dcrat | 880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604

Analysis

max time kernel
60s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
Size

244KB
MD5

79c996f4d780bc235cf93c973fe9ba7d
SHA1

ce84ecc4cae48aa39d864adeb278a08221521ac4
SHA256

880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604
SHA512

4424c393c21f73c7c71dcbbdf743ea9d5880402ad0c13db2ca43068ce28dc81be9e1f3625e499b999a91fea7a4302a9f40b1ba2ffde455810cd1e79e8627c7a7
SSDEEP

6144:FGKwnhrkDwlSJ/OjtXfMZ92E6rxlVram1h:FGKwnlCwlSRAtvMZ922+

Score

10^/10

dcrat glupteba smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
crownsupportservices.co.uk
Port:
21
Username:
[email protected]
Password:
Petrolhead12

Extracted

Credentials

Protocol: ftp
Host:
crownsupportservices.co.uk
Port:
21
Username:
info
Password:
Petrolhead12

Extracted

Credentials

Protocol: ftp
Host:
crownsupportservices.co.uk
Port:
21
Username:
admin
Password:
Petrolhead12

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral2/memory/4536-245-0x0000000002E40000-0x000000000372B000-memory.dmp	family_glupteba
behavioral2/memory/4536-251-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4536-264-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	5DAF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7D12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	work.exe

Deletes itself 1 IoCs

pid	Process
3444	Process not Found

Executes dropped EXE 18 IoCs

pid	Process
2160	DD6.exe
1092	DD6.exe
4144	15B8.exe
4932	2895.exe
3304	2895.tmp
3052	burnawareext.exe
4152	burnawareext.exe
4348	5DAF.exe
3700	6784.exe
4536	288c47bbc1871b439df19ff4df68f076.exe
1820	InstallSetup4.exe
2404	FourthX.exe
4116	BroomSetup.exe
1996	7495.exe
1520	nsk7666.tmp
5044	7D12.exe
3400	work.exe
1668	hftsef.exe

Loads dropped DLL 8 IoCs

pid	Process
1092	DD6.exe
1092	DD6.exe
4916	regsvr32.exe
3304	2895.tmp
3304	2895.tmp
3304	2895.tmp
1820	InstallSetup4.exe
1820	InstallSetup4.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1092-19-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-22-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-23-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-26-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-32-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-145-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-146-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-247-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1092-290-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	DD6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	15B8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1668	hftsef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 1092	2160	DD6.exe	92

