nullmixer | c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c

Resubmissions

15-01-2024 16:26

240115-txs6fscbg2 10

15-01-2024 13:40

240115-qywfeshga6 10

14-01-2024 10:22

240114-mecbnahcd2 10

13-01-2024 02:49

240113-dbhjtsaffr 10

Analysis

max time kernel
1801s
max time network
1806s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57c9479f9b4b3a71a8af9f8bfb7dda53.exe
Size

4.6MB
MD5

57c9479f9b4b3a71a8af9f8bfb7dda53
SHA1

789dad79552581e4b24cb0b57d36aba44200041d
SHA256

c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
SHA512

1814f3ea07929ae2ee522d13812fd434ce526e27ae44a272e44d80d2712179db147250c942bf02714d912794e96aa40f1526d5163e2f8d1133d64a89dae834c5
SSDEEP

98304:xvCvLUBsgObqoJ9Gc8Jgm+JfewzfSAE9ql4WQAVFOKNPi7QZW4/A:xcLUCgObqq9Umm+JjzfVEw4WLZWaA

Score

10^/10

nullmixer privateloader risepro smokeloader socelars vidar 706 pub6 aspackv2 backdoor discovery dropper loader persistence spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://znegs.xyz/

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023221-14.dat	family_socelars
behavioral1/files/0x0006000000023221-17.dat	family_socelars
behavioral1/files/0x0006000000023221-18.dat	family_socelars
behavioral1/files/0x0006000000023227-104.dat	family_socelars
behavioral1/files/0x0006000000023227-100.dat	family_socelars
behavioral1/memory/1152-169-0x0000000000400000-0x0000000000BD8000-memory.dmp	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/3204-151-0x0000000002FA0000-0x000000000303D000-memory.dmp	family_vidar
behavioral1/memory/3204-167-0x0000000000400000-0x0000000002CC9000-memory.dmp	family_vidar
behavioral1/memory/2456-109-0x0000000002D90000-0x0000000002E90000-memory.dmp	family_vidar
behavioral1/memory/3204-267-0x0000000000400000-0x0000000002CC9000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000600000002321d-20.dat	aspack_v212_v242
behavioral1/files/0x0007000000023214-28.dat	aspack_v212_v242
behavioral1/files/0x000600000002321f-29.dat	aspack_v212_v242
behavioral1/files/0x000600000002321f-25.dat	aspack_v212_v242
behavioral1/files/0x0007000000023214-27.dat	aspack_v212_v242
behavioral1/files/0x0007000000023214-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	57c9479f9b4b3a71a8af9f8bfb7dda53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	748a9adc6801b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2e7285fd71.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	9a3e880c6937.exe

Executes dropped EXE 20 IoCs

pid	Process
1152	setup_install.exe
4076	2e7285fd71.exe
432	1ac1015ba6795c5.exe
2456	66c299e192.exe
3204	eb1988139610f343.exe
2188	748a9adc6801b4.exe
1656	e2fc75078.exe
3520	9a3e880c6937.exe
4492	dc6e317b9.exe
3752	1cr.exe
3700	TrustedInstaller.exe
2724	2e7285fd7010.exe
4996	chrome2.exe
380	2e7285fd71.exe
4880	setup.exe
5040	winnetdriv.exe
2896	BUILD1~1.EXE
3944	hwhhuuu
1272	hwhhuuu
1256	hwhhuuu

Loads dropped DLL 6 IoCs

pid	Process
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ac1015ba6795c5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ipinfo.io
30	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4800	1152	WerFault.exe	91

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66c299e192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66c299e192.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwhhuuu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66c299e192.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eb1988139610f343.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	eb1988139610f343.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	2e7285fd7010.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	2e7285fd7010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2e7285fd7010.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da65c00000001000000040000000010000020000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2e7285fd7010.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2e7285fd7010.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	66c299e192.exe
2456	66c299e192.exe
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3508	Process not Found

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2456	66c299e192.exe
3944	hwhhuuu
1272	hwhhuuu
1256	hwhhuuu

