cobaltstrike | dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27

Analysis

max time kernel
153s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-01-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
Size

360KB
MD5

3d838159fdfcb5c26cec948f8687a0d1
SHA1

a4d569ebe607a080378401452f3b5855394bd791
SHA256

dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27
SHA512

db35a78f4e5ef9429850a97c65c60a3d1b0db6feea150b2b49a21071e5c2840c2ed79d9deeaffe8ad4cda15bb6d518c4d4387f447b1cc24bbd62fe96394dd219
SSDEEP

6144:a8v9b3uzTMu3PJFrafXjiLQhdYTitPuIjMsUVPbrnjPKohULB9OT:a8vpKTMu3z+fXQQhOT7IjEXmoWN9

Score

10^/10

cobaltstrike 100000 backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

http://update.microsoftwindows.biz:8443/api/2

Attributes

user_agent
Host: update.microsoftwindows.biz User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

100000

http://update.microsoftwindows.biz:8443/api/3

Attributes

access_type
512
beacon_type
2048
host
update.microsoftwindows.biz,/api/3
http_header1
AAAAEAAAACFIb3N0OiB1cGRhdGUubWljcm9zb2Z0d2luZG93cy5iaXoAAAAHAAAAAAAAAAMAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAACFIb3N0OiB1cGRhdGUubWljcm9zb2Z0d2luZG93cy5iaXoAAAAHAAAAAAAAAAwAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfOAvlVEsRCS3UC6+JcnuZD+f2HjE5TMA2p+lWq3cVWz/RlxpBh9PVCQLgrRUSEuQ6cDA0x93WPF3rCrJkOvddDcSdUx/YRhOPY1r+/A4KXMdj70vU0fO/gLFLjbZBMu7xEjopEdOtVq5+T4NFOE4BiwGtGAnGIOQ/zDt2bbahKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/4
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 2 IoCs

Processes:

WindowsDefenderActive.exeDefenderActiveProtect.exe

pid process

2952 WindowsDefenderActive.exe
2464 DefenderActiveProtect.exe
Loads dropped DLL 2 IoCs

Processes:

taskeng.exe

pid process

1380 taskeng.exe
1380 taskeng.exe

pid	process
2952	WindowsDefenderActive.exe
2464	DefenderActiveProtect.exe

pid	process
1380	taskeng.exe
1380	taskeng.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderActive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsDefenderActive.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefenderActiveProtect = "C:\\Users\\Public\\DefenderActiveProtect.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2796 schtasks.exe
2848 schtasks.exe
2996 schtasks.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2736 reg.exe
2732 reg.exe
2932 reg.exe

pid	process
2796	schtasks.exe
2848	schtasks.exe
2996	schtasks.exe

pid	process
2736	reg.exe
2732	reg.exe
2932	reg.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.execmd.execmd.execmd.execmd.execmd.execmd.exetaskeng.exe

