umbral | d4f5d067ff567af50017ad3f0997b6aaea6fc8e3305adf57de560e03536e8e86

Analysis

max time kernel
70s
max time network
106s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BaffFree (1).rar
Size

14.0MB
MD5

1d5acc5687edcd169ff1f668fb614668
SHA1

5ef489cd47893a888286c8cfc5cf565945c44628
SHA256

d4f5d067ff567af50017ad3f0997b6aaea6fc8e3305adf57de560e03536e8e86
SHA512

8aaff2444d1bc3b308e0aa9761e97f3dd497df76a1fe68bb11560e06d2f73297c1fcf1bce74e0bab1e016ef52109a45c995ce750a3be5fde0cf6a75ee4c9b7d1
SSDEEP

196608:7nw75pSvvDy2bpmAa72xIvRt5snPdFK5Jdr9hj+i4etUqUFc/muT8EgJHZtmiC:7wCXbi7EIvRmPdFIhjF4eGnuT4DmP

Score

10^/10

umbral xworm zgrat evasion persistence rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1218255752314097764/pf1l_fyX4Y944q-tMNsmbSq2cfDBpqCBXuTvF0vyF76tkTcn3FOYasjrq_iM6NffJOYF

Extracted

Family

xworm

approved-supports.gl.at.ply.gg:45098

Attributes

Install_directory
%AppData%
install_file
rat.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014251-57.dat	family_umbral
behavioral1/memory/2116-58-0x00000000011F0000-0x0000000001230000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001418c-54.dat	family_xworm
behavioral1/memory/2056-62-0x0000000000820000-0x0000000000838000-memory.dmp	family_xworm

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001565a-178.dat	family_zgrat_v1
behavioral1/files/0x00070000000158d9-290.dat	family_zgrat_v1
behavioral1/memory/2692-293-0x0000000000100000-0x00000000002E6000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\conhost.exe\", \"C:\\Program Files\\VideoLAN\\taskhost.exe\", \"C:\\Blockperf\\wininit.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\winlogon.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\conhost.exe\", \"C:\\Program Files\\VideoLAN\\taskhost.exe\", \"C:\\Blockperf\\wininit.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\winlogon.exe\", \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\conhost.exe\", \"C:\\Program Files\\VideoLAN\\taskhost.exe\", \"C:\\Blockperf\\wininit.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\winlogon.exe\", \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\Blockperf\\BlockDhcp.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\conhost.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\conhost.exe\", \"C:\\Program Files\\VideoLAN\\taskhost.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\conhost.exe\", \"C:\\Program Files\\VideoLAN\\taskhost.exe\", \"C:\\Blockperf\\wininit.exe\""	BlockDhcp.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1380	schtasks.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1380	schtasks.exe	42

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	OneCoreUAPCommonProxyStub.exe
File created	C:\Windows\system32\drivers\etc\hosts	rykmnxwyylqw.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat.lnk	pautoenr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat.lnk	pautoenr.exe

Executes dropped EXE 13 IoCs

pid	Process
2508	Bafffree.exe
2440	nvdebugdump.exe
2136	OneCoreUAPCommonProxyStub.exe
2056	pautoenr.exe
2116	PeerDistAD.exe
476	Process not Found
1452	rykmnxwyylqw.exe
2392	63B539LLH0SAOGI.exe
2692	BlockDhcp.exe
2756	taskhost.exe
3232	rat.exe
3288	rat.exe.exe
3332	conhost.exe

Loads dropped DLL 12 IoCs

pid	Process
2576	7zFM.exe
2508	Bafffree.exe
2508	Bafffree.exe
2508	Bafffree.exe
476	Process not Found
1196	Process not Found
1196	Process not Found
1536	cmd.exe
1536	cmd.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\winlogon.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\rat = "C:\\Users\\Admin\\AppData\\Roaming\\rat.exe"	pautoenr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\it-IT\\conhost.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\it-IT\\conhost.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Blockperf\\wininit.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\BlockDhcp = "\"C:\\Blockperf\\BlockDhcp.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockDhcp = "\"C:\\Blockperf\\BlockDhcp.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\VideoLAN\\taskhost.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\winlogon.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\VideoLAN\\taskhost.exe\""	BlockDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Blockperf\\wininit.exe\""	BlockDhcp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
36	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	OneCoreUAPCommonProxyStub.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	rykmnxwyylqw.exe
File created	\??\c:\Windows\System32\CSCB3D83287F8F649A2BC97114A5B30D738.TMP	csc.exe
File created	\??\c:\Windows\System32\u7e72d.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2440	nvdebugdump.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1772	1452	rykmnxwyylqw.exe	104