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	e2fc75078.exe
Token: SeCreateTokenPrivilege	2724	2e7285fd7010.exe
Token: SeAssignPrimaryTokenPrivilege	2724	2e7285fd7010.exe
Token: SeLockMemoryPrivilege	2724	2e7285fd7010.exe
Token: SeIncreaseQuotaPrivilege	2724	2e7285fd7010.exe
Token: SeMachineAccountPrivilege	2724	2e7285fd7010.exe
Token: SeTcbPrivilege	2724	2e7285fd7010.exe
Token: SeSecurityPrivilege	2724	2e7285fd7010.exe
Token: SeTakeOwnershipPrivilege	2724	2e7285fd7010.exe
Token: SeLoadDriverPrivilege	2724	2e7285fd7010.exe
Token: SeSystemProfilePrivilege	2724	2e7285fd7010.exe
Token: SeSystemtimePrivilege	2724	2e7285fd7010.exe
Token: SeProfSingleProcessPrivilege	2724	2e7285fd7010.exe
Token: SeIncBasePriorityPrivilege	2724	2e7285fd7010.exe
Token: SeCreatePagefilePrivilege	2724	2e7285fd7010.exe
Token: SeCreatePermanentPrivilege	2724	2e7285fd7010.exe
Token: SeBackupPrivilege	2724	2e7285fd7010.exe
Token: SeRestorePrivilege	2724	2e7285fd7010.exe
Token: SeShutdownPrivilege	2724	2e7285fd7010.exe
Token: SeDebugPrivilege	2724	2e7285fd7010.exe
Token: SeAuditPrivilege	2724	2e7285fd7010.exe
Token: SeSystemEnvironmentPrivilege	2724	2e7285fd7010.exe
Token: SeChangeNotifyPrivilege	2724	2e7285fd7010.exe
Token: SeRemoteShutdownPrivilege	2724	2e7285fd7010.exe
Token: SeUndockPrivilege	2724	2e7285fd7010.exe
Token: SeSyncAgentPrivilege	2724	2e7285fd7010.exe
Token: SeEnableDelegationPrivilege	2724	2e7285fd7010.exe
Token: SeManageVolumePrivilege	2724	2e7285fd7010.exe
Token: SeImpersonatePrivilege	2724	2e7285fd7010.exe
Token: SeCreateGlobalPrivilege	2724	2e7285fd7010.exe
Token: 31	2724	2e7285fd7010.exe
Token: 32	2724	2e7285fd7010.exe
Token: 33	2724	2e7285fd7010.exe
Token: 34	2724	2e7285fd7010.exe
Token: 35	2724	2e7285fd7010.exe
Token: SeDebugPrivilege	3700	TrustedInstaller.exe
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeCreateGlobalPrivilege	4788	dwm.exe
Token: SeChangeNotifyPrivilege	4788	dwm.exe
Token: 33	4788	dwm.exe
Token: SeIncBasePriorityPrivilege	4788	dwm.exe
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeCreateGlobalPrivilege	1588	dwm.exe
Token: SeChangeNotifyPrivilege	1588	dwm.exe
Token: 33	1588	dwm.exe
Token: SeIncBasePriorityPrivilege	1588	dwm.exe
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3508	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1152	2152	57c9479f9b4b3a71a8af9f8bfb7dda53.exe	91
PID 2152 wrote to memory of 1152	2152	57c9479f9b4b3a71a8af9f8bfb7dda53.exe	91
PID 2152 wrote to memory of 1152	2152	57c9479f9b4b3a71a8af9f8bfb7dda53.exe	91
PID 1152 wrote to memory of 1348	1152	setup_install.exe	122
PID 1152 wrote to memory of 1348	1152	setup_install.exe	122
PID 1152 wrote to memory of 1348	1152	setup_install.exe	122
PID 1152 wrote to memory of 5104	1152	setup_install.exe	121
PID 1152 wrote to memory of 5104	1152	setup_install.exe	121
PID 1152 wrote to memory of 5104	1152	setup_install.exe	121
PID 1152 wrote to memory of 1108	1152	setup_install.exe	120
PID 1152 wrote to memory of 1108	1152	setup_install.exe	120
PID 1152 wrote to memory of 1108	1152	setup_install.exe	120
PID 1152 wrote to memory of 1472	1152	setup_install.exe	119
PID 1152 wrote to memory of 1472	1152	setup_install.exe	119
PID 1152 wrote to memory of 1472	1152	setup_install.exe	119
PID 1152 wrote to memory of 932	1152	setup_install.exe	94
PID 1152 wrote to memory of 932	1152	setup_install.exe	94
PID 1152 wrote to memory of 932	1152	setup_install.exe	94
PID 1152 wrote to memory of 1980	1152	setup_install.exe	95
PID 1152 wrote to memory of 1980	1152	setup_install.exe	95
PID 1152 wrote to memory of 1980	1152	setup_install.exe	95
PID 1152 wrote to memory of 3576	1152	setup_install.exe	128
PID 1152 wrote to memory of 3576	1152	setup_install.exe	128
PID 1152 wrote to memory of 3576	1152	setup_install.exe	128
PID 1152 wrote to memory of 3840	1152	setup_install.exe	117
PID 1152 wrote to memory of 3840	1152	setup_install.exe	117
PID 1152 wrote to memory of 3840	1152	setup_install.exe	117
PID 1152 wrote to memory of 5056	1152	setup_install.exe	97
PID 1152 wrote to memory of 5056	1152	setup_install.exe	97
PID 1152 wrote to memory of 5056	1152	setup_install.exe	97
PID 1152 wrote to memory of 216	1152	setup_install.exe	96
PID 1152 wrote to memory of 216	1152	setup_install.exe	96
PID 1152 wrote to memory of 216	1152	setup_install.exe	96
PID 1348 wrote to memory of 4076	1348	cmd.exe	98
PID 1348 wrote to memory of 4076	1348	cmd.exe	98
PID 1348 wrote to memory of 4076	1348	cmd.exe	98
PID 932 wrote to memory of 432	932	cmd.exe	116
PID 932 wrote to memory of 432	932	cmd.exe	116
PID 5104 wrote to memory of 2456	5104	cmd.exe	114
PID 5104 wrote to memory of 2456	5104	cmd.exe	114
PID 5104 wrote to memory of 2456	5104	cmd.exe	114
PID 1472 wrote to memory of 3204	1472	cmd.exe	113
PID 1472 wrote to memory of 3204	1472	cmd.exe	113
PID 1472 wrote to memory of 3204	1472	cmd.exe	113
PID 1108 wrote to memory of 2188	1108	cmd.exe	115
PID 1108 wrote to memory of 2188	1108	cmd.exe	115
PID 1108 wrote to memory of 2188	1108	cmd.exe	115
PID 5056 wrote to memory of 4492	5056	cmd.exe	112
PID 5056 wrote to memory of 4492	5056	cmd.exe	112
PID 3840 wrote to memory of 1656	3840	cmd.exe	111
PID 3840 wrote to memory of 1656	3840	cmd.exe	111
PID 1980 wrote to memory of 3520	1980	cmd.exe	109
PID 1980 wrote to memory of 3520	1980	cmd.exe	109
PID 1980 wrote to memory of 3520	1980	cmd.exe	109
PID 3576 wrote to memory of 3700	3576	svchost.exe	127
PID 3576 wrote to memory of 3700	3576	svchost.exe	127
PID 432 wrote to memory of 3752	432	1ac1015ba6795c5.exe	107
PID 432 wrote to memory of 3752	432	1ac1015ba6795c5.exe	107
PID 432 wrote to memory of 3752	432	1ac1015ba6795c5.exe	107
PID 216 wrote to memory of 2724	216	cmd.exe	99
PID 216 wrote to memory of 2724	216	cmd.exe	99
PID 216 wrote to memory of 2724	216	cmd.exe	99
PID 2188 wrote to memory of 4996	2188	748a9adc6801b4.exe	105
PID 2188 wrote to memory of 4996	2188	748a9adc6801b4.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\57c9479f9b4b3a71a8af9f8bfb7dda53.exe
"C:\Users\Admin\AppData\Local\Temp\57c9479f9b4b3a71a8af9f8bfb7dda53.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\7zS86858F27\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS86858F27\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 1ac1015ba6795c5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\7zS86858F27\1ac1015ba6795c5.exe
      1ac1015ba6795c5.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        5⤵
        Executes dropped EXE
        
        PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 9a3e880c6937.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\7zS86858F27\9a3e880c6937.exe
      9a3e880c6937.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 2e7285fd7010.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\7zS86858F27\2e7285fd7010.exe
      2e7285fd7010.exe
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dc6e317b9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\7zS86858F27\dc6e317b9.exe
      dc6e317b9.exe
      4⤵
      Executes dropped EXE
      PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 500
    3⤵
    - Program crash
    PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e2fc75078.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c fcc788d66.exe
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eb1988139610f343.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 748a9adc6801b4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 66c299e192.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 2e7285fd71.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348

C:\Users\Admin\AppData\Local\Temp\7zS86858F27\2e7285fd71.exe
2e7285fd71.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4076
- C:\Users\Admin\AppData\Local\Temp\7zS86858F27\2e7285fd71.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS86858F27\2e7285fd71.exe" -a
  2⤵
  - Executes dropped EXE
  PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1152 -ip 1152
1⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4880
- C:\Windows\winnetdriv.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1705227877 0
  2⤵
  - Executes dropped EXE
  PID:5040

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
1⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\AppData\Local\Temp\7zS86858F27\fcc788d66.exe
fcc788d66.exe
1⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\7zS86858F27\e2fc75078.exe
e2fc75078.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\7zS86858F27\eb1988139610f343.exe
eb1988139610f343.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3204

C:\Users\Admin\AppData\Local\Temp\7zS86858F27\66c299e192.exe
66c299e192.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2456

C:\Users\Admin\AppData\Local\Temp\7zS86858F27\748a9adc6801b4.exe
748a9adc6801b4.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2724 -ip 2724
1⤵
PID:4808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4932

C:\Users\Admin\AppData\Roaming\hwhhuuu
C:\Users\Admin\AppData\Roaming\hwhhuuu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3944

C:\Users\Admin\AppData\Roaming\hwhhuuu
C:\Users\Admin\AppData\Roaming\hwhhuuu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1272