description	pid	process	target process
PID 2264 wrote to memory of 2544	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2544	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2544	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2544 wrote to memory of 2796	2544	cmd.exe	schtasks.exe
PID 2544 wrote to memory of 2796	2544	cmd.exe	schtasks.exe
PID 2544 wrote to memory of 2796	2544	cmd.exe	schtasks.exe
PID 2264 wrote to memory of 2304	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2304	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2304	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2304 wrote to memory of 2736	2304	cmd.exe	reg.exe
PID 2304 wrote to memory of 2736	2304	cmd.exe	reg.exe
PID 2304 wrote to memory of 2736	2304	cmd.exe	reg.exe
PID 2264 wrote to memory of 2756	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2756	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2756	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2756 wrote to memory of 2848	2756	cmd.exe	schtasks.exe
PID 2756 wrote to memory of 2848	2756	cmd.exe	schtasks.exe
PID 2756 wrote to memory of 2848	2756	cmd.exe	schtasks.exe
PID 2264 wrote to memory of 2884	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2884	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2884	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2884 wrote to memory of 2732	2884	cmd.exe	reg.exe
PID 2884 wrote to memory of 2732	2884	cmd.exe	reg.exe
PID 2884 wrote to memory of 2732	2884	cmd.exe	reg.exe
PID 2264 wrote to memory of 2860	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2860	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2860	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2860 wrote to memory of 2996	2860	cmd.exe	schtasks.exe
PID 2860 wrote to memory of 2996	2860	cmd.exe	schtasks.exe
PID 2860 wrote to memory of 2996	2860	cmd.exe	schtasks.exe
PID 2264 wrote to memory of 2768	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2768	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2768	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2768 wrote to memory of 2932	2768	cmd.exe	reg.exe
PID 2768 wrote to memory of 2932	2768	cmd.exe	reg.exe
PID 2768 wrote to memory of 2932	2768	cmd.exe	reg.exe
PID 2264 wrote to memory of 2632	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2632	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2632	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2660	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2660	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2264 wrote to memory of 2660	2264	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 1380 wrote to memory of 2960	1380	taskeng.exe	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
PID 1380 wrote to memory of 2960	1380	taskeng.exe	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
PID 1380 wrote to memory of 2960	1380	taskeng.exe	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
PID 1380 wrote to memory of 2952	1380	taskeng.exe	WindowsDefenderActive.exe
PID 1380 wrote to memory of 2952	1380	taskeng.exe	WindowsDefenderActive.exe
PID 1380 wrote to memory of 2952	1380	taskeng.exe	WindowsDefenderActive.exe
PID 1380 wrote to memory of 2464	1380	taskeng.exe	DefenderActiveProtect.exe
PID 1380 wrote to memory of 2464	1380	taskeng.exe	DefenderActiveProtect.exe
PID 1380 wrote to memory of 2464	1380	taskeng.exe	DefenderActiveProtect.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
"C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\cmd.exe
cmd.exe /c schtasks /create /tn WinUpdate /tr C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe /sc minute /mo 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinUpdate /tr C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\cmd.exe
cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinUpdate /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinUpdate /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2736

C:\Windows\system32\cmd.exe
cmd.exe /c schtasks /create /tn WindowsDefenderActive /tr C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe /sc minute /mo 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\schtasks.exe
schtasks /create /tn WindowsDefenderActive /tr C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\cmd.exe
cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WindowsDefenderActive /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WindowsDefenderActive /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2732

C:\Windows\system32\cmd.exe
cmd.exe /c schtasks /create /tn DefenderActiveProtect /tr C:\Users\Public\DefenderActiveProtect.exe /sc minute /mo 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\schtasks.exe
schtasks /create /tn DefenderActiveProtect /tr C:\Users\Public\DefenderActiveProtect.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\cmd.exe
cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DefenderActiveProtect /t REG_SZ /F /D C:\Users\Public\DefenderActiveProtect.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DefenderActiveProtect /t REG_SZ /F /D C:\Users\Public\DefenderActiveProtect.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2932

C:\Windows\system32\cmd.exe
cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
2⤵
PID:2632

C:\Windows\system32\cmd.exe
cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe C:\Users\Public\DefenderActiveProtect.exe
2⤵
PID:2660

C:\Windows\system32\taskeng.exe
taskeng.exe {FCDB089A-2062-47EA-B2AA-01BF6789AD4D} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
2⤵
- Modifies system certificate store
PID:2960

C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Users\Public\DefenderActiveProtect.exe
C:\Users\Public\DefenderActiveProtect.exe
2⤵
- Executes dropped EXE
PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ffb31b79c37747a9215fa6b47478bc38

SHA1
7a5a26b2c8675be01624ebdcb9e9f4c180c56ab0

SHA256
d3e56dcb914fc2685f40c51038d58a1c2baf0c74f61259412ece8865062ed632

SHA512
b32c3bb8d49d340b78de0c7bd6cb44a7b9b27569a24430ff22f6d98a47f6185aaadb3543608ace2fc86e8899d2c6de0630c7057b58146173be1ecc0b5a5f27f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5d7dcd790c4d31de3d2f0fa320959387