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\taskhost.exe	BlockDhcp.exe
File created	C:\Program Files\VideoLAN\b75386f1303e64	BlockDhcp.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\6cb0b6c459d5d3	BlockDhcp.exe
File created	C:\Windows\it-IT\conhost.exe	BlockDhcp.exe
File created	C:\Windows\it-IT\088424020bedd6	BlockDhcp.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Registration\CRMLog\dwm.exe	BlockDhcp.exe
File opened for modification	C:\Windows\Registration\CRMLog\dwm.exe	BlockDhcp.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1444	sc.exe
1616	sc.exe
2472	sc.exe
1760	sc.exe
996	sc.exe
1776	sc.exe
2320	sc.exe
2012	sc.exe
2512	sc.exe
1560	sc.exe
2156	sc.exe
2572	sc.exe
2764	sc.exe
1624	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
272	schtasks.exe
1192	schtasks.exe
2756	schtasks.exe
2592	schtasks.exe
1924	schtasks.exe
792	schtasks.exe
1596	schtasks.exe
2636	schtasks.exe
2716	schtasks.exe
2828	schtasks.exe
1696	schtasks.exe
1376	schtasks.exe
1448	schtasks.exe
2844	schtasks.exe
2600	schtasks.exe
2200	schtasks.exe
1004	schtasks.exe
448	schtasks.exe
692	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0877c4fee77da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pautoenr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pautoenr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pautoenr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2512	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2576	7zFM.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe
2440	nvdebugdump.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2576	7zFM.exe
Token: 35	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeDebugPrivilege	2056	pautoenr.exe
Token: SeDebugPrivilege	2116	PeerDistAD.exe
Token: SeIncreaseQuotaPrivilege	340	wmic.exe
Token: SeSecurityPrivilege	340	wmic.exe
Token: SeTakeOwnershipPrivilege	340	wmic.exe
Token: SeLoadDriverPrivilege	340	wmic.exe
Token: SeSystemProfilePrivilege	340	wmic.exe
Token: SeSystemtimePrivilege	340	wmic.exe
Token: SeProfSingleProcessPrivilege	340	wmic.exe
Token: SeIncBasePriorityPrivilege	340	wmic.exe
Token: SeCreatePagefilePrivilege	340	wmic.exe
Token: SeBackupPrivilege	340	wmic.exe
Token: SeRestorePrivilege	340	wmic.exe
Token: SeShutdownPrivilege	340	wmic.exe
Token: SeDebugPrivilege	340	wmic.exe
Token: SeSystemEnvironmentPrivilege	340	wmic.exe
Token: SeRemoteShutdownPrivilege	340	wmic.exe
Token: SeUndockPrivilege	340	wmic.exe
Token: SeManageVolumePrivilege	340	wmic.exe
Token: 33	340	wmic.exe
Token: 34	340	wmic.exe
Token: 35	340	wmic.exe
Token: SeIncreaseQuotaPrivilege	340	wmic.exe
Token: SeSecurityPrivilege	340	wmic.exe
Token: SeTakeOwnershipPrivilege	340	wmic.exe
Token: SeLoadDriverPrivilege	340	wmic.exe
Token: SeSystemProfilePrivilege	340	wmic.exe
Token: SeSystemtimePrivilege	340	wmic.exe
Token: SeProfSingleProcessPrivilege	340	wmic.exe
Token: SeIncBasePriorityPrivilege	340	wmic.exe
Token: SeCreatePagefilePrivilege	340	wmic.exe
Token: SeBackupPrivilege	340	wmic.exe
Token: SeRestorePrivilege	340	wmic.exe
Token: SeShutdownPrivilege	340	wmic.exe
Token: SeDebugPrivilege	340	wmic.exe
Token: SeSystemEnvironmentPrivilege	340	wmic.exe
Token: SeRemoteShutdownPrivilege	340	wmic.exe
Token: SeUndockPrivilege	340	wmic.exe
Token: SeManageVolumePrivilege	340	wmic.exe
Token: 33	340	wmic.exe
Token: 34	340	wmic.exe
Token: 35	340	wmic.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2136	OneCoreUAPCommonProxyStub.exe
Token: SeShutdownPrivilege	1504	powercfg.exe
Token: SeShutdownPrivilege	1644	powercfg.exe
Token: SeShutdownPrivilege	1048	powercfg.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1452	rykmnxwyylqw.exe
Token: SeDebugPrivilege	2056	pautoenr.exe
Token: SeShutdownPrivilege	2792	powercfg.exe
Token: SeShutdownPrivilege	1636	powercfg.exe
Token: SeShutdownPrivilege	2176	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeDebugPrivilege	2692	BlockDhcp.exe