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4816	sc.exe
1604	sc.exe
4420	sc.exe
2316	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
2304	1520	WerFault.exe	108
4740	1996	WerFault.exe	107
5016	1520	WerFault.exe	108
4348	1520	WerFault.exe	108
2340	1520	WerFault.exe	108
2384	1520	WerFault.exe	108
4504	1520	WerFault.exe	108
3460	4536	WerFault.exe	103
2248	1520	WerFault.exe	108
3432	1520	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6784.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6784.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4688	880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
4688	880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4688	880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
3700	6784.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3304	2895.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4116	BroomSetup.exe
1668	hftsef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2160	3444	Process not Found	91
PID 3444 wrote to memory of 2160	3444	Process not Found	91
PID 3444 wrote to memory of 2160	3444	Process not Found	91
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 2160 wrote to memory of 1092	2160	DD6.exe	92
PID 3444 wrote to memory of 4708	3444	Process not Found	93
PID 3444 wrote to memory of 4708	3444	Process not Found	93
PID 3444 wrote to memory of 4144	3444	Process not Found	94
PID 3444 wrote to memory of 4144	3444	Process not Found	94
PID 3444 wrote to memory of 4144	3444	Process not Found	94
PID 4708 wrote to memory of 4916	4708	regsvr32.exe	95
PID 4708 wrote to memory of 4916	4708	regsvr32.exe	95
PID 4708 wrote to memory of 4916	4708	regsvr32.exe	95
PID 3444 wrote to memory of 4932	3444	Process not Found	97
PID 3444 wrote to memory of 4932	3444	Process not Found	97
PID 3444 wrote to memory of 4932	3444	Process not Found	97
PID 4932 wrote to memory of 3304	4932	2895.exe	98
PID 4932 wrote to memory of 3304	4932	2895.exe	98
PID 4932 wrote to memory of 3304	4932	2895.exe	98
PID 3304 wrote to memory of 3052	3304	2895.tmp	99
PID 3304 wrote to memory of 3052	3304	2895.tmp	99
PID 3304 wrote to memory of 3052	3304	2895.tmp	99
PID 3304 wrote to memory of 4152	3304	2895.tmp	100
PID 3304 wrote to memory of 4152	3304	2895.tmp	100
PID 3304 wrote to memory of 4152	3304	2895.tmp	100
PID 3444 wrote to memory of 4348	3444	Process not Found	101
PID 3444 wrote to memory of 4348	3444	Process not Found	101
PID 3444 wrote to memory of 4348	3444	Process not Found	101
PID 3444 wrote to memory of 3700	3444	Process not Found	102
PID 3444 wrote to memory of 3700	3444	Process not Found	102
PID 3444 wrote to memory of 3700	3444	Process not Found	102
PID 4348 wrote to memory of 4536	4348	5DAF.exe	103
PID 4348 wrote to memory of 4536	4348	5DAF.exe	103
PID 4348 wrote to memory of 4536	4348	5DAF.exe	103
PID 4348 wrote to memory of 1820	4348	5DAF.exe	104
PID 4348 wrote to memory of 1820	4348	5DAF.exe	104
PID 4348 wrote to memory of 1820	4348	5DAF.exe	104
PID 4348 wrote to memory of 2404	4348	WerFault.exe	105
PID 4348 wrote to memory of 2404	4348	WerFault.exe	105
PID 1820 wrote to memory of 4116	1820	InstallSetup4.exe	106
PID 1820 wrote to memory of 4116	1820	InstallSetup4.exe	106
PID 1820 wrote to memory of 4116	1820	InstallSetup4.exe	106
PID 3444 wrote to memory of 1996	3444	Process not Found	107
PID 3444 wrote to memory of 1996	3444	Process not Found	107
PID 3444 wrote to memory of 1996	3444	Process not Found	107
PID 1820 wrote to memory of 1520	1820	InstallSetup4.exe	108
PID 1820 wrote to memory of 1520	1820	InstallSetup4.exe	108
PID 1820 wrote to memory of 1520	1820	InstallSetup4.exe	108
PID 3444 wrote to memory of 5044	3444	Process not Found	112
PID 3444 wrote to memory of 5044	3444	Process not Found	112
PID 3444 wrote to memory of 5044	3444	Process not Found	112
PID 4116 wrote to memory of 4880	4116	BroomSetup.exe	111
PID 4116 wrote to memory of 4880	4116	BroomSetup.exe	111
PID 4116 wrote to memory of 4880	4116	BroomSetup.exe	111
PID 5044 wrote to memory of 1548	5044	7D12.exe	115
PID 5044 wrote to memory of 1548	5044	7D12.exe	115
PID 5044 wrote to memory of 1548	5044	7D12.exe	115
PID 4880 wrote to memory of 2408	4880	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe
"C:\Users\Admin\AppData\Local\Temp\880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4688

C:\Users\Admin\AppData\Local\Temp\DD6.exe
C:\Users\Admin\AppData\Local\Temp\DD6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\DD6.exe
  C:\Users\Admin\AppData\Local\Temp\DD6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1092

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1336.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1336.dll
  2⤵
  - Loads dropped DLL
  PID:4916

C:\Users\Admin\AppData\Local\Temp\15B8.exe
C:\Users\Admin\AppData\Local\Temp\15B8.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4144