SHA1
81aece46b616e85c7dbebf54c5326ab8d0361bc9

SHA256
1da7bc0af2b395b98390f59dd0055baae0e054fc8a2c77432a28c7bd49c371ba

SHA512
b26c0eb0ea6c91e73626ff870690be4a3484e632f44c9d8957c806469e17356946e1751d13512529c7f0275a69decdbf979221e39e1b4da81a7184da1cd82b52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c8e87a548f5e46de8fb7c38d02eadeea

SHA1
cbd75251b4a626c54c63154eaa91eeb6d9c10e5e

SHA256
3b6d687e8bc3e457a60c3c64f13b3b3e2ec8615748b30d36956d21b2bee678c3

SHA512
bdb8b281a9baf3f6bf384b29738f3bf53006e195d2b17f32c523880f9f7f6601ed82b178b5af293c8f3a3ee5eabbe393405752f1333026a033f4dd174f69e03c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ee454eaac501314151a7bf1a1f3b8685

SHA1
4a4cd5b937d3f34b1ccccbbbdb4db2fe02590a98

SHA256
cc8e5d5c764a566fffb7edba72390c9b815b4aea7ab4756482c1b542ce45387b

SHA512
f2f589b9bba3b1ca1dd7ea9b3ba31fd0df8d810665e261ca0a009ddb7a6b60712830cf23ba40106371c179877909d3b9c2ebcaf477903f8fb0171cc160a5a8cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8421e593d24b5025f3b8c4c51e8c266b

SHA1
54bd6123201076376a4c053e4b7c573ac085e943

SHA256
7dbfcd2d789f488c6e853f51947cc35c095c4eb7584c54bc42a89a1c5a76e85e

SHA512
f6c8a200044b9fbc06818d3bf0c6bbff8179030e9e702adb1cef906535ba882b1fdafc280de88789cf72b44f4202d8b7899d6270dd1c4264da2ffad8d886c819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ec826fd11c35f3f77c72103504ae009b

SHA1
751a908bcb49c1969cf8058a87f06829af97f70e

SHA256
4cee443c929ccde4094ed0f86ba1817088c6f28283a3c23fc48a0c659f979d44

SHA512
f03b68de884c44546b8738089a15f3fcdc501f47cc79972fd08c9944ac7feaa23bd2e34b8b9ed1bda7189a93fd9aae08817003b940f851e2f7dfaea186c8b0d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
541e8d9760b55a7316cb47db77173f59

SHA1
aa4ceada7b61bd4bd2dc2fec089de37ef531cc4d

SHA256
3a45f9657054a51f2580da32302e672b866013f44ffbdfd5fb4d860b2ef2d9ba

SHA512
fb19c34180d10062d6df7f3afb6688f5b8b1786cbf08a15138873adaf56e189460f20d12ee976f2bc0c9b979d92a163d21d1f2d4535d8492645dd46882f6780b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e91c4ef2624ac7b12a12498d0bd68130

SHA1
9cc3249f5addb2c6f9e4ecf6f3ab081e1ac62f6b

SHA256
62f5f1d005fc29b19d7a39c26a988d014bd216d0db912c2d120ec905c10ea7a3

SHA512
6d1235dee260ee36decac569a07cd1d39475f866a2a0b2ce10e28def92456fce536f31b4fe46473d1f44b9503540c138ee3ee03bc8110ed8fca86cda72a5d9df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4c394ef983849c1d55fe9311ca965c6c

SHA1
d9a247025a49bba01a2e4c30df9c75ef7027ab62

SHA256
2edb9c21c79799a25e9634ad2249a8c62504edcbf8ad38ade4e683a5115b07af

SHA512
42a20ccd2a974823990cada4bec253f893e539963aa69acac75341bc6f49a5a4fc1b50f1de4f2dd4bbbc12fa6f91eaabc3497093b74bc6ea51680b3bc5936ddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0f33b6b4be39e3a7e06bca2e31181f3d

SHA1
be2b6d9a44864b531003ecde865c306e6e4e7494

SHA256
95bd4f705a38d786b7fb4dd23278e29b61442cc383999f45427be617c29876a8

SHA512
72d8a5b1d5aa82c868f87e0d6b7db560d3cccd322fdddb7765bfe45e2fcef0f2f0bfc9073a90236451e289121322fe698243463d6c8aa4def6df7a876b59be93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
88aff2b107c11f70be8f9dd31ae08c39