Token: SeDebugPrivilege	972	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2576	7zFM.exe
2576	7zFM.exe
496	firefox.exe
496	firefox.exe
496	firefox.exe
496	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
496	firefox.exe
496	firefox.exe
496	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2056	pautoenr.exe
496	firefox.exe
496	firefox.exe
496	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2576	2316	cmd.exe	29
PID 2316 wrote to memory of 2576	2316	cmd.exe	29
PID 2316 wrote to memory of 2576	2316	cmd.exe	29
PID 2576 wrote to memory of 2508	2576	7zFM.exe	30
PID 2576 wrote to memory of 2508	2576	7zFM.exe	30
PID 2576 wrote to memory of 2508	2576	7zFM.exe	30
PID 2508 wrote to memory of 2440	2508	Bafffree.exe	31
PID 2508 wrote to memory of 2440	2508	Bafffree.exe	31
PID 2508 wrote to memory of 2440	2508	Bafffree.exe	31
PID 2508 wrote to memory of 2136	2508	Bafffree.exe	32
PID 2508 wrote to memory of 2136	2508	Bafffree.exe	32
PID 2508 wrote to memory of 2136	2508	Bafffree.exe	32
PID 2508 wrote to memory of 2056	2508	Bafffree.exe	33
PID 2508 wrote to memory of 2056	2508	Bafffree.exe	33
PID 2508 wrote to memory of 2056	2508	Bafffree.exe	33
PID 2508 wrote to memory of 2116	2508	Bafffree.exe	34
PID 2508 wrote to memory of 2116	2508	Bafffree.exe	34
PID 2508 wrote to memory of 2116	2508	Bafffree.exe	34
PID 2116 wrote to memory of 340	2116	PeerDistAD.exe	35
PID 2116 wrote to memory of 340	2116	PeerDistAD.exe	35
PID 2116 wrote to memory of 340	2116	PeerDistAD.exe	35
PID 2440 wrote to memory of 1436	2440	nvdebugdump.exe	37
PID 2440 wrote to memory of 1436	2440	nvdebugdump.exe	37
PID 2440 wrote to memory of 1436	2440	nvdebugdump.exe	37
PID 1436 wrote to memory of 1560	1436	cmd.exe	39
PID 1436 wrote to memory of 1560	1436	cmd.exe	39
PID 1436 wrote to memory of 1560	1436	cmd.exe	39
PID 1436 wrote to memory of 2384	1436	cmd.exe	40
PID 1436 wrote to memory of 2384	1436	cmd.exe	40
PID 1436 wrote to memory of 2384	1436	cmd.exe	40
PID 1436 wrote to memory of 1324	1436	cmd.exe	41
PID 1436 wrote to memory of 1324	1436	cmd.exe	41
PID 1436 wrote to memory of 1324	1436	cmd.exe	41
PID 2056 wrote to memory of 2072	2056	pautoenr.exe	45
PID 2056 wrote to memory of 2072	2056	pautoenr.exe	45
PID 2056 wrote to memory of 2072	2056	pautoenr.exe	45
PID 2056 wrote to memory of 608	2056	pautoenr.exe	47
PID 2056 wrote to memory of 608	2056	pautoenr.exe	47
PID 2056 wrote to memory of 608	2056	pautoenr.exe	47
PID 2056 wrote to memory of 1756	2056	pautoenr.exe	49
PID 2056 wrote to memory of 1756	2056	pautoenr.exe	49
PID 2056 wrote to memory of 1756	2056	pautoenr.exe	49
PID 2056 wrote to memory of 976	2056	pautoenr.exe	51
PID 2056 wrote to memory of 976	2056	pautoenr.exe	51
PID 2056 wrote to memory of 976	2056	pautoenr.exe	51
PID 1020 wrote to memory of 2260	1020	cmd.exe	57
PID 1020 wrote to memory of 2260	1020	cmd.exe	57
PID 1020 wrote to memory of 2260	1020	cmd.exe	57
PID 2056 wrote to memory of 2636	2056	pautoenr.exe	85
PID 2056 wrote to memory of 2636	2056	pautoenr.exe	85
PID 2056 wrote to memory of 2636	2056	pautoenr.exe	85
PID 2920 wrote to memory of 2724	2920	cmd.exe	91
PID 2920 wrote to memory of 2724	2920	cmd.exe	91
PID 2920 wrote to memory of 2724	2920	cmd.exe	91
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 1452 wrote to memory of 1772	1452	rykmnxwyylqw.exe	104
PID 2056 wrote to memory of 2392	2056	pautoenr.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BaffFree (1).rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BaffFree (1).rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\7zO01AA9726\Bafffree.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01AA9726\Bafffree.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe
      "C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe" MD5
        6⤵
        
