7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 01:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Size

1.8MB
MD5

a827a96f84fd96ff687d1011c924ff12
SHA1

b7c77ebf0dd9b9276ffa980d19a18d1b38cccac0
SHA256

7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f
SHA512

0bd5643d74c9bd673eacd89e2356596dad638d116b0e6022fcbb462b60609686675ca7f1c93fa6820ee2c6d964bdf085894374a62a401ca056591339f86180f8
SSDEEP

24576:c7Zs3/D1H+cZvKUfcr/hL5Jr/wrFcCZHEbbNEZrKEKe3X:cVsPD1NZbYJ5Jr4Jc8kbikEKe3

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\services.exe\", \"C:\\Program Files\\Common Files\\wininit.exe\", \"C:\\Users\\Default User\\dllhost.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\services.exe\", \"C:\\Program Files\\Common Files\\wininit.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\fontdrvhost.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\services.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\services.exe\", \"C:\\Program Files\\Common Files\\wininit.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4828	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4828	schtasks.exe	87

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral2/memory/1860-0-0x00000000000B0000-0x000000000027C000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000700000002321c-56.dat	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 12 IoCs

pid	Process
3760	services.exe
1632	services.exe
1520	services.exe
1564	services.exe
2240	services.exe
2604	services.exe
3224	services.exe
3712	services.exe
4964	services.exe
3128	services.exe
608	services.exe
4704	services.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Uninstall Information\\fontdrvhost.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\services.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\services.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Common Files\\wininit.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Uninstall Information\\fontdrvhost.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Common Files\\wininit.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC71D949ED458841008CA73982A811241.TMP	csc.exe
File created	\??\c:\Windows\System32\b-zayo.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
File created	C:\Program Files\Common Files\wininit.exe	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
File created	C:\Program Files\Common Files\56085415360792	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
File opened for modification	C:\Program Files\Uninstall Information\fontdrvhost.exe	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\unsecapp.exe	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
File created	C:\Windows\fr-FR\29c1c3cc0f7685	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1264	schtasks.exe
4712	schtasks.exe
3584	schtasks.exe
3952	schtasks.exe
2704	schtasks.exe
860	schtasks.exe
692	schtasks.exe
2980	schtasks.exe
3864	schtasks.exe
4896	schtasks.exe
3636	schtasks.exe
2604	schtasks.exe
5012	schtasks.exe
1572	schtasks.exe
4436	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	services.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1028	PING.EXE
5012	PING.EXE
1408	PING.EXE
212	PING.EXE
4432	PING.EXE
364	PING.EXE
1048	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
Token: SeDebugPrivilege	3760	services.exe
Token: SeDebugPrivilege	1632	services.exe
Token: SeDebugPrivilege	1520	services.exe
Token: SeDebugPrivilege	1564	services.exe
Token: SeDebugPrivilege	2240	services.exe
Token: SeDebugPrivilege	2604	services.exe
Token: SeDebugPrivilege	3224	services.exe
Token: SeDebugPrivilege	3712	services.exe
Token: SeDebugPrivilege	4964	services.exe
Token: SeDebugPrivilege	3128	services.exe
Token: SeDebugPrivilege	608	services.exe
Token: SeDebugPrivilege	4704	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4380	1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe	91
PID 1860 wrote to memory of 4380	1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe	91
PID 4380 wrote to memory of 4252	4380	csc.exe	93
PID 4380 wrote to memory of 4252	4380	csc.exe	93
PID 1860 wrote to memory of 792	1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe	107
PID 1860 wrote to memory of 792	1860	7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe	107
