3D5.exe	109
PID 3508 wrote to memory of 4400	3508	E3D5.exe	109
PID 3508 wrote to memory of 4400	3508	E3D5.exe	109
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3508 wrote to memory of 3172	3508	E3D5.exe	110
PID 3228 wrote to memory of 4596	3228	Explorer.EXE	111
PID 3228 wrote to memory of 4596	3228	Explorer.EXE	111
PID 3228 wrote to memory of 4596	3228	Explorer.EXE	111
PID 3172 wrote to memory of 3560	3172	AppLaunch.exe	112
PID 3172 wrote to memory of 3560	3172	AppLaunch.exe	112
PID 3172 wrote to memory of 3560	3172	AppLaunch.exe	112
PID 4708 wrote to memory of 652	4708	DF11.exe	113
PID 4708 wrote to memory of 652	4708	DF11.exe	113
PID 4708 wrote to memory of 652	4708	DF11.exe	113
PID 4708 wrote to memory of 4768	4708	DF11.exe	115
PID 4708 wrote to memory of 4768	4708	DF11.exe	115
PID 4708 wrote to memory of 4768	4708	DF11.exe	115
PID 4708 wrote to memory of 1752	4708	DF11.exe	116
PID 4708 wrote to memory of 1752	4708	DF11.exe	116
PID 4708 wrote to memory of 1752	4708	DF11.exe	116
PID 652 wrote to memory of 2896	652	InstallSetup9.exe	117
PID 652 wrote to memory of 2896	652	InstallSetup9.exe	117
PID 652 wrote to memory of 2896	652	InstallSetup9.exe	117
PID 4708 wrote to memory of 492	4708	DF11.exe	118
PID 4708 wrote to memory of 492	4708	DF11.exe	118
PID 4708 wrote to memory of 492	4708	DF11.exe	118
PID 492 wrote to memory of 780	492	tuc3.exe	120
PID 492 wrote to memory of 780	492	tuc3.exe	120
PID 492 wrote to memory of 780	492	tuc3.exe	120
PID 4708 wrote to memory of 2448	4708	DF11.exe	119
PID 4708 wrote to memory of 2448	4708	DF11.exe	119
PID 3560 wrote to memory of 1292	3560	cmd.exe	121
PID 3560 wrote to memory of 1292	3560	cmd.exe	121
PID 3560 wrote to memory of 1292	3560	cmd.exe	121
PID 3228 wrote to memory of 5100	3228	Explorer.EXE	155
PID 3228 wrote to memory of 5100	3228	Explorer.EXE	155
PID 3228 wrote to memory of 5100	3228	Explorer.EXE	155
PID 780 wrote to memory of 3028	780	tuc3.tmp	124
PID 780 wrote to memory of 3028	780	tuc3.tmp	124
PID 780 wrote to memory of 3028	780	tuc3.tmp	124
PID 780 wrote to memory of 4592	780	tuc3.tmp	123
PID 780 wrote to memory of 4592	780	tuc3.tmp	123
PID 780 wrote to memory of 4592	780	tuc3.tmp	123
PID 780 wrote to memory of 4564	780	tuc3.tmp	126
PID 780 wrote to memory of 4564	780	tuc3.tmp	126
PID 780 wrote to memory of 4564	780	tuc3.tmp	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe
  "C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\623F.exe
  C:\Users\Admin\AppData\Local\Temp\623F.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Users\Admin\AppData\Local\Temp\DF11.exe
  C:\Users\Admin\AppData\Local\Temp\DF11.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2896
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:1752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:4736
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:568
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1688
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3120
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:964
- - C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Users\Admin\AppData\Local\Temp\is-8A15D.tmp\tuc3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8A15D.tmp\tuc3.tmp" /SL5="$D01CE,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Program Files (x86)\xrecode3\xrecode3.exe
        
        "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:4592
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Query
        5⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 1
        5⤵
        
        PID:4564
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 1
        6⤵
        
        PID:4704
    - - C:\Program Files (x86)\xrecode3\xrecode3.exe
        
        "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:4808
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    PID:2448
- C:\Users\Admin\AppData\Local\Temp\E3D5.exe
  C:\Users\Admin\AppData\Local\Temp\E3D5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1292
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:2616
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:888
    - - C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
        5⤵
        Executes dropped EXE
        