C:\Users\Admin\AppData\Local\Temp\2895.exe
C:\Users\Admin\AppData\Local\Temp\2895.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\is-G6I8E.tmp\2895.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-G6I8E.tmp\2895.tmp" /SL5="$50174,7139316,54272,C:\Users\Admin\AppData\Local\Temp\2895.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe
    "C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe
    "C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4152

C:\Users\Admin\AppData\Local\Temp\5DAF.exe
C:\Users\Admin\AppData\Local\Temp\5DAF.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  PID:4536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 920
    3⤵
    - Program crash
    PID:3460
- C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:888
- - C:\Users\Admin\AppData\Local\Temp\nsk7666.tmp
    C:\Users\Admin\AppData\Local\Temp\nsk7666.tmp
    3⤵
    - Executes dropped EXE
    PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 816
      4⤵
      Program crash
      PID:2304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 824
      4⤵
      Program crash
      PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 868
      4⤵
      Program crash
      Suspicious use of WriteProcessMemory
      PID:4348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 876
      4⤵
      Program crash
      PID:2340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1048
      4⤵
      Program crash
      PID:2384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1112
      4⤵
      Program crash
      PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2316
      4⤵
      Program crash
      PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2432
      4⤵
      Program crash
      PID:3432
- C:\Users\Admin\AppData\Local\Temp\FourthX.exe
  "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
  2⤵
  - Executes dropped EXE
  PID:2404
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:2252
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "UTIXDCVF"
    3⤵
    - Launches sc.exe
    PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4772
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1648
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1604
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "UTIXDCVF"
    3⤵
    - Launches sc.exe
    PID:4420
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2316

C:\Users\Admin\AppData\Local\Temp\6784.exe
C:\Users\Admin\AppData\Local\Temp\6784.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3700

C:\Users\Admin\AppData\Local\Temp\7495.exe
C:\Users\Admin\AppData\Local\Temp\7495.exe
1⤵
- Executes dropped EXE
PID:1996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1032
  2⤵
  - Program crash
  PID:4740

C:\Users\Admin\AppData\Local\Temp\7D12.exe
C:\Users\Admin\AppData\Local\Temp\7D12.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1520 -ip 1520
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1996 -ip 1996
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1520 -ip 1520
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1996 -ip 1996
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1520 -ip 1520
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1520 -ip 1520
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1520 -ip 1520
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1520 -ip 1520
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4536 -ip 4536
1⤵
PID:4904

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
1⤵
PID:808
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1520 -ip 1520
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1520 -ip 1520
1⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1520 -ip 1520
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\IMAP List Mailboxes 65\IMAP List Mailboxes 65.exe

Filesize
1.1MB

MD5
abbf40dcdde722a608b2f65566529d20

SHA1
fc97646b980d396a5fdde8e1f11e0c3224b7d316

SHA256
1a17ef080888e125ab02a6aec9a2f09214259a60b2753f43051af5e8c9d6fd3c

SHA512
8de0dbdee7ac16fcfc8f9430c731819b6bdc4357b74aaa82ca3618b7719bcf3f17bd637cfca7c96f82e059449f3d423848a538a8fdbfb30eb43bf452b71a8e86

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

Filesize
2.0MB

MD5
b75e76c59f54d7d26b1ec8f9bc284a45

SHA1
4d8f815ebb810ba645f03c7f3e39f39cf24f45db

SHA256
87fbe3d2e129b22ea6d9db55811c58b922273370e4ef89ddaaad0053e0fa648e

SHA512
e93b605df019dede65b2a1f1d1b7c73f2b33e0e3964d36f3af64aafa86f802f300b736185eb23c5028bfbddb3445690e39b24001d66c9f948f16dec4b303d5a8