PID 792 wrote to memory of 4648	792	cmd.exe	110
PID 792 wrote to memory of 4648	792	cmd.exe	110
PID 792 wrote to memory of 364	792	cmd.exe	111
PID 792 wrote to memory of 364	792	cmd.exe	111
PID 792 wrote to memory of 3760	792	cmd.exe	116
PID 792 wrote to memory of 3760	792	cmd.exe	116
PID 3760 wrote to memory of 1700	3760	services.exe	117
PID 3760 wrote to memory of 1700	3760	services.exe	117
PID 1700 wrote to memory of 4040	1700	cmd.exe	119
PID 1700 wrote to memory of 4040	1700	cmd.exe	119
PID 1700 wrote to memory of 2672	1700	cmd.exe	120
PID 1700 wrote to memory of 2672	1700	cmd.exe	120
PID 1700 wrote to memory of 1632	1700	cmd.exe	121
PID 1700 wrote to memory of 1632	1700	cmd.exe	121
PID 1632 wrote to memory of 1608	1632	services.exe	123
PID 1632 wrote to memory of 1608	1632	services.exe	123
PID 1608 wrote to memory of 2980	1608	cmd.exe	125
PID 1608 wrote to memory of 2980	1608	cmd.exe	125
PID 1608 wrote to memory of 1572	1608	cmd.exe	126
PID 1608 wrote to memory of 1572	1608	cmd.exe	126
PID 1608 wrote to memory of 1520	1608	cmd.exe	127
PID 1608 wrote to memory of 1520	1608	cmd.exe	127
PID 1520 wrote to memory of 2304	1520	services.exe	128
PID 1520 wrote to memory of 2304	1520	services.exe	128
PID 2304 wrote to memory of 2296	2304	cmd.exe	130
PID 2304 wrote to memory of 2296	2304	cmd.exe	130
PID 2304 wrote to memory of 1048	2304	cmd.exe	131
PID 2304 wrote to memory of 1048	2304	cmd.exe	131
PID 2304 wrote to memory of 1564	2304	cmd.exe	132
PID 2304 wrote to memory of 1564	2304	cmd.exe	132
PID 1564 wrote to memory of 4092	1564	services.exe	133
PID 1564 wrote to memory of 4092	1564	services.exe	133
PID 4092 wrote to memory of 4576	4092	cmd.exe	135
PID 4092 wrote to memory of 4576	4092	cmd.exe	135
PID 4092 wrote to memory of 1028	4092	cmd.exe	136
PID 4092 wrote to memory of 1028	4092	cmd.exe	136
PID 4092 wrote to memory of 2240	4092	cmd.exe	137
PID 4092 wrote to memory of 2240	4092	cmd.exe	137
PID 2240 wrote to memory of 4628	2240	services.exe	138
PID 2240 wrote to memory of 4628	2240	services.exe	138
PID 4628 wrote to memory of 860	4628	cmd.exe	140
PID 4628 wrote to memory of 860	4628	cmd.exe	140
PID 4628 wrote to memory of 5012	4628	cmd.exe	141
PID 4628 wrote to memory of 5012	4628	cmd.exe	141
PID 4628 wrote to memory of 2604	4628	cmd.exe	142
PID 4628 wrote to memory of 2604	4628	cmd.exe	142
PID 2604 wrote to memory of 1600	2604	services.exe	143
PID 2604 wrote to memory of 1600	2604	services.exe	143
PID 1600 wrote to memory of 2560	1600	cmd.exe	145
PID 1600 wrote to memory of 2560	1600	cmd.exe	145
PID 1600 wrote to memory of 3148	1600	cmd.exe	146
PID 1600 wrote to memory of 3148	1600	cmd.exe	146
PID 1600 wrote to memory of 3224	1600	cmd.exe	147
PID 1600 wrote to memory of 3224	1600	cmd.exe	147
PID 3224 wrote to memory of 4232	3224	services.exe	148
PID 3224 wrote to memory of 4232	3224	services.exe	148
PID 4232 wrote to memory of 2324	4232	cmd.exe	150
PID 4232 wrote to memory of 2324	4232	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe
"C:\Users\Admin\AppData\Local\Temp\7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\glyo13nt\glyo13nt.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8647.tmp" "c:\Windows\System32\CSC71D949ED458841008CA73982A811241.TMP"
    3⤵
    PID:4252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RxMw7GFpg3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4648
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:364
- - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
    "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4040
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2672
    - - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\znx0BCuWHE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1572
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R64HSi6Xsg.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1048
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:1028
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:5012
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3148
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1104
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AhXa08j1h6.bat"
        18⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1408
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lkMeKtMa8h.bat"
        20⤵
        