        PID:5088
- C:\Users\Admin\AppData\Local\Temp\E5CA.exe
  C:\Users\Admin\AppData\Local\Temp\E5CA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\23FD.exe
  C:\Users\Admin\AppData\Local\Temp\23FD.exe
  2⤵
  PID:5100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:3976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 792
      4⤵
      Program crash
      PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1196
    3⤵
    - Program crash
    PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5096
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3712
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3964
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2060
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:212
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2736
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:5100
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3204
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:184
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4624
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\164D.bat" "
  2⤵
  PID:3984
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    3⤵
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E4D.bat" "
  2⤵
  PID:768
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    3⤵
    PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5100 -ip 5100
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3976 -ip 3976
1⤵
PID:988

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
1⤵
PID:1028

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\xrecode3\xrecode3.exe

Filesize
3.5MB

MD5
aa9f5a4dbd05ae5fbefe5cea48f2f355

SHA1
ea851b9f6521875a8a550d9c788bd11750ae6151

SHA256
0f01b2ad6d8723a6d2195080d2fba1eb2e853510828e27c47299efa34956ef02

SHA512
dfb39816d508dba9a3ac74d6c27829e8415c39482f6de21171767f3f1fcddc0cf443608b1ca0e4c45ce0241c7ebffa4c324701d73e207917181671ae6f6ff521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
588e5b3406537204588ef39f4c84259f

SHA1
c6056b8139c0796cc6272b7b71fca2085f62b785

SHA256
3b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0

SHA512
f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\164D.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\23FD.exe

Filesize
5.7MB

MD5
2e47689f4002fe68d190b2f939f683c7

SHA1
f389e3443edaf6886220427b65a0688cd87de873

SHA256
dab540109675f8680f497b14f62913bc6ffa21c28dd4604f480ea5a9beffaff4

SHA512
398a682c426be43396894cd8d5dda25f6308f191dab236496522e524a69ceacd31019f238034e27af8af2155b017bd50397a6b3b939441a0e2fdbc034f22b57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
be7a91954af6ada6a01c772ed847bf34

SHA1
a63ff4ee47dd98cb1a8421829fecdbfaebc05cfd

SHA256
870521d8d909645904244a2c6b1716569e633156fe30868c5590041dde4e63a5

SHA512
1d2f3c88a71183531b1c4c319832f54f9070fe1b64bdb35e3ab3dc26fd45cc11ec16ab4f5a4b7b492cfdc8d46258f5c916fc12ce393edf789a42b377f4f4418d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f81be07058935d224ab3843bff94fec0

SHA1
1a7360901f8cb5017f7a41ca1a6984227b712b16

SHA256
8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c

SHA512
342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\623F.exe

Filesize
401KB

MD5
f88edad62a7789c2c5d8047133da5fa7

SHA1
41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

SHA256
eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

SHA512
e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
4.4MB

MD5
53cab90888cbff8605e2b5e4f40a07f7

SHA1
7f4762a6a28235627270b3db8a5385c07ff2b98a

SHA256
01a97a72d3d4ecd30bedf0bf1ef1e8ed4bebc97915fb38d849891b18bb907f9e

SHA512
62db077aba95be65e9c7ef37d75da612ee98b180d364cee4e5eb4d2a93f6684bfac0ac8b9d5c1b2083cb1b9ad852a0bd05882f6fdf91c12946e52180d062e291

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF11.exe

Filesize
8.9MB

MD5
fca377a108531c56badfd85ce2410ea3

SHA1
4a9cadd4b01a10e3693e0510a4d358c188b9ac19

SHA256
6b1474f5c11c9d050589e996c227e473097b3bd5617d01134db9797a0364eb7f

SHA512
77e9f51d0915ad2653678d88b8de750cfa340f91f1eac4a4fb68e2609ec10b863a16e8ab4210b84b8d87d2753ee46202a55cbc48541b4ae2969c0f2521ea2ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF11.exe

Filesize
20.6MB

MD5
bf9285a3f634873dec83208c90b2681f

SHA1
b064e4917653c5809ec894bad3c1cf02937ad80f

SHA256
f806fe1853829495067c57c7a5440debd91247c3080823ed34187aec2d2299dc

SHA512
740779ee80feef1e979a20d0efbb953e7fa885644a6ab324a48ae3008b0f5525724601a46ad75de432845611928b04de7dc6c25a2de3fd7888a3f0590d847a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3D5.exe