Download Submit
C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

Filesize
1.2MB

MD5
072e3db2d48e36bbc8f4ffaa95db0904

SHA1
cdc4183e6751e6238bffd72c16cfcf7d10fd0ae2

SHA256
ba07a3ec68c465f0d251fe97c14a6ffd37c687f65ad52806c97eaf52cc5a4846

SHA512
62febd71826b5979623b3d61cb1857e4c665964600d93ef792f87f28b555067258bf339633f70dc764417a560bc4aa3a45c430928b508428fd8efb5d80c95837

Download Submit
C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

Filesize
2.7MB

MD5
08fe2c61615b6b4efead74e7e7521483

SHA1
4c6fa9c4d1ccc4fb519e3b0e56814764477ca5d5

SHA256
532f2e28a6a656ec2a2b54c21e611461835464888d00fcd753f4d94b361c8316

SHA512
bb1a07fdc886676747a1b98d6329795d338f1b35d6c480e1074e5218b37df2856efbe2b5ad376718e3205d42b1b93072cb9ac854f9a00c78cd17f64dded85672

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336.dll

Filesize
1.7MB

MD5
b019a088041eb55df8a7482338ea240a

SHA1
9d4789657cfc50ef5d5d5e6899c89de0119f8ea6

SHA256
c994bc26c7cc7a003ac3120415cff033b912c66939ed3b09a9683d20a47b0dda

SHA512
1fdaf714398b82d3bde85ee3264200c8b9116f40b4f33a3b96a394ccdecc5a308cb671c634243cc09247f5594d9c78552c751e281c0531ae4f2e16b38bf37b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336.dll

Filesize
960KB

MD5
0aeff8a9f6e99abc2d2b7ddfb7b8174e

SHA1
506b374bfb0af1c76a716a930ea3d04ce8cb3c7a

SHA256
1ff152cc0e2cb44934b3b2191bce656f203e3aaf378d4ef1843df4e2c4a46934

SHA512
948afe735cdc6110fd24117ad57d9347a4714ca469d78a05553d0d445fe2766074e02d1d09cabc9d04f3e2796b6ce75a35150901c32a49e45a3f245a1026ceaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336.dll

Filesize
512KB

MD5
c72095df492461ea72dc065729835854

SHA1
99015010233c80652cd7bc5c7fd053969894b784

SHA256
6c774e3f40fa8178c8962693bb7774098159aa8fe9ee521a972b332254ff30a7

SHA512
c044563ba148c2195b46453ccd724c25cc2fc9ab8f97d899a1de401cfbcdae440f6da2e8b3aa7746cc89f47cc3905f36610ce45e0ade8738b3a6a786b5e43fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336.dll

Filesize
896KB

MD5
ed9d26c04c5c0f35b6bad3319efd4b6f

SHA1
478daab8ebc40fdea29ef18cedb2514eb170cc86

SHA256
e005ef64e14de300ceb7a3f6514f00022bf7d8e51a98c0916c9d3b44aa9599da

SHA512
e9a0f5bbc3dd05b61ec2147cfb6acbc8e4ff2d4ebd3b984928cf9ed51b999fc2b6dfcbb0b4e1e5699e5508a79a1d149365720f9f68baebf4f055f9080509bc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\15B8.exe

Filesize
421KB

MD5
1996a23c7c764a77ccacf5808fec23b0

SHA1
5a7141b167056bf8f01c067ebe12ed4ccc608dc7

SHA256
e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888

SHA512
430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.1MB

MD5
d122f827c4fc73f9a06d7f6f2d08cd95

SHA1
cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5

SHA256
b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc

SHA512
8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

Download Submit
C:\Users\Admin\AppData\Local\Temp\2895.exe

Filesize
2.9MB

MD5
533ca8fbd029f9f78985a1ca43479fde

SHA1
8253be9fc799a9166f13f9f77df792901bccb130

SHA256
fb38dca142d64a23b6c811828ef575da6027a41727fc15c50d196df2ed66331d

SHA512
5a3d8a21b87355a68ed8054d5bafc600e02e8115f1c4d415a54cf5d5be88b9516d33413aac1fbbed25cfd0d98842f574607fb67032382db9fe39e1c8b38de9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2895.exe