        PID:2680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4716
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"
        22⤵
        
        PID:728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:212
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4OUXFRIcf.bat"
        24⤵
        
        PID:1420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:404
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"
        26⤵
        
        PID:2856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
406d15a76e2ddca1229bdfb1d4b9518a

SHA1
88c455ec9a9c46e422f92e34c56afee4a2e1ef67

SHA256
b3962e6d42e27ef9361243e90b4d1aab348c15b2a592bf5d9fbf1fd95b5bed73

SHA512
eb7eadcb0fa846fe41a5001ef3227962863f9341a1970ae3c1183086e16e853f1196858b1b198f8ae49d9cec06f59e1c655c1f0e4bf60246a9f05d8a5f5c8653

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhXa08j1h6.bat

Filesize
194B

MD5
3b2f816f30ab6c586f3e7f6c8af0038d

SHA1
07de38342230831913a8101e5f70396b7b2babe9

SHA256
ef99871ed1df9ae43fc41f742edf8dc89cc572b50686919d2e8aa3cc96956c19

SHA512
bb34c72d45ff9301eb83b7296b8203728ee866294e86a2230931a5e561516eb589fda9d1e0a64025cd5df124846bed98cf68cadde882b94133e57c6227c7a6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4OUXFRIcf.bat

Filesize
242B

MD5
446f13d603625590ded24b98746b18c4

SHA1
47f971741a4dbe18e5cba0252e9908c0882f316c

SHA256
f29a2e32465e6a93326c043c9576f3b03adaca8448fe7b61b58efacd6f90b1dd

SHA512
40fcaed8388a368477c79e95ec366022a771a369e5453dedbdb5a1d1cc4d661bb8a36aaa1e3efa387db6cc5b1a373c5fd5c433e8623f6e19bf5e4bc7e5689db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\R64HSi6Xsg.bat

Filesize
194B

MD5
f41138acd60d2057656222278a0f03f4

SHA1
cc367bad5635869b319364be65f3478a16693730

SHA256
697aa94c1a48f824b0daa5fe712b82cf962d6a872357f1c87d8cd5c4511f0e65

SHA512
ce15d6242eb42a58b6981d5e28859d6b420f471418d1b83af115cf7c959e84c77bd853c3e272defa60b548c17d87e667acb73f0da999f8190ea5aa0d626cd17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8647.tmp

Filesize
1KB

MD5
17b4807115a12260443bdc02a7658e42

SHA1
7d0f701a9d4b8e3f779a75e9814657fdac802c5c

SHA256
f5572a63fd691281f7e8b3a6e688f3bab2ace6d068aa3556d86d9eaebf29de68

SHA512
592492ce3a3cc70349d0e2b6c86faa37ca2d663fa6a3679e3ddb677ad2c4b8a66c3947edb943003348c3022aa1a87e48a9b338eb8519e0b7e5a9d08f480942cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RxMw7GFpg3.bat

Filesize
194B

MD5
22fa00dec6b9156ec167d2a0bc3781ea

SHA1
638cd38966cdb821e9ee5bdc725ea4e63104aabd

SHA256
3118da0e5a346875d4075b2fe185f44e1efeb00826b6df6e1b5a589a56d2ee6c

SHA512
7db8e806af569d19ed913676adb1489ce031c6c4ce9fb95f0d513a8dcfb1fa9b41450046aab1fe4e9dbfd4d5cb0fb5bec096caeb042ae0b4f7596bc00b4ab606

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat

Filesize
194B

MD5
2a922c7f5da4411e6699208c6a3968d1

SHA1
8720885a164f0fc09b3e15dbb634f15beff607d4

SHA256
4aae8cdb492d3768c70913980a6b6c9bcf7108eabe1bce7de084cdb467f8ffdf

SHA512
629c7bfe683234b9a14e611dcc392155019e683a867beea3006510149ff8793583e05ccdfba3974fb9870241f505661f312874bb75b13edf148800cb834fb896