Filesize
279KB

MD5
0de1d0372e15bbfeded7fb418e8c00ae

SHA1
6d0dc8617e5bcdd48dd5b45d8f40b97e4bbce0a1

SHA256
98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502

SHA512
7b3f2d2cc3fce6707be938053fd94a8a5edb48f7dad787847bd362329b6f07657fd7f66ab1f5c5d78db12aa7a41717ea3c7cbe8a1706d2456d1c42e9b1fb4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CA.exe

Filesize
219KB

MD5
91d23595c11c7ee4424b6267aabf3600

SHA1
ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

SHA256
d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

SHA512
cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
77471d919a5e2151fb49f37c315af514

SHA1
0687047ed80aa348bdc1657731f21181995b654c

SHA256
52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1

SHA512
6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cnbpuws.mub.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8A15D.tmp\tuc3.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JT8GK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JT8GK.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
291KB

MD5
cde750f39f58f1ec80ef41ce2f4f1db9

SHA1
942ea40349b0e5af7583fd34f4d913398a9c3b96

SHA256
0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

SHA512
c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
3.8MB

MD5
ff8e64f8f241e0e0a7a32615cd72707c

SHA1
257849edf5d476baeca61201475f76533c597b91

SHA256
56095d0dee6b5c70ac93afbcc6ad17529de87ee27c2e2facea4b8bd0806d620f

SHA512
4fde63da346dcd55964c09acc1c52d763cbf6c4528fda38cac2cd007da8701489ed607f65fc87269fe369c597eecdeca8da06429ccc4e5a5509f7a4ebc291938

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
5.8MB

MD5
35188b0d3e18fc5879ecb1867cdb2187

SHA1
8c2afd9dd30666c4899e58da78a07b71b892653f

SHA256
4ab079f5f3a0c1a10a38a4d7c29252bd2f29a2c0d32f9d87325fcdf82ad0736b

SHA512
c10744f21dc9742cba20c4ba2cbd746dda078a04daf2e2ebb516c9459692a82bf64fc12ec8e942a7fc1547b8736700eeca485fdc168ab045e19e455e748ff514

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
4.3MB

MD5
b085b07c9fb1aa44b3f854512a6f1b2f

SHA1
0a9aa29c512dc0ff4aba69480d0544f5d829831e

SHA256
de15932684958ba35f798f366ad2e56fa14a3b6259944e5906c2fb3e4a3a4c40

SHA512
1fb1f9972e0a5ab5b4c36f51d3f028d023939f1f6a8e3c84ac7bf72162ac0ba3fa830380a4b6172bcfaf75ed36b0841a160f3c9f326c2bcbf9292816f92e698a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e491e1c9f0d0f376d303348c842b80e5

SHA1
cb73a37caa2b9d668dabc25dc4ceee0689c982c8

SHA256
4677d745694ceb100bc6f6a9a238acc296aa7c4b167628e48961feddb935ad32

SHA512
cd888f86a7dab50a0a6de995c16c3905800067212845b10a95d434728bcb9998d635ba1d8e1e0a4a212091171bdacc1fa2b0f1a13e1a736df53b788208c04c10

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
da448e1428870d75b940d62acb27d6bd

SHA1
719e6c9fa6ac5075d75047af7b1fd7eea378e274

SHA256
448f59e067bda71ec0112c897b7ed8c5d44349575cbd67e69bfa4b36547ce3ca

SHA512
469b7e1241c54896110acf9bbc6ee2294ec9193859503d1df010ca0e18d0b27f07225fdc912c9ad389c6040f96d1dc7603d17556b6c11400bca52aac73f1f688

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.6MB

MD5
dbce59377617577da362f207bd5e676d

SHA1
845d7edc936d6eef2fe5a9a6fe2a76a26481c95e

SHA256
036b7641118db559beeca4a03bc1181d51845d670db9a227fcc5a781c122105d

SHA512
ef25a91648dbae6870325393ad29688250dd5a3da57052b5176e400bd6e1cacbfacebd1aeb51db13eda41b535118f48a2893b3cdf28c7df48b2d19956ef67706

Download Submit
memory/492-85-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/492-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/780-304-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/780-267-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/780-116-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1752-270-0x00000000029D0000-0x0000000002DD8000-memory.dmp

Filesize
4.0MB

Download
memory/1752-319-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1752-271-0x0000000002DE0000-0x00000000036CB000-memory.dmp

Filesize
8.9MB

Download
memory/1752-421-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1752-272-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1752-450-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1752-275-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1892-434-0x00007FF737840000-0x00007FF737DE1000-memory.dmp