        PID:1560
      - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        6⤵
        
        PID:2384
      - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        6⤵
        
        PID:1324
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2440 -s 576
        5⤵
        Loads dropped DLL
        
        PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\OneCoreUAPCommonProxyStub.exe
      "C:\Users\Admin\AppData\Local\Temp\OneCoreUAPCommonProxyStub.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2136
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:2260
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2012
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:996
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2156
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1444
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1776
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CBABZYWT"
        5⤵
        Launches sc.exe
        
        PID:2512
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CBABZYWT" binpath= "C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2572
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1616
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CBABZYWT"
        5⤵
        Launches sc.exe
        
        PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\pautoenr.exe
      "C:\Users\Admin\AppData\Local\Temp\pautoenr.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pautoenr.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pautoenr.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rat.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rat.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rat" /tr "C:\Users\Admin\AppData\Roaming\rat.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\63B539LLH0SAOGI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\63B539LLH0SAOGI.exe"
        5⤵
        Executes dropped EXE
        
        PID:2392
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Blockperf\SsxsOgj7UItOyP.vbe"
        6⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Blockperf\W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat" "
        7⤵
        Loads dropped DLL
        
        PID:1536
        
        C:\Blockperf\BlockDhcp.exe
        
        "C:\Blockperf/BlockDhcp.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ucqobjea\ucqobjea.cmdline"
        9⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13D.tmp" "c:\Users\Admin\AppData\Roaming\CSCCABADF5DD504499811F5C25E9E3D2A0.TMP"
        10⤵
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k05eabe5\k05eabe5.cmdline"
        9⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC17B.tmp" "c:\Windows\System32\CSCB3D83287F8F649A2BC97114A5B30D738.TMP"
        10⤵
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\conhost.exe'
        9⤵
        
        PID:280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\taskhost.exe'
        9⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Blockperf\wininit.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'
        9⤵
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\dwm.exe'
        9⤵
        
        PID:1368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Blockperf\BlockDhcp.exe'
        9⤵
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gxLEna3CRC.bat"
        9⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:2512
        
        C:\Program Files\VideoLAN\taskhost.exe
        
        "C:\Program Files\VideoLAN\taskhost.exe"
        10⤵
        Executes dropped EXE
        
        PID:2756
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2056 -s 1760
        5⤵
        
        PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe
      "C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:340

C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe
C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2724
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2764
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2472
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Blockperf\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Blockperf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Blockperf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 11 /tr "'C:\Blockperf\BlockDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockDhcp" /sc ONLOGON /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 10 /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:792
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.0.1943716432\858117281" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8520e4e3-2f05-4c57-abc3-a84d06955a50} 496 "\\.\pipe\gecko-crash-server-pipe.496" 1272 14106558 gpu
    3⤵
    PID:2888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.1.1893896813\1595849461" -parentBuildID 20221007134813 -prefsHandle 1448 -prefMapHandle 1444 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd2aabb3-479f-4a31-8ab5-f8d03712fbc0} 496 "\\.\pipe\gecko-crash-server-pipe.496" 1460 e71c58 socket
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.2.1502788014\1511021034" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {220bf6c3-924e-4f5e-9976-79077e0c67e6} 496 "\\.\pipe\gecko-crash-server-pipe.496" 2060 1a56ad58 tab
    3⤵
    PID:2660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.3.1199999300\1620412271" -childID 2 -isForBrowser -prefsHandle 2516 -prefMapHandle 2496 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20836e4f-c1a4-40e6-8146-413f8126548f} 496 "\\.\pipe\gecko-crash-server-pipe.496" 2528 1c1ea658 tab
    3⤵
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.4.839741018\331785129" -childID 3 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f60b766a-14a0-4313-87a5-b755ce799841} 496 "\\.\pipe\gecko-crash-server-pipe.496" 2892 1c5e6e58 tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.5.746084104\1980859188" -childID 4 -isForBrowser -prefsHandle 3696 -prefMapHandle 3724 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cb738b3-be20-4c65-b3ca-dea4fef4b0d3} 496 "\\.\pipe\gecko-crash-server-pipe.496" 3732 1e9f2158 tab
    3⤵
    PID:3024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.6.400122587\2015634942" -childID 5 -isForBrowser -prefsHandle 3848 -prefMapHandle 3852 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {075f51c4-3150-41de-ac40-f6c67c8ecf06} 496 "\\.\pipe\gecko-crash-server-pipe.496" 3840 1e9f2758 tab
    3⤵
    PID:1328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="496.7.119810291\1863495352" -childID 6 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a19af84-a606-46a1-a08e-9a6670f24a53} 496 "\\.\pipe\gecko-crash-server-pipe.496" 4016 1e9f2458 tab
    3⤵
    PID:328

C:\Windows\system32\taskeng.exe
taskeng.exe {465BB98B-0AEE-414E-BE6D-4ABCB2114429} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
PID:3184
- C:\Users\Admin\AppData\Roaming\rat.exe
  C:\Users\Admin\AppData\Roaming\rat.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- - C:\Users\Admin\AppData\Roaming\rat.exe.exe
    "C:\Users\Admin\AppData\Roaming\rat.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:3288
- - C:\Windows\it-IT\conhost.exe
    "C:\Windows\it-IT\conhost.exe"
    3⤵
    - Executes dropped EXE
    PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Blockperf\BlockDhcp.exe