Download Submit
C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat

Filesize
194B

MD5
26fbafe3b08e6158e92ee55691b0f73f

SHA1
abb31e59aea765db450060a0c6c47c05e9a24725

SHA256
532846493772bcc9424dc16d8ce3a8a43293cc792ef4183b13e9faa43c8a9e8b

SHA512
d7a1c7600d7cbdc9f8ccce5f3aa352e5b54c952fb567c3e1f3113f518518e7db9136d11455f0cf2ad6f3e69953877bd0f8b807293a7543050a98f94270c606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkMeKtMa8h.bat

Filesize
242B

MD5
7dd8dbef29dc152425331dd63e332252

SHA1
e823ce31172ce534c2368f657972a3987aefc292

SHA256
cc37bd7a35414f452410a93ea95ec7c484c6569da4a907d6adfce56fdcea2118

SHA512
9d0aa281f3ede645769affbbaef854cb65f2a953532457c83078cb2b57e17bca3c5eaa3c7c9b6eae016fa3a8ed78dc350ab1e51a5f6367f8219d539dd4877a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat

Filesize
242B

MD5
3904aaf8f4c95f0e4d15a1e10ee10e3d

SHA1
9732a9da40e2c423e219cca3d82a9208abafca40

SHA256
a3130a44eed97b38c05dd62e9051c772e33979abb665789f6dcaaf6fa3aedf1c

SHA512
cc359af9bcb418140d8b70d064dba6ebe36b79789f5e208ddc40f2421ab70f623019376164f1cdf0a8e2d54198da8fc81f4f41ecb5cd305f53dffd243b788991

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat

Filesize
194B

MD5
7e9d2cb364826fd9b8987297d42bfa20

SHA1
42d363cd4cad304c80440f9eeb54a4a611eda457

SHA256
d48198f9cad7e46e0c0c580782296b8bf2efb80b30d7dc39e6efba18f60c74e9

SHA512
ecfa8df5983bdeb319c54d226c838a9cecc8253ec3579a300354cac783a06ce49d640a601f0f36d5061cdbeb8ffbe7fd7c3c55953a198e8c965d5f04addecfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat

Filesize
194B

MD5
ca3f4a3117e48a63fd59ffaea14a4aea

SHA1
5d438dc9143857778090e8c894a9af3b6b2e774a

SHA256
33f5cd0fac61cf42100c1d81eb60798a3a05d0ad20fb25d9fd349834612b4290

SHA512
c6f88b2995d920333301f0ab2a8e133910f75439eaa9762f76aa2da6753891bdacb6cfa5f21aa0a8e40bba92b388c4d48384bfd28708569fa5110135d339097b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat

Filesize
242B

MD5
701924a116bef34224d65c2b0c8e42d7

SHA1
328e42599d9f7d333741092bda313dd264cad46f

SHA256
893e4c4ed8dd888ffaf5746e93e6689ac2b0f6faadceefabb8afc530d97f9da5

SHA512
48e0f79a27ab4ad3a44ee19994f0f6de0872c35db2ab1a5a597d1a823f0cf9b77dcdfe364c463a51d585ea6316ba96b72e14a3c9676fea3d73949b9c9531122a

Download Submit
C:\Users\Admin\AppData\Local\Temp\znx0BCuWHE.bat

Filesize
242B

MD5
2780db6068dfc588959617f81cafc2da

SHA1
0e623eb72a04a8cc069ab858f652a2222864afa1

SHA256
29ce5e6f25372b2301649bee3d8720b7af28ca0f7b27070420688a56b6833d9c

SHA512
9e9ae0a0fb5b061b7c1618cd9bd2f3b30b1ed24476ad0959e0f60b6651829925d96ae4049f9ec04a9ef150e796f66cb77a1adc99e41b8cf2a42bd14e18728ef7

Download Submit
C:\Windows\fr-FR\unsecapp.exe

Filesize
1.8MB

MD5
a827a96f84fd96ff687d1011c924ff12

SHA1
b7c77ebf0dd9b9276ffa980d19a18d1b38cccac0

SHA256
7f5c96ca278229949de22c06aaf092e73ffdad1e96230261017ce52f1691d03f

SHA512
0bd5643d74c9bd673eacd89e2356596dad638d116b0e6022fcbb462b60609686675ca7f1c93fa6820ee2c6d964bdf085894374a62a401ca056591339f86180f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\glyo13nt\glyo13nt.0.cs