Filesize
5.3MB

MD5
6f1dab66bcabfc18807b808b24de3805

SHA1
74b111207ef6ebc32227ee17612ac83ded35e0d8

SHA256
3a138fe149a2c431cd1a8611eed538b21ec8282f935a79c0eb191c288d1cbb9e

SHA512
530468103795862a0daea662b5c87c72ccbb4ed6b1ed909cbf402793a0b4b53e2f6667d00e82ba4da9fdd2515c7f0dba1f2bc6cfda08d38b8dc3c045f95b9e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
e32842c6879ac72e66a3c9b5d2254f11

SHA1
2ffbf2c1a8115d1f4d21615570465fe3f76999be

SHA256
5f5b6997440bdfb2f1210f5823522df23c19c7bdda75a1e92611f2a2c1ad1502

SHA512
4ab0d475130533b1c40675795ddd5711aa2d46a1dd47550d1e95394ad45fbe2115f52af69728de19730d73c77e2da7e0ff565ec4a31e8b962ca6b5488e4cbff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
20.0MB

MD5
28f51e4b367f8bc7d842d4e6a71cc29f

SHA1
2e9251647253d481a04b79374c70b9311cc19d77

SHA256
1cd7d3d10a53f113009805387dbb57dbd73d52d1ace0c0526b04b47dadf2d709

SHA512
0941bc446805616685fb2a60cf24310df51df66d103bd865091de0a2e87aff17b232b087ebd5c8758a2b4a8ba82d114befc8a677d133c6481f2e7652778c022f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAF.exe

Filesize
8.7MB

MD5
ceae65ee17ff158877706edfe2171501

SHA1
b1f807080da9c25393c85f5d57105090f5629500

SHA256
0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49

SHA512
5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6784.exe

Filesize
169KB

MD5
e031b277a9d1232f0e7a52351828c5aa

SHA1
af2f480ffc2e11da07c7d688edc41686bcfb6201

SHA256
203088a7531c7d4be50ad16a2ce9a3facdc2cba18e5d13c4fd57fdf1f751178a

SHA512
b7c7f902f715cda4963c9612a5d74cf90d4086ba919345a9fb944867667e28f348a4e1cd0cdc7c490dc8e37c5828bbde27c6585870b970790aeeef379793c113

Download Submit
C:\Users\Admin\AppData\Local\Temp\7495.exe

Filesize
3.2MB

MD5
ad9ca09dc7bcb9cde15c8e46b3d5d7a9

SHA1
f55a1c12633cb48e1bb1e6708ec5a85f3893242b

SHA256
64b8e722915a6d2108756a0586f55850d8cb9f6ecc6b5483ef0fe7210be2dcec

SHA512
c981574f077e6a67e8b013605c04bc2bf177452542201726e437fbaaaccff55292dafad335ee036b385f9b1535b4a439719ba09499836f5013089c2673f46c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D12.exe

Filesize
1.6MB

MD5
725a272d58c38263bac81cc348f27923

SHA1
940380233efcda57a22341e09515696d6b80bc25

SHA256
b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee

SHA512
55d9e6a2fc3b39f8ef333cef91c9c131039a8cffd9f353c5ee68aba3c35efa4f23928196fc89a9d633413287c084ad1bd6628ba92725f8e5ee8dafca9835691c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
4.7MB

MD5
5e94f0f6265f9e8b2f706f1d46bbd39e

SHA1
d0189cba430f5eea07efe1ab4f89adf5ae2453db

SHA256
50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503

SHA512
473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD6.exe

Filesize
1.9MB

MD5
151e9ec4f0355d2f131b871671bd5e20

SHA1
50992f712b281db70518e6d404084e26dcd98b98

SHA256
a1480e23bd2a89b188fb01138ef2f54130f2dc41ce85ff9319ab7f15471b0011

SHA512
18a2fa6e9c97281328de819126dccb6cc8576e11ea11a8faba629da58e724040427c7d941ce0f935948195c30da6d60a6873d7e3e9613eba7df42bde1a3aba1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
2.5MB