Filesize
1.9MB

MD5
885ad16db4188802c438079fef3e24bf

SHA1
8f941a38471c9ad803a5f79ada6fe88c0bcebe1b

SHA256
581d9667e6d2b6fa9c5630f72a5bfe24622719ab0adce77c5ac3f207af871b5c

SHA512
54e17934a19994b847070705741e3b10c4145b6e9b940a563ab0835b4975cb091afbd783e48a981abd84c1b684ea8c4abfd08a83469b2580058a1f9c1959ec55

Download Submit
C:\Blockperf\SsxsOgj7UItOyP.vbe

Filesize
256B

MD5
7bd4ae5733494fe9888a9fb6cc6212b6

SHA1
155ea81b368875d5015e49b11b7ccdb9458505bd

SHA256
00fafff153878b3bc60ab36aafda3d2fccbab69c728153733fcf857016c93d50

SHA512
c573019171da281cf08d64dfdec1f71ba444819f1f444021543296cdb3fe8225e024895294ca0856e588d20789cd763d65ffbd4a0ba5a5ecc645bda2e0080664

Download Submit
C:\Blockperf\W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat

Filesize
91B

MD5
1d4c24d719063e18d59f87ad8b86f7f0

SHA1
16e96049b02c4ac6017ea616e9419764da32feb9

SHA256
1fe35093cfbf50d0d702dc90e107c1ba9834e37b6e3be78063261eb8ed7a6051

SHA512
1902dec43b5e9552826d09f018b6edf78c993bc8ae96112918ab516790bc2d9c87f92769e4ebe28384f804036efa0fa7a405713226350638e5e4a6bdcaab46f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\63B539LLH0SAOGI.exe

Filesize
2.2MB

MD5
a61d423019f0f0b040c9fa740eac0b32

SHA1
f17c16cf0b313eb622511ce4dfcee561c8579611

SHA256
c6a3c48defac245c5a5895199196518308be9a1aaa6402ba08389eeb5671f4e1

SHA512
7086e88c7b8c48a66401dc8fb6e05ac5f34365b33f982f9b69af7feef5de75f6a73e507f14d6ab463c84ea385d547ccd17f0d02f109d37b30fc30b3be4f14feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01AA9726\Bafffree.exe

Filesize
11.6MB

MD5
06ecd8fc05f981e487cf6dece0e15ccc

SHA1
23dcd788dd8e8f679d968738974490964d05f981

SHA256
87f7c9282e4e3d6995af26d4183f02f55d13933aedac7b160023f77bdef71a68

SHA512
b71caf34de4fa26b79cd49bfea814fecd1d21c5993b7eebbbb74b90c1ada9e89af2157200c1e5d34cb39676d1cb3e5db40f48fe4b4bd1bcced83986ac29ed4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01AA9726\Bafffree.exe

Filesize
7.8MB

MD5
5dc0745931a0cbf90d9470dccb419d32

SHA1
db9169e45b88b1b74a78cf9d7833d64ed2450b53

SHA256
ca4e60b2a9f85d1e12bb0290e4c9b2368cd11648856f3faa1478254ec7989d46

SHA512
a76d874204671e7b551fcd943b057319c013a02babe73c95de9d05b1bb1b393676adf06960505dd6a409ea1220036f35257be8df68deb144e13fecf67815481b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA141.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneCoreUAPCommonProxyStub.exe

Filesize
2.6MB

MD5
7c14d590880406022bc0d8bdd3e2aa2c

SHA1
ffe66d0792a93e977f6366903cb349ac4cc6021c

SHA256
dbff26f5d4d1c5c35a636639161924c8bf6f8750be150fd1670092bd581a42ac

SHA512
c355ae4800a018a5651eb9222db16e7067cd2ec5a09fb619485441f4dd654dbb8d34051afb42622e086be0ad2a3aba46d8f9795a4c56f3e06b8bcd45fc1baf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe

Filesize
229KB

MD5
afa8bb7e6708d4b5c056079f642b65f9

SHA1
3cadcd7a2da0bc26fd7912f46bdc692e51752913

SHA256
9041042642f5c0b67443490fc595aaaa1858c3a8582602969f1af568cad398e9

SHA512
46392d04c3827a9f1602685bae2b10a69306839ce3af5b51889a70925e48654e0b8793ae4f68a4ce94f7c7dc71d0d69f0437583417b32cef9619024294351ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC13D.tmp

Filesize
1KB

MD5
ce86780c8d1a9584fc1b23a8fac24048

SHA1
c748bd3a91aaa691f4a55c1871aac53b920b7e6c

SHA256
e918d1d811fd083972754e134040e373667e3e1c6f36804cc1890f93da4fbf17

SHA512
667118bd88496e8e4e598ab24e85c0f2edadd0f21c5b9f8fbfaff5b3811510982e8fecc4121d3ac3ca8cce149ad15226be0551bb31827c157bc700f65f9427e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC17B.tmp