C:\Users\Admin\AppData\Roaming\hwhhuuu
C:\Users\Admin\AppData\Roaming\hwhhuuu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Y1IO78ZW4VVY9G32PVISDZYJO\06e98980-15b5-4d19-8f6d-e648d137a4183446231124.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\1ac1015ba6795c5.exe

Filesize
205KB

MD5
e002e795ccd2b3c2c89ff8dc7ed6ec54

SHA1
5adbd083991f771c7a64d2f22e1b4ed7cfd70665

SHA256
bbcf6ba9f88d5cfcd804cdd71e159db55f6b5571197da4b790fd00feef54fa5a

SHA512
4bf309ce1165510b45f88c9e22feb6711182f1c88ee6a85b8f9f6d6c23b85816fec0cebd407adbc17514c8afdbe2a276ab2205432edba19672e04553f9f9c44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\1ac1015ba6795c5.exe

Filesize
216KB

MD5
566a71583256774710779939dea73e43

SHA1
8fa33a3e8df91143d831002f1c504ace1e5c6e25

SHA256
76b33f77b4ecb676864fd90735af6cb55d023228a98296c319d15811d27f6f96

SHA512
b48bb97b8b1b109bc107db2871ffac695494e96e07070a9546c0daee3c8f5354bcf8cbec9eb60fef0163992319625a6df046d113c867d5abcdf20544791e18c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\2e7285fd7010.exe

Filesize
43KB

MD5
7f370cda8b16e7be2d68169b6a1aa63d

SHA1
702f8ceacb9445c21eb653ccb7626d3b08d8dd81

SHA256
4fecc3284a4083adc6a01c61b1cdf1d6f9ece505ef6a2e3d1f415f47ab955d4a

SHA512
d48a571b0b5d8e066a5efbab155308104ddfc43bbe23f5cb244c0d1959f440af4882cfe6fbec7b085fb51f89ebd2785dec154b9ff940cd286b170d888fad982b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\2e7285fd7010.exe

Filesize
42KB

MD5
12a4c9e0bd3cbfcc37110b2331ab599a

SHA1
3713a56879ed042389efa3a81acfb99f4bddf9d0

SHA256
4b4cf47090b441421045e6fd9311d71c92131631c7df4d23cea91a1650f9fec9

SHA512
d552b591f9708ca8ca0491adb95d3fc9b6d6fcb541cd04876e6d9e8d924d216b63ffb5cb0614a3498d016381f1aeb4e3a99ea4f31f5704559cc3c0ff23e39556

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\2e7285fd71.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\66c299e192.exe

Filesize
127KB

MD5
48f6bb759f432f7902d6405fa1941c03

SHA1
d3cce1f308196950880a8137abfc6b31b8ab5a78

SHA256
aa3dd0ac22d2f5387f9b59975d577d31c6e2953d13d428b1fa805d303860181b

SHA512
a2484df4fdf7f7919cc9c4cb76d4e3f66a5a1fcaceac2c239c738f1c68a39654cdaa81919f7144717a2cd0106b0dcd5ebb44464b2f62fbbf071a83397a04956a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\66c299e192.exe

Filesize
189KB

MD5
92c1bef533eed28274451b97525c3dc8

SHA1
f49a8f8850e7fb33d1c535a68751aa2bcaf813d7

SHA256
54c41fe5da57058906abed0b0bad21e2303ecc4e20d539fe9aa08d0b4f5f9d32

SHA512
5096c580665ca149b685d403163b47d9ddcd51f95a01858e9fec69f97857c7b22436f2bf5b458f015e289a99edbfcd54f0254b428f818aec34cb23825e980c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\748a9adc6801b4.exe

Filesize
121KB

MD5
75cd4107b3f3f4b5feefb62e60f46d74

SHA1
e75ea298d2477aee015cbd8ee4134200916c9979

SHA256
e94521ce77c6169ce70cdfc76c1bbd616642d220a6f1cf5b0a4839e8ddb6e308

SHA512
76d19f596c4db82b0808a201a7eb79347ddaaf59dda0b45f420aaa5f9043f6ebb6f45c5a9122f365d6e4a22b88b155b87e707c6219a714d14806ef4f75c67e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\748a9adc6801b4.exe

Filesize
147KB

MD5
96f18a0ac5493469cfa697821acb0aba

SHA1
f56f5d647b3c6e1036c172aa2cbb2864960faa45

SHA256
b8ee791719427179699f49df6b0d7063eecf58d52b6e40bdd8587742e0b1e2e6

SHA512
b0f981b4ee45a3ee82c8cab9faba068825fd2a17e69ddc8a98d5a05fa1cbda3eadca25a563491b3746b00a85773ee923b21fd9ca8f4fff30952bbe9d91b4165c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\9a3e880c6937.exe