Filesize
386B

MD5
6f23d4169a0453ded734470e2128298f

SHA1
2ded09de46d7134dc3036e824bb78f44270fb8a9

SHA256
b7ad28fd58092174074b696cf76e40ae1f09ff673a36f21ffda03feed7ab1849

SHA512
17074b86b592d143d389caa93c09edfe5ba127684d39ad7263732e26e39b6847fe2c9abac84af6e4f244374f3901f06f7e745ef2c474ec9ec2b4285d8bcfeeed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\glyo13nt\glyo13nt.cmdline

Filesize
235B

MD5
a16ddde72f288f01b82b6f3447571ccf

SHA1
9622b706a06e8d1ec630ed3eca9302037e8c0e45

SHA256
ec26bf8a682f9c21318623b3a9b35ccf8f14f4ce18594d59a3f37f4f8331aaa8

SHA512
c243019cf05cedf18f6dd91cf84769611bb2b73e419d969b5334f1dd62db8009299e331fdf2b90e96f160b8491fb3bc7da4a2a2a6b2c006b4b816220258d0573

Download Submit
\??\c:\Windows\System32\CSC71D949ED458841008CA73982A811241.TMP

Filesize
1KB

MD5
034975df584775df51df835472ae2f29

SHA1
2e9efa14024f8c6ac3b29957246141f6d8c055c7

SHA256
98f71b6bcf1a73d6d1204fb62d3c18dd4274b7cfbbcdf8847fdf2585212907c3

SHA512
15733f1f18a1b270bc42f17a2ededf7d52ba11783b9b2b4c10bcc3161de3a03aa02ff390131d28ec4de98b4a19c3d7c6bdd0417c0a5d9d8949bd01d788b7e6c4

Download Submit
memory/608-465-0x000000001CC10000-0x000000001CD12000-memory.dmp

Filesize
1.0MB

Download
memory/1632-137-0x00007FFA2FAD0000-0x00007FFA30591000-memory.dmp

Filesize
10.8MB

Download
memory/1632-121-0x00007FFA2FAD0000-0x00007FFA30591000-memory.dmp

Filesize
10.8MB

Download
memory/1632-123-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/1632-124-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/1632-130-0x00007FFA4C520000-0x00007FFA4C521000-memory.dmp

Filesize
4KB

Download
memory/1632-132-0x00007FFA4C510000-0x00007FFA4C511000-memory.dmp

Filesize
4KB

Download
memory/1632-134-0x00007FFA4C500000-0x00007FFA4C501000-memory.dmp

Filesize
4KB

Download
memory/1860-76-0x00007FFA2FBD0000-0x00007FFA30691000-memory.dmp

Filesize
10.8MB

Download
memory/1860-18-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/1860-37-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/1860-40-0x000000001C370000-0x000000001C3CA000-memory.dmp

Filesize
360KB

Download
memory/1860-39-0x00007FFA4C4E0000-0x00007FFA4C4E1000-memory.dmp

Filesize
4KB

Download
memory/1860-41-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/1860-43-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1860-44-0x00007FFA4C4D0000-0x00007FFA4C4D1000-memory.dmp

Filesize
4KB

Download
memory/1860-47-0x000000001B1E0000-0x000000001B1EE000-memory.dmp

Filesize
56KB

Download
memory/1860-45-0x00007FFA4C4C0000-0x00007FFA4C4C1000-memory.dmp

Filesize
4KB

Download
memory/1860-36-0x00007FFA4C4F0000-0x00007FFA4C4F1000-memory.dmp

Filesize
4KB

Download
memory/1860-35-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/1860-33-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/1860-31-0x00007FFA2FBD0000-0x00007FFA30691000-memory.dmp

Filesize
10.8MB

Download
memory/1860-30-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1860-0-0x00000000000B0000-0x000000000027C000-memory.dmp