MD5
b03886cb64c04b828b6ec1b2487df4a4

SHA1
a7b9a99950429611931664950932f0e5525294a4

SHA256
5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc

SHA512
21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

Filesize
2.0MB

MD5
28b72e7425d6d224c060d3cf439c668c

SHA1
a0a14c90e32e1ffd82558f044c351ad785e4dcd8

SHA256
460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98

SHA512
3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.4MB

MD5
138b89cd7998a23858a944fc0580fe45

SHA1
3d0c907b4b9f546f59d5a42d8b4826785907b715

SHA256
8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230

SHA512
7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

Filesize
1.1MB

MD5
38d71977d7eb1451e0497d888b8b40d1

SHA1
12abfe0a3074280d31afe0dd66066bbc550bfb50

SHA256
d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c

SHA512
d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngzzwthb.hir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G6I8E.tmp\2895.tmp

Filesize
692KB

MD5
4fcb9ac602df0c633c808db2146b80c8

SHA1
4bb07e033a795236495ae079ab541e9751827828

SHA256
a1a06d4495d973442c6be292bc8a22efef811aac463f6cd6d0f1f616edca9f87

SHA512
8f678f0a1ed63b750d08b0f47ae13a8bd6b2327703af645329dff8ece42a0e5bdb48399850f6d488f30817935a2bd565205ee4f30c066f4d522aca89f284d96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VIJKE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VIJKE.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7666.tmp

Filesize
211KB

MD5
597450e5424da3a517472e48744cdc0d

SHA1
9f69579745b69385e028e24eccca76214ec38ff3

SHA256
1b16f12e0094703f6384857fb7b4c292da177ba537622ec6b9b6536bb76a5504

SHA512
2029d9b73d269d3b762f9ffb7c33697250387daa7691a08eb8d499f8a0f5ef4c6bec888d75a62fbecafa270c9cf93b74a6e91424b642a791834c38866e615ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx70A8.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
memory/1092-32-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-130-0x00000000030A0000-0x000000000319F000-memory.dmp

Filesize
1020KB

Download
memory/1092-22-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-290-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-37-0x0000000000E60000-0x0000000000E66000-memory.dmp

Filesize
24KB

Download
memory/1092-247-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-124-0x0000000002F80000-0x000000000309C000-memory.dmp

Filesize
1.1MB

Download
memory/1092-36-0x0000000002AF0000-0x0000000002CA1000-memory.dmp

Filesize
1.7MB

Download
memory/1092-26-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-146-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-23-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-133-0x00000000030A0000-0x000000000319F000-memory.dmp

Filesize
1020KB

Download
memory/1092-134-0x00000000030A0000-0x000000000319F000-memory.dmp

Filesize
1020KB

Download
memory/1092-145-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-19-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1092-35-0x0000000002AF0000-0x0000000002CA1000-memory.dmp

Filesize
1.7MB

Download
memory/1520-235-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1520-350-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/1520-233-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/1520-234-0x0000000002290000-0x00000000022C4000-memory.dmp

Filesize
208KB

Download
memory/1520-304-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1520-289-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1668-262-0x0000000000C30000-0x0000000000F9C000-memory.dmp

Filesize
3.4MB

Download
memory/1996-220-0x0000000002780000-0x00000000027B2000-memory.dmp

Filesize
200KB

Download
memory/1996-216-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1996-219-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1996-222-0x0000000002780000-0x00000000027B2000-memory.dmp