Filesize
175KB

MD5
64909982b45887773380fad5ca63117c

SHA1
b26c291b374367c82c223eecf01beadea47e4f50

SHA256
e67518356c813ba65e004150e70a9ce2655db383dd765035f17c222a5640a7eb

SHA512
eb7c1f7c06271e8b31b49e887c4c90eaf57679d0d6747d0c4c43d739334756a5443c7ae8d6cc8ce73db3d5fe911f86884be7bd8aa49ffa845f3537c3c72712a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\9a3e880c6937.exe

Filesize
185KB

MD5
ea20371fa62f39991825969886018e37

SHA1
8bc63b562666e513464f7af68f68b978c2588c67

SHA256
11dd94bf32451a47b59c18f511106de46e52b0fb769f161ac0910fdd0780796a

SHA512
04062cae3b12bbbe0a89535d90400ef4b6e5439761ba37656bbae9b541482b5617ed2484628b4b1e74f05995f2f8587d8070948226341b05e96d48b8831b4772

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\dc6e317b9.exe

Filesize
181KB

MD5
4453ec34f60166ff3fb140e9ea4bdc57

SHA1
e165dbcc1b65983ec6a2bf5b6d63bfdb7c191587

SHA256
31ceee33a72667143423476b2c0a7bb5cf11ac837b5536981bad97a63816a2c9

SHA512
d16fa6711497fe21298a558493752d98913a07a35c64f22382cf48107e51370749c05cba6717bbb5bc304518cfcfa9939007edb7f7574af1bf73d0522ed5d127

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\dc6e317b9.exe

Filesize
62KB

MD5
94c9f6ee4fe58f700247e998f0f725e7

SHA1
f27859af0dbcc6ca64fb4906ad8d50be71f6b74a

SHA256
73bd2fa744fd3a29a6af6a727c9db529504ead75ac8896a4c134447bc52d4231

SHA512
222b3c7b08b5ad6eaaa433c62a2383a7ff2423e13de26460fcf876db34531f99008d742cc7d0aaa9635af4cfdcdd9b1c54102fd6afacdf69fe426feca666d62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\e2fc75078.exe

Filesize
8KB

MD5
7aaf005f77eea53dc227734db8d7090b

SHA1
b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

SHA256
a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71

SHA512
19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\eb1988139610f343.exe

Filesize
101KB

MD5
1a784811ce0b2c2c53a5eb742189e427

SHA1
db3098224b80c68bfdb001e8a92d64ceb96ef434

SHA256
5accccf7fa464205c4d435dfb34f7d3f4ead77fbe4d4044976a936f9065e8a7c

SHA512
1cb7cde5e4112899923a5dc63588792497e3195ee5d0275c0e3762634c0a5c70895cece555614bd00148f27ba3362bcf21d7134c9b1fe154e1c6ae358e6957bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\eb1988139610f343.exe

Filesize
117KB

MD5
c58272b0bdb77388ea7e124f218b354a

SHA1
9e02b82636b144f9ad76f4dd3dba6353c7255dac

SHA256
fe464d68ee66ef10ce07a2270185b91e8db0c0897ef507b91befdbffae2d8aa1

SHA512
f20cded3bbc6af9399749405e4e16d3d9d67a33a861c816bbd0d20d4bfe87cb7e08c1a9b37846b8e181184b5b72d667fdabde5979aea71fbe71a46e131f26f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\fcc788d66.exe

Filesize
20KB

MD5
aab80303f5c30f7b1388a98493fbf98e

SHA1
e79e12e6016f86608d15d88d93f28b35f6c375ce

SHA256
a937def4045457920c049495fca2468d6bf63d72ac18d7d679bced8eb3ecf5e5

SHA512
fd5049734ecfab5c2421b151a6fbe6af56ea9c15da328518f563251b7ec248be8057525cf1767d72d6a07ccb0532e235e652ea710ad86e077dbdf493770c2bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\fcc788d66.exe

Filesize
34KB

MD5
e77b5054f0c90c968cff7a2245e707cc

SHA1
3981b6429410f610bcb12e234cecb2cd01f1acd1

SHA256
f7a9d47e1dc1ad54006943a4cbde9af20cc95548d69417c879ea97ae93469c85

SHA512
702a256d92c910683c8b4fe3434ac83b3c466c111a0e688abf20833e5d5e269d7a1e3453ef8d8eb9110d911646f4433a523ea321b7af7dac692d988812dcb1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libcurl.dll

Filesize
88KB

MD5
1ed5ff1b3a0db29743d096e5fc8cfee1

SHA1
c0d886d42b71f3f5fb8a7ab103b4dc40a78a52de

SHA256
3d4937d0335156e34dc86f2cc7f87c6ae1dd29d6a64931a149a64a3ebe460d05

SHA512
e636bfd0e21cb9a621110a69c21dc9f255a75edff4e49ed6cb5b4a9a054ce909f5a59a5ccb0f1196ad10eb595e64251d122a67c8184760f9b0c63fc719b880a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libcurl.dll