Filesize
1.8MB

Download
memory/1860-77-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/1860-28-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/1860-1-0x00007FFA2FBD0000-0x00007FFA30691000-memory.dmp

Filesize
10.8MB

Download
memory/1860-2-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/1860-3-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/1860-6-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/1860-7-0x00007FFA4C570000-0x00007FFA4C571000-memory.dmp

Filesize
4KB

Download
memory/1860-5-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/1860-8-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/1860-10-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/1860-11-0x00007FFA4C560000-0x00007FFA4C561000-memory.dmp

Filesize
4KB

Download
memory/1860-12-0x000000001B1F0000-0x000000001B240000-memory.dmp

Filesize
320KB

Download
memory/1860-14-0x0000000002460000-0x0000000002478000-memory.dmp

Filesize
96KB

Download
memory/1860-15-0x00007FFA4C550000-0x00007FFA4C551000-memory.dmp

Filesize
4KB

Download
memory/1860-16-0x00007FFA4C540000-0x00007FFA4C541000-memory.dmp

Filesize
4KB

Download
memory/1860-32-0x00007FFA4C500000-0x00007FFA4C501000-memory.dmp

Filesize
4KB

Download
memory/1860-20-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/1860-21-0x00007FFA4C530000-0x00007FFA4C531000-memory.dmp

Filesize
4KB

Download
memory/1860-22-0x00007FFA4C520000-0x00007FFA4C521000-memory.dmp

Filesize
4KB

Download
memory/1860-26-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/1860-24-0x000000001C2F0000-0x000000001C302000-memory.dmp

Filesize
72KB

Download
memory/1860-25-0x00007FFA4C510000-0x00007FFA4C511000-memory.dmp

Filesize
4KB

Download
memory/3128-427-0x000000001C8C0000-0x000000001C9C2000-memory.dmp

Filesize
1.0MB

Download
memory/3760-103-0x00007FFA4C4F0000-0x00007FFA4C4F1000-memory.dmp

Filesize
4KB

Download
memory/3760-110-0x00007FFA4C4C0000-0x00007FFA4C4C1000-memory.dmp

Filesize
4KB

Download
memory/3760-107-0x00007FFA4C4D0000-0x00007FFA4C4D1000-memory.dmp

Filesize
4KB

Download
memory/3760-106-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/3760-118-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/3760-104-0x00007FFA4C4E0000-0x00007FFA4C4E1000-memory.dmp

Filesize
4KB

Download
memory/3760-102-0x00007FFA2FAD0000-0x00007FFA30591000-memory.dmp

Filesize
10.8MB

Download
memory/3760-100-0x00007FFA4C500000-0x00007FFA4C501000-memory.dmp

Filesize
4KB

Download
memory/3760-96-0x00007FFA4C520000-0x00007FFA4C521000-memory.dmp

Filesize
4KB

Download
memory/3760-97-0x00007FFA4C510000-0x00007FFA4C511000-memory.dmp

Filesize
4KB

Download
memory/3760-90-0x00007FFA4C550000-0x00007FFA4C551000-memory.dmp

Filesize
4KB

Download
memory/3760-91-0x00007FFA4C540000-0x00007FFA4C541000-memory.dmp

Filesize
4KB

Download
memory/3760-94-0x00007FFA4C530000-0x00007FFA4C531000-memory.dmp

Filesize
4KB

Download
memory/3760-87-0x00007FFA4C560000-0x00007FFA4C561000-memory.dmp

Filesize
4KB

Download
memory/3760-117-0x00007FFA2FAD0000-0x00007FFA30591000-memory.dmp

Filesize
10.8MB

Download
memory/3760-86-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/3760-85-0x00007FFA4C570000-0x00007FFA4C571000-memory.dmp

Filesize
4KB

Download
memory/3760-84-0x00007FFA4C580000-0x00007FFA4C63E000-memory.dmp

Filesize
760KB

Download
memory/3760-82-0x00007FFA2FAD0000-0x00007FFA30591000-memory.dmp

Filesize
10.8MB

Download
memory/4704-497-0x000000001D940000-0x000000001DAAA000-memory.dmp

Filesize
1.4MB

Download