SHA1
542cbc2c17f2cf7830637f03bc8db3438c0fde17

SHA256
3b3ec41b0be9a63a4ec8a5ccaa1bd9e7965e6829507d953157d14200b1471f38

SHA512
23500de8723c9682e6cb997a96b87199d4146623a08685f1eca9d4b2e3cb31f60882863c52dbea35b69a801ab361c3728e505f73bbe3afe855df09df09072a3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ef64f1342ae01be275607d14f58e1f29

SHA1
d3fc61b628cd15dc41a7c9a0ceb20d34cadba0ba

SHA256
7dc4abca200e530d1adc34f170ec1405f5669011b08ad92318fd74653775a2a2

SHA512
cd129cac31a7e25a81da561565a426bacf7861918ac358bed6de1c7fe1ac6f8ce0c669b5d24e58528dbd828753dabd442e3fd1a38088bb2280f3587e9a937959

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a3ef290edbde0425f187355cd4256654

SHA1
7bdf8d0f74e93548197e2b678ca3708965d826a5

SHA256
c32b4b396c8931a69319c9682c825fa1b303f7272fc4e64173a31f02e9cd0ce1

SHA512
968160787e94d5b16f2334668d33bf38f2916da924d9c60c7ac2497ac1b2542f99aa74a5e3f5473669dbe8a76051df5ac614b061ed6d52412f22649a1cf025b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
71f0e4fcfba63181754c7b7263b00a7b

SHA1
a06015f6f1640c81860adbebc3446d41032160c8

SHA256
5d018cec36624f31cd85550639f9f0f7fa41a84d52e9a4de916b3bbfec37eab3

SHA512
418fffdef4a59afeaf7b1d9d0cb50fe9d0b235777dabc40fab77aa82d9c1f2c83fc624e0e5bec9ac85f1e86a1970613a573527f1b0b24dc5a7c465915a21147e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
252B

MD5
4910742fdbd01766aec9b2864085b926

SHA1
42bb1d4f9facfc5509dcd46dff91764cc3e73324

SHA256
0b01472eac83c7cfa82dd552d371718180ffddbfad8e368b04364037967529e1

SHA512
43cd7a071f1899032508113197408b20b1f37dae7b453b5285c085a0ca4493c69408c079510f999a16ff537046e5e5216c49f3c9e7c76838aa2677412e68a3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab79E3.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A30.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
Filesize
360KB

MD5
3d838159fdfcb5c26cec948f8687a0d1

SHA1
a4d569ebe607a080378401452f3b5855394bd791

SHA256
dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27

SHA512
db35a78f4e5ef9429850a97c65c60a3d1b0db6feea150b2b49a21071e5c2840c2ed79d9deeaffe8ad4cda15bb6d518c4d4387f447b1cc24bbd62fe96394dd219

Download Submit
memory/2264-222-0x0000000002150000-0x000000000219F000-memory.dmp

Filesize
316KB

Download
memory/2264-4-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2264-132-0x0000000002150000-0x000000000219F000-memory.dmp

Filesize
316KB

Download
memory/2264-131-0x0000000003870000-0x0000000003C70000-memory.dmp

Filesize
4.0MB

Download
memory/2464-168-0x0000000001D00000-0x0000000001D4F000-memory.dmp

Filesize
316KB

Download
memory/2464-224-0x0000000001D00000-0x0000000001D4F000-memory.dmp

Filesize
316KB

Download
memory/2952-225-0x00000000002D0000-0x000000000031F000-memory.dmp

Filesize
316KB

Download
memory/2952-203-0x00000000002D0000-0x000000000031F000-memory.dmp

Filesize
316KB

Download
memory/2960-223-0x0000000002230000-0x000000000227F000-memory.dmp

Filesize
316KB

Download
memory/2960-150-0x0000000002230000-0x000000000227F000-memory.dmp

Filesize
316KB

Download