Filesize
138KB

MD5
9c82aba09a5154e8bc6b15c773f67fe6

SHA1
7709e1a1fd1348f41a7e626f79fc9d782186bbd7

SHA256
e3f9aa6d4a4176108ae361908b3cb69886aa60f58aa6aedd8067e377d0a6bb3b

SHA512
c6844f5f2aaa2af2e72751f83f72377486e67b10a7967579f7e691fdf49f6f5f9f556867be1678dddf05aa744e208d468c35fef66e1d6df87254b097047f2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libcurl.dll

Filesize
121KB

MD5
7f51cc8a25d3f786226042d3ef219205

SHA1
fdb1b34b1f83a63f69d9bae1e905b1254001dd71

SHA256
01265c09c2c1740eac2fe9db898e0a2c730929c52f85ad2bf256ad865a6b1164

SHA512
ebf32274c7729673507ac33ba185294bd4e9358ce2124b404e89f735ad1a321ff627fc5306888547782d39eaf5f079d2774a9b72b87ad667449c53ab1c910460

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libgcc_s_dw2-1.dll

Filesize
92KB

MD5
4ad181bae2435254c5a6964f170da140

SHA1
a4a10c9f8960b04db3082fd91e262a0f93052859

SHA256
cf8c5df290a07ded0fa75a553f2f70e3d9c7251e7e309f59e71c786a22c82e12

SHA512
1ca1e447b75da5abd3bbc6f8199fefa65434bd964b5981b3ef5fd9a652f485bc399f59f1c40e20860a3ca8b4cd92fbff906d9e6bbe169fa9010db22725bd8535

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libstdc++-6.dll

Filesize
127KB

MD5
a7e99c02126c74ad1a5eba26a4c1a0b8

SHA1
a4553c7cc820f58cfa23326a9264733a47f9b6f3

SHA256
e2eb0237d2aa737a9675d7511722aadac783e3ca460a9633e8278d1c6526e415

SHA512
eff7747d54210eeac1e930821431e90389c986ae89384dcda146af3bde4ae45b3f65951e7bcd122d04d4cdbc4411197467203b1bd99c1d6674d533a904500437

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libstdc++-6.dll

Filesize
122KB

MD5
5880ae32ad76c06295ba3ff1c0a24374

SHA1
473a29a582dcf6f4d3a6ecb1aab2201581477380

SHA256
6c597c191e120ad7c12b0db35c1de78a3f1a70a4c7ca02a2820b812baab24dc3

SHA512
b51bfdc9d51910298c9be865c8dd478d683e7b9ec345e58b67e9e9c19f8fe9f354060c4e043ac67933c8a0ae9a5d349461299a774a39621bce1ad2baa966279a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\setup_install.exe

Filesize
1.7MB

MD5
187f95c9fba6483a3ee0970d6caef33f

SHA1
3b38adae28bc8dd023c4e35eb8b1420b30ba3cb2

SHA256
a040f07cd336c4557f88e4f7ede57ca4478d4be94133492761cce04224356c8e

SHA512
8dd3d55bee594557843b2cb530d33f76144b371831f102e56a7a745b858c52803897da53dff1cd50817dde219541b21c4a473be0fa92d0a67bbe73b0313a6e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\setup_install.exe

Filesize
539KB

MD5
85cf7262fd5df48fe7a552ae674a27eb

SHA1
4dafef52ed943fb19a94b5710525f0f5b8887d17

SHA256
dba18d835e5e833e5746d6f737b3c13b644f7c1a61e33f0fe4d46a95de4371ed

SHA512
7ac0fad4e6963ede159eade5f371d073f72576ff12dd9631f32f5b4919281120bd4d2a0f94fa9d9a16c2106d263593bdfe75d8ed3d35eb9eae523cfb9180ce8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS86858F27\setup_install.exe

Filesize
169KB

MD5
11d8ef10fde3392ef0276860f35ab51f

SHA1
606e81a3ff3c5e687801236bd38421070987bc85

SHA256
355e46e4023cc4e689cdee8af0707a5809f7b910cac18901e19267878ebf313c

SHA512
40f97ea2fbb678e810e15f48b73c12c07142f514d73d9c01492192d1bea7233535ccf153d8283db571df3161f1f89b2d0492edbd0969dff242f380e63957a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Filesize
17KB

MD5
b2703c5d0e742d2d008f664012ae4721

SHA1
9464d873d06299b0baf63698d41182bb906351d7

SHA256
da2116cfd010a607a5836b06d37f8ca9a65aaf0aa18b5568c738caba930a0b80

SHA512
dfd87e30a56d844e1fb0a39893660f06e8a56c00afff946e9855270d3412bb6bae6bfffc761454ac79e8b3a0f878a0c092f5907be460743da43f1a7b53825da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Filesize
196KB