Filesize
5.6MB

Download
memory/2448-392-0x00007FF7786E0000-0x00007FF778C81000-memory.dmp

Filesize
5.6MB

Download
memory/2448-342-0x00007FF7786E0000-0x00007FF778C81000-memory.dmp

Filesize
5.6MB

Download
memory/2448-268-0x00007FF7786E0000-0x00007FF778C81000-memory.dmp

Filesize
5.6MB

Download
memory/2448-400-0x00007FF7786E0000-0x00007FF778C81000-memory.dmp

Filesize
5.6MB

Download
memory/2756-278-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-273-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-309-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2896-89-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2896-259-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2896-291-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3172-28-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3172-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3172-52-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3172-30-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/3228-308-0x0000000002330000-0x0000000002346000-memory.dmp

Filesize
88KB

Download
memory/3228-1-0x0000000002980000-0x0000000002996000-memory.dmp

Filesize
88KB

Download
memory/3976-301-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3976-296-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3976-299-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3976-307-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4056-322-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/4056-325-0x0000000005B50000-0x0000000006178000-memory.dmp

Filesize
6.2MB

Download
memory/4056-327-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4056-326-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4056-328-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/4056-321-0x0000000003190000-0x00000000031C6000-memory.dmp

Filesize
216KB

Download
memory/4056-329-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/4056-340-0x00000000062A0000-0x00000000065F4000-memory.dmp

Filesize
3.3MB

Download
memory/4056-352-0x00000000067B0000-0x00000000067CE000-memory.dmp

Filesize
120KB

Download
memory/4592-253-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4592-257-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4592-252-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4596-69-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/4596-27-0x00000000003F0000-0x000000000042C000-memory.dmp

Filesize
240KB

Download
memory/4596-263-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/4596-55-0x00000000082C0000-0x00000000088D8000-memory.dmp

Filesize
6.1MB

Download
memory/4596-63-0x0000000007510000-0x000000000761A000-memory.dmp

Filesize
1.0MB

Download
memory/4596-35-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4596-31-0x00000000071E0000-0x0000000007272000-memory.dmp

Filesize
584KB

Download
memory/4596-269-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4596-65-0x0000000007440000-0x0000000007452000-memory.dmp

Filesize
72KB

Download
memory/4596-26-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/4596-80-0x0000000007620000-0x000000000766C000-memory.dmp

Filesize
304KB

Download
memory/4596-36-0x00000000071C0000-0x00000000071CA000-memory.dmp

Filesize
40KB

Download
memory/4596-339-0x000000000A660000-0x000000000A6B0000-memory.dmp

Filesize
320KB

Download
memory/4596-265-0x0000000007E60000-0x0000000007EC6000-memory.dmp

Filesize
408KB

Download
memory/4596-318-0x0000000009530000-0x0000000009A5C000-memory.dmp

Filesize
5.2MB

Download
memory/4596-317-0x0000000008E30000-0x0000000008FF2000-memory.dmp

Filesize
1.8MB

Download
memory/4708-117-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/4708-29-0x0000000000A10000-0x0000000001EC6000-memory.dmp

Filesize
20.7MB

Download
memory/4708-25-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-522-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4736-467-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4768-276-0x00000000009A8000-0x00000000009BB000-memory.dmp

Filesize
76KB

Download
memory/4768-277-0x0000000000820000-0x0000000000829000-memory.dmp

Filesize
36KB

Download
memory/4808-324-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4808-387-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4808-527-0x0000000000900000-0x00000000009AD000-memory.dmp

Filesize
692KB

Download
memory/4808-521-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4808-290-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4808-465-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4808-264-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4808-433-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/5076-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5076-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5100-297-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/5100-293-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/5100-298-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/5100-302-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-305-0x00000000062D0000-0x00000000063D0000-memory.dmp

Filesize
1024KB

Download
memory/5100-306-0x00000000062D0000-0x00000000063D0000-memory.dmp

Filesize
1024KB

Download
memory/5100-295-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/5100-256-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/5100-294-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/5100-303-0x00000000062D0000-0x00000000063D0000-memory.dmp

Filesize
1024KB

Download
memory/5100-292-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/5100-246-0x0000000000050000-0x0000000000602000-memory.dmp

Filesize
5.7MB

Download
memory/5100-251-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/5100-286-0x0000000006010000-0x0000000006020000-memory.dmp

Filesize
64KB

Download
memory/5100-316-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-279-0x0000000005A80000-0x0000000005C12000-memory.dmp

Filesize
1.6MB

Download
memory/5100-247-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download