Filesize
200KB

Download
memory/1996-228-0x0000000002780000-0x00000000027B2000-memory.dmp

Filesize
200KB

Download
memory/1996-224-0x0000000002780000-0x00000000027B2000-memory.dmp

Filesize
200KB

Download
memory/1996-206-0x0000000000430000-0x0000000000B35000-memory.dmp

Filesize
7.0MB

Download
memory/2160-18-0x00000000024E0000-0x0000000002697000-memory.dmp

Filesize
1.7MB

Download
memory/2160-17-0x0000000002320000-0x00000000024DE000-memory.dmp

Filesize
1.7MB

Download
memory/3052-114-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/3052-118-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/3304-212-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3304-59-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3304-140-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3444-4-0x00000000010A0000-0x00000000010B6000-memory.dmp

Filesize
88KB

Download
memory/3444-221-0x0000000003040000-0x0000000003056000-memory.dmp

Filesize
88KB

Download
memory/3700-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-156-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/3700-157-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/3700-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-266-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4116-291-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/4116-198-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/4152-263-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/4152-155-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/4152-246-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/4152-123-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/4152-122-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/4348-147-0x0000000072D40000-0x00000000734F0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-191-0x0000000072D40000-0x00000000734F0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-148-0x00000000008B0000-0x0000000001166000-memory.dmp

Filesize
8.7MB

Download
memory/4396-303-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/4396-331-0x0000000070580000-0x00000000708D4000-memory.dmp

Filesize
3.3MB

Download
memory/4396-371-0x0000000007C70000-0x0000000007C81000-memory.dmp

Filesize
68KB

Download
memory/4396-369-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/4396-357-0x0000000007C50000-0x0000000007C5A000-memory.dmp

Filesize
40KB

Download
memory/4396-352-0x000000007F8C0000-0x000000007F8D0000-memory.dmp

Filesize
64KB

Download
memory/4396-351-0x0000000007B70000-0x0000000007C13000-memory.dmp

Filesize
652KB

Download
memory/4396-265-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

Filesize
216KB

Download
memory/4396-267-0x0000000071720000-0x0000000071ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-268-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4396-269-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4396-270-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/4396-271-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4396-272-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4396-273-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/4396-342-0x0000000007B10000-0x0000000007B2E000-memory.dmp

Filesize
120KB

Download
memory/4396-283-0x00000000060B0000-0x0000000006404000-memory.dmp

Filesize
3.3MB

Download
memory/4396-284-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/4396-285-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/4396-288-0x0000000006AF0000-0x0000000006B34000-memory.dmp

Filesize
272KB

Download
memory/4396-330-0x0000000071430000-0x000000007147C000-memory.dmp

Filesize
304KB

Download
memory/4396-328-0x0000000007B30000-0x0000000007B62000-memory.dmp

Filesize
200KB

Download
memory/4396-302-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/4396-292-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4396-298-0x00000000078E0000-0x0000000007956000-memory.dmp

Filesize
472KB

Download
memory/4536-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4536-245-0x0000000002E40000-0x000000000372B000-memory.dmp

Filesize
8.9MB

Download
memory/4536-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4536-244-0x0000000002A30000-0x0000000002E34000-memory.dmp

Filesize
4.0MB

Download
memory/4688-1-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/4688-8-0x00000000005F0000-0x00000000005FB000-memory.dmp

Filesize
44KB

Download
memory/4688-2-0x00000000005F0000-0x00000000005FB000-memory.dmp

Filesize
44KB

Download
memory/4688-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4688-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4916-40-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/4916-129-0x0000000002AB0000-0x0000000002BAF000-memory.dmp

Filesize
1020KB

Download
memory/4916-128-0x0000000002AB0000-0x0000000002BAF000-memory.dmp

Filesize
1020KB

Download
memory/4916-41-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

Filesize
24KB

Download
memory/4916-115-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/4916-125-0x0000000002AB0000-0x0000000002BAF000-memory.dmp

Filesize
1020KB

Download
memory/4916-109-0x0000000002990000-0x0000000002AAC000-memory.dmp

Filesize
1.1MB

Download
memory/4932-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4932-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download