MD5
888866b6bca367691dd63bb1f16a19a9

SHA1
8705c4195e35598169c1d7c8a3d3e6cd706b7584

SHA256
f017a0eef5b6edfbe1d2b72ff8421e1ddc16245e082e947daf759ccc53fa3efc

SHA512
f1877c60ce83c5e354ea26b7e5b9fdc00637ad27ce0760c515369dce5a009590128efaf4a93d37ae9cccbfc4267fd369f31468b3a33bb2a5473abe756e6d9179

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

Filesize
70KB

MD5
e15ed2f04d75b0789d55af54e9d6e7b6

SHA1
1e3160472241951289677e502dbc11ab454aa6d9

SHA256
65725ada06c06f58e5c5e8a47999ed075a958ee6f212b200db2f62f6f228082c

SHA512
7968035cd83b391275d7014b83b61189fd1189483700fc4bdc96ed63f5627af1e4e4946708a7bdcc03929a960794050308b9650adb26ef61d2ebf825e6263dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

Filesize
117KB

MD5
a628baa97881fa5528009c9470cadee0

SHA1
583aa730e302fe0015cdb0dee4e279f193d66d87

SHA256
e2bb9ee3616cd827cc3ee297cbe24cfbd2ded4d9efe894e68453f6cfbf18e4c5

SHA512
c84e496e13d30c24efd020f25f4cd55b6157feb529f7285d97445c386fd50a50e943b0f67745a861a97c5bf0c4ff7dee7b5240d52c59b66421a9bdc26de58faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

Filesize
42KB

MD5
02073fc510ba32b3c5ddc7e401ac0c83

SHA1
5246edb3fa6165e6a868e74a0e2d81454078d182

SHA256
a9bbdf74403ecb52c5294fc3150c64b05527335638765646cb7176459a99e449

SHA512
f617a997838dcab02e4737c0aeefd02037b3b72efc3a1c02ee31186ea8e80e751224803692451aa0b4daff10eff8a2a0b7ebc704b214fd424d0852bf82964960

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
20KB

MD5
75c2f10ef0b55a3c3a92a775d72723f1

SHA1
c7dd6ba424ade190b2a31b1595c9f555b6adb2ec

SHA256
661e7c38afddb37325dea16d4872d48ad38fe3ad793b8536168fa25246171745

SHA512
3e70ac463d1816bcdc74d9526242157166c83cb66cb3be7a73bf17c504616cf034642fbed24b6d5f1fdaec3b69c0ac882b321f739e64b0a0dbb59c91a7c6aae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
130KB

MD5
4c32174967fdb01f787bb8e1cb7569d0

SHA1
ebcf646bdb9296d762f47df9d7aec434ad00bee6

SHA256
f18b2a17616e17dc604d775f3452953379e78ed8e88d202d2a1b9a1369fc91a6

SHA512
73f95db253f6871a5435bcae9fc1c1139bbd67d01753ae0e42b464b10e7248039c685adf8e8daaac96b63428a6e01ba4d4b9fe98928cff1e5d9aa67ed727fd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
21KB

MD5
a6e4cab21a83e15dc0125660de492ac0

SHA1
4fbf385a3937cc3f75c6a9292fc7b3ae0dc80336

SHA256
9895b752301a9fafe5d7dda4521c562d29c5195ea9b17df67da2b18c8e55f0d2

SHA512
399e1c063b111ae1922c2e8db9fb064754c88f0622bd9f02c97b59d312155a57706affe820b7bafd24e8b8577624958bf648f30ca2637cd7b3987c767a41ede6

Download Submit
C:\Users\Admin\AppData\Roaming\hwhhuuu

Filesize
31KB

MD5
6bd0381cf6d30a86624bff7966f1d26a

SHA1
f66a80e390996a854436ebae4a5f540d5dad16e0

SHA256
18841695af298498e2239bc7b759f4a77c05112eae833bab2fdb21a7b0759753

SHA512
6f238189a4d3600c207930944c53a41fb02b6bd3c352169f69432460c260408b6c397681e04e69d51ae8d39b5f7058245dac0f201ba95cf6c2b69af5cb4a1f2f

Download Submit
C:\Users\Admin\AppData\Roaming\hwhhuuu

Filesize
222KB

MD5
2f581d722cd1c7cc9f9c29569c7d32b1

SHA1
deb8843ca6bf82ad0e141c886ba2332c14d0eab7

SHA256
b91ab30061e7c4bcf5249492c5d9216d03f848561e8ed46e0dfc818298ebebdd

SHA512
005c9d8445f66e3ea2e28568eb5b80fe641293ac44f0774ecda1c6e6f8daa70ee4004958c3941565d44971062d30fb5a9efc991a2865a843197c5d7b0506c0bf