Filesize
1KB

MD5
1ac6adaf5b5b950abee66838bb6bd839

SHA1
b766f9c02ad0b44cac588652423ba28aced60ae9

SHA256
a23ba9f49dfdfcef7e1e1b485e2d0a20787c239d3a5c258754593f8dfc97c9d1

SHA512
9336424335b6f687b7779008eff84e8ce4faa05d10c55aaa7862ae54d9a6ea149603afff1b9df06cabf6c63a4d41969cd175cbae64d38cfedbcb4ddc32801d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA153.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxLEna3CRC.bat

Filesize
166B

MD5
040caaa0fa9f2e1f73cc0f758ef3aad5

SHA1
9cd1bf6d6a277567888ed80bad6c1106b9f50efc

SHA256
8f4484c67820952547871cac582860492e86db4242b81ecd4d33918781043a2c

SHA512
2f59fab20bd20348043204399a5945af2bd09b948a9a48911ed57661e456e8bfd3de670aa6dd8fdcfe1a9dc019282d39641665a393ae89eaf097bb2b035a9e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe

Filesize
5.6MB

MD5
f51da321a967b66e0eeb5c7d4dbd871f

SHA1
d040b83c888a0b44c472847366d05943485e0054

SHA256
ab9aa3f47addabb55623394a518921cd67bbca6c8f5ab2740d8fd3f92606b06c

SHA512
d9d4c98c72d73d1bb6090a01bd54a6ced4708aed05c230a4c7d53e5197483554664c0b8440c6f9253d45cac7e584c2b8c2ea0afbcdaf94687122619fb2b98cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe

Filesize
7.1MB

MD5
e4eb928e7cce7d473b2cc6d1df3e3190

SHA1
879975f8ee53a115c6139183e422e9772cef0ea4

SHA256
3e04620768b005af9baeec4349ff1df5e884d743a220a92144481345d8a0b446

SHA512
07525868d8d98e205973776bb6d9ed82eb38715c572d2727a327ec29f8e8ee3d87c7c19f76a7f46e69e4f6342bfc8c6b75b2f07f91f10594293c446f4d3391b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pautoenr.exe

Filesize
71KB

MD5
5adb580a8a93b829aefd180ab1773e19

SHA1
66f11192207b97a0e1d7df0d3a7080a555801d9a

SHA256
bf52359d6a85fd4df2d11603dfa1ccd90e432cdd19c64928791246cdb46ec03c

SHA512
1afabcc8b2963bd44eb9523e3d6f0957ed477a25292d1bcd4cd1188a62381fedf4d2d0d68b06b2f73b84d0b493ace4f9ee7f52b30ea264577e0e4c07f3927a04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6126556952316e2183b93c7cc25616ff

SHA1
26c93361b5a99a51c35fee66c78bfbc8de46f177

SHA256
05f9d9ab622b4471c3d404f69657776b8178f4de452ba36999a04143e172a80c

SHA512
ed77b522b27c54c527ec13e11025c46f5bc55ae2374a6d114234f08f7009f4df0578c1d4862f63d27b4551ca4547e4adbbef54d4fc365d38931f152175c62898

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
956480d7bdf7a8cad41930c6faff0544

SHA1
a0ea5c9bb8362e4480c4cdef9667d478689e9f17

SHA256
3d7c5f5351491aac380da133869bd5fa53f9f4f9fd73b311e93e210fb0eecddf

SHA512
6344e2b70b10e4c2d783a9151b2c10aa45ecfdd546baa822ead5f3332acffeca07824d4e246ecd099453c1350c90d6eb31fa4376f4c22d44a41ede7123a5c496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
052652612a137251d4603b215aa39867

SHA1
f862866d02f3f94f228951e4451aae410346d5f9

SHA256
e25e3a30ae067e213d93414a6ad348dbe858e1fc51c63c67740d50dac00d01c1

SHA512
b25d49eb48289660c0cf5d9fa7279f41806066a425387dd55b5df2406f9e00e920f976f60378491489729dee0c1ae0c2c1a1d59fc3117a1fe07e5b8b36849ffb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\573ba270-8ebe-4f21-893d-ae8f39aff374

Filesize
12KB

MD5
bb1ed7b4847cfd0bb64eb604d746047a

SHA1
41b2d5536f8d0cb402c230057346b3c39bf5e1e9

SHA256
1c55740f369174a5def24b25bb39bba320f44c69c590c265512c1010ed5d206b

SHA512
899df199df48b7e2b712ddc701f44fada9c3cf445d2f2dc27ad67cb36277ea9b1bd74116f137413f15b15227f96ab033b05a53b351f6ac4fd9e2456e59389412

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\dd65b60b-beb3-4aa8-9635-2554e8b277d0