Download Submit
C:\Windows\winnetdriv.exe

Filesize
32KB

MD5
19389ef220b4f0bb0b4f644b9e4067d1

SHA1
639f209fa7c52f782e037de681959dd7bd2ec293

SHA256
c053280f0cdf89dc3aea05f2e9859cf6d91df7c10c7601f727558ddcf85114bc

SHA512
6d7b83d05cd864482bb7673b229c8fa61b7109767cf1c4d1ceab8a49b4ffe2f0a8d8001030f4564d900b003e1c482bef5bbff77ba5795d06489dbaa7e12b9fe9

Download Submit
C:\Windows\winnetdriv.exe

Filesize
82KB

MD5
7d833e25d2c4da7bbed9f9b6090ff451

SHA1
030a445851140eb36696cac4610f1cf53fc382df

SHA256
adbe656cd724116c060bf730c69f84a601ee092ef872806bb4ab3c16f784570f

SHA512
07fc82ccfc914988222a72659efc68e5a60b80b69ebf9090bae707a34a0f276104fd1013cb25e43efec60564d0bcd4a07a5a0be286000a82ef2f35ff8a40a2ca

Download Submit
memory/1152-38-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1152-36-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1152-30-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1152-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1152-35-0x00000000015E0000-0x000000000166F000-memory.dmp

Filesize
572KB

Download
memory/1152-39-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1152-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1152-31-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1152-42-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1152-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1152-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1152-169-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1152-171-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1152-173-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1152-174-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1152-172-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1152-170-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1152-37-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1152-34-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1256-450-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

Filesize
1024KB

Download
memory/1256-451-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/1256-457-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/1272-370-0x0000000002C70000-0x0000000002D70000-memory.dmp

Filesize
1024KB

Download
memory/1272-371-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/1272-377-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/1656-107-0x00007FFDB0F10000-0x00007FFDB19D1000-memory.dmp

Filesize
10.8MB

Download
memory/1656-203-0x000000001B420000-0x000000001B430000-memory.dmp

Filesize
64KB

Download
memory/1656-102-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/1656-144-0x000000001B420000-0x000000001B430000-memory.dmp

Filesize
64KB

Download
memory/2188-143-0x0000000073AF0000-0x00000000742A0000-memory.dmp

Filesize
7.7MB

Download
memory/2188-99-0x0000000000C30000-0x0000000000D1E000-memory.dmp

Filesize
952KB

Download
memory/2456-111-0x0000000002CF0000-0x0000000002CF9000-memory.dmp

Filesize
36KB

Download
memory/2456-137-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/2456-109-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/2456-186-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/3204-149-0x0000000003050000-0x0000000003150000-memory.dmp

Filesize
1024KB

Download
memory/3204-204-0x0000000003050000-0x0000000003150000-memory.dmp

Filesize
1024KB

Download
memory/3204-151-0x0000000002FA0000-0x000000000303D000-memory.dmp

Filesize
628KB

Download
memory/3204-267-0x0000000000400000-0x0000000002CC9000-memory.dmp

Filesize
40.8MB

Download
memory/3204-167-0x0000000000400000-0x0000000002CC9000-memory.dmp

Filesize
40.8MB

Download
memory/3508-184-0x0000000002870000-0x0000000002886000-memory.dmp

Filesize
88KB

Download
memory/3508-292-0x00000000027E0000-0x00000000027F6000-memory.dmp

Filesize
88KB

Download
memory/3700-112-0x0000000002E70000-0x0000000002E90000-memory.dmp

Filesize
128KB

Download
memory/3700-123-0x0000000002E50000-0x0000000002E56000-memory.dmp

Filesize
24KB

Download
memory/3700-190-0x00007FFDB0F10000-0x00007FFDB19D1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-115-0x00007FFDB0F10000-0x00007FFDB19D1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-105-0x0000000000DC0000-0x0000000000DEC000-memory.dmp

Filesize
176KB

Download
memory/3700-108-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/3752-110-0x0000000000F20000-0x0000000001062000-memory.dmp

Filesize
1.3MB

Download
memory/3752-147-0x0000000073AF0000-0x00000000742A0000-memory.dmp

Filesize
7.7MB

Download
memory/3752-131-0x0000000005C80000-0x0000000005D1C000-memory.dmp

Filesize
624KB

Download
memory/3752-205-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3752-168-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3752-114-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/3752-113-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/3752-125-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/3752-189-0x0000000005340000-0x0000000005352000-memory.dmp

Filesize
72KB

Download
memory/3944-289-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/3944-293-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/3944-290-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/4880-141-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4996-154-0x00007FFDB0F10000-0x00007FFDB19D1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-129-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download