Filesize
745B

MD5
4c180b0ed4dc09785c049c4848565c0b

SHA1
fc49553c32f81350bbc23dad6037515faa8c576c

SHA256
9903acf6904eb3f298d8421354beb7243c6f6574c1c74223be3c4fd6a8e39bd9

SHA512
74ca699fb643bef356a6a399f610d2f2b7bc50943d5e59f130643e414795417375d5c344e5caff80a8b251d4bf649c6f022aa322dc4df298d416820fb6bd9c67

Download Submit
C:\Users\Admin\AppData\Roaming\rat.exe

Filesize
4KB

MD5
015f1555576e2fdfb485c1dbca112bc1

SHA1
5aca66a5299374effa4d762945274efae4e551b8

SHA256
7a28604b07bf5b5ba2fcb2ab64b54fd9c32afad7ae973708f971de551b51b715

SHA512
7afb43a835f433985185130920044a276b35b0112d03199ba6edc8f861368137d188680e0ba7b5be71529ac4573a018efb429851501dd808d7441a8eafcd51f0

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1014B

MD5
6370af232d4fd25d542da59eedb851d7

SHA1
57f3eee511ac384e88e2578bcddbca0d130eaaa9

SHA256
cee379bb0152545fa11817c2793d8b04edf3f75b063dbddb3635a8e810b4c02d

SHA512
fefbddc3fb1012f892153ba40d8842c36115bee115e16f0eccbab55df7ec27a7cf9a736ea4cba71f1337942655544073b23b68460d6506589c142499575de0e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k05eabe5\k05eabe5.0.cs

Filesize
360B

MD5
4fb735a00e5049183f24518df3cb20c6

SHA1
880717f59a895ffde41be2676a01251e5d398409

SHA256
cdf119ac0abe0b3c99c4338ace6abb822fd346b0f7000e1f9d392077337cc125

SHA512
4d06f2bdcbd08839eaa4596f520b2ecac86dd4db57011d32aba97d0c51e23ec00aef1b039b90f1ab110998939de33aaa32e395be89db2f076b3b335d944e1d24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k05eabe5\k05eabe5.cmdline

Filesize
235B

MD5
c81b23164c61362b3e35e1682e8afd4a

SHA1
2b30b0ec6c0d62585c143c7f345b59d9b49b4c07

SHA256
41b4253d5b3c829bac4e7bef9d239be4b5d0bcc6461b5e94c87aa6173e1802d7

SHA512
f6bcf45f2baf18df037fd122e43b8882451db57c84037ec3aa651e7c4edb640460d8ca588cc2d5aff197da79390cd4d7265fa0b698fece58f46fa82e2293c36e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ucqobjea\ucqobjea.0.cs

Filesize
368B

MD5
72fff1af701005182accf00851c6d094

SHA1
1f1f96dab579dabc1875152e385b8a302f6227c5

SHA256
864fd2fc95fc2c65dfc7ee834ac2fa107a2ed502d7c65bf9ed58565568f023a5

SHA512
9eee7c01d268fc39f8de2682c5e5ac0c50335fd444a99dfa7adf75ac6259bb6fc07c89e1b1ee2f5444bb46e8953e5e67477109a88a4b7adba80321a956c93294

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ucqobjea\ucqobjea.cmdline

Filesize
243B

MD5
f31860f8201c7ecb0cc38036c9f93cda

SHA1
37c8fc9f8ca09fca54a179edbf84daf256f71f27

SHA256
4f8834302b7f470d2399021990d148e718247de7059a4dec3f9079b5d0b3f7dd

SHA512
ccca404a251323a1905a58ed059893ff0295d177812310161c03a483602f6161b559e07200d1f13a6fadb721f5bb709a0559631117abd724ced86e9929d4b632

Download Submit
\??\c:\Users\Admin\AppData\Roaming\CSCCABADF5DD504499811F5C25E9E3D2A0.TMP

Filesize
1KB

MD5
ba1dd2055e24bfbcb6ce5ba295e12ded

SHA1
70b3721965d577d55c1b71aaab9266cfa5b65709

SHA256
c67577458b1fed5104a88e79f559531fd93e3e41bcea82d6cbd750fa57009c76

SHA512
c16f4d3ad01b5f92f4f4494bc9f3855471e2848888ee317e8a9336b031e434122dbba647277b001f3aea557efea811d637af5421e90dfeadc183faee5f9c3b27

Download Submit
\??\c:\Windows\System32\CSCB3D83287F8F649A2BC97114A5B30D738.TMP

Filesize
1KB

MD5
984924caf6574026769de34f35c2358e

SHA1
6dd41e492235d812252231912aa025f47fa7a9e7

SHA256
2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986

SHA512
5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

Download Submit
\Users\Admin\AppData\Local\Temp\7zO01AA9726\Bafffree.exe

Filesize
7.9MB

MD5
1dd9b7824717abb49ded0e14c1f0a326

SHA1
455f66e783112c790a24df7d2947f87df3348599

SHA256
88c345ba8ba4061fb0765e4e8c6153c460429b874ca0888485ebd2a725f7fe54

SHA512
d2e2fa159a26292f8b987156a0adddb9e161102ae828e3e030e4f2dae99e09f73ed677c12d14ca0a48193be339bd446198f16731489979f257cfdc3d54c28113

Download Submit
\Users\Admin\AppData\Local\Temp\nvdebugdump.exe

Filesize
13.4MB

MD5
620bf28f920ea959bcf357c43c70a95d

SHA1
2c47d23853f15691a0ca6b10bb34e66cd3f4963c

SHA256
5243278657abc9314cdab49ac849a4feb13cee3b454f49300acf3a5162f3fe60

SHA512
09d27a733fe6913f860033af9770c1989e12f3988345fffdf743c7cb4a2d9dcd775881e26c1a65056c3495aac55fabfed903fdefb5e7688b5c13e0f186f0ceaf

Download Submit
\Users\Admin\AppData\Local\Temp\nvdebugdump.exe

Filesize
8.7MB

MD5
f7205ea850dd300e99c489d42efc8eee

SHA1
bcf7df2000ca2c15eca816349444de4e7ad99bf9

SHA256
5712caa9b7d30c13bb92bb540131234d7c344da0a5b19b4a18258e679b8fb287

SHA512
dd16087284070f9df1e37e7651f789c69c8d750fa5fd142460e5e4ea7a3e0fe4886d3c14702f49c7dae0ce6fabb057beea99249ab52519c66d847ef4fa2aa5ba

Download Submit
memory/608-89-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/608-91-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/608-93-0x000007FEEE070000-0x000007FEEEA0D000-memory.dmp

Filesize
9.6MB

Download
memory/608-94-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/608-95-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/608-96-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/608-97-0x000007FEEE070000-0x000007FEEEA0D000-memory.dmp

Filesize
9.6MB

Download
memory/608-92-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/608-90-0x000007FEEE070000-0x000007FEEEA0D000-memory.dmp

Filesize
9.6MB

Download
memory/976-130-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/976-131-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/976-127-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/976-128-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/976-132-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/976-134-0x00000000027DB000-0x0000000002842000-memory.dmp

Filesize
412KB

Download
memory/976-129-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/976-188-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/976-133-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/1756-110-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-112-0x0000000002E40000-0x0000000002EC0000-memory.dmp

Filesize
512KB

Download
memory/1756-105-0x0000000002E40000-0x0000000002EC0000-memory.dmp

Filesize
512KB

Download
memory/1756-103-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-117-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-114-0x0000000002E4B000-0x0000000002EB2000-memory.dmp

Filesize
412KB

Download
memory/1756-111-0x0000000002E40000-0x0000000002EC0000-memory.dmp

Filesize
512KB

Download
memory/1772-156-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-160-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-162-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-158-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-159-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-157-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2056-62-0x0000000000820000-0x0000000000838000-memory.dmp

Filesize
96KB

Download
memory/2056-166-0x0000000001F60000-0x0000000001F6C000-memory.dmp

Filesize
48KB

Download
memory/2056-119-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-71-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2056-142-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2056-60-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-80-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2072-83-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2072-77-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2072-76-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2072-79-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2072-78-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2072-81-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2072-82-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2116-70-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-58-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/2116-64-0x000000001A680000-0x000000001A700000-memory.dmp

Filesize
512KB

Download
memory/2116-61-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2168-143-0x000007FEEE070000-0x000007FEEEA0D000-memory.dmp

Filesize
9.6MB

Download
memory/2168-150-0x000007FEEE070000-0x000007FEEEA0D000-memory.dmp

Filesize
9.6MB

Download
memory/2168-144-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download
memory/2168-145-0x000007FEEE070000-0x000007FEEEA0D000-memory.dmp

Filesize
9.6MB

Download
memory/2168-146-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download
memory/2168-147-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download
memory/2168-148-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download
memory/2228-116-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2228-115-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-113-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2228-121-0x00000000027DB000-0x0000000002842000-memory.dmp

Filesize
412KB

Download
memory/2228-120-0x000007FEEEA10000-0x000007FEEF3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-118-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2440-69-0x00000000778A0000-0x0000000077A49000-memory.dmp

Filesize
1.7MB

Download
memory/2440-65-0x000000013F450000-0x0000000140B45000-memory.dmp

Filesize
23.0MB

Download
memory/2440-135-0x00000000778A0000-0x0000000077A49000-memory.dmp

Filesize
1.7MB

Download
memory/2508-63-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-34-0x000000001C0F0000-0x000000001C170000-memory.dmp

Filesize
512KB

Download
memory/2508-33-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-32-0x000000013F940000-0x0000000140744000-memory.dmp

Filesize
14.0MB

Download
memory/2692-294-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-293-0x0000000000100000-0x00000000002E6000-memory.dmp

Filesize
1.9MB

Download