xmrig | 0049147ea9abb61beeae3f5cc878917bf5c81effc49dc8b7bc735dfa6962e74b

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
Size

104KB
MD5

9a24a00438a4d06d64fe4820061a1b45
SHA1

6e59989652dff276a6dfa0f287b6c468a2f04842
SHA256

66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54
SHA512

80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629
SSDEEP

1536:KlULHCIFmav82fkJMTZ0imzS6ussgExLXCxnbKG:wUDeO9TZH6SngYsbKG

Score

10^/10

xmrig evasion miner persistence spyware stealer trojan

Malware Config

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

sysblardsv.exesyslmgrsvc.exesyslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	syslmgrsvc.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

3981811977.exewupgrdsv.exe

description	pid	process	target process
PID 1832 created 1212	1832	3981811977.exe	Explorer.EXE
PID 1832 created 1212	1832	3981811977.exe	Explorer.EXE
PID 1684 created 1212	1684	wupgrdsv.exe	Explorer.EXE
PID 1684 created 1212	1684	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 24 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblardsv.exewinqlsdrvcs.exesyslmgrsvc.exesyslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1684-189-0x000000013FDA0000-0x0000000140316000-memory.dmp	xmrig
behavioral1/memory/2808-215-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2808-246-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2808-247-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2808-258-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2808-267-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2808-277-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2808-288-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2808-291-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 32 IoCs

Processes:

sysblardsv.exe3111711213.exesyslmgrsvc.exe42713306.exewinqlsdrvcs.exe636523735.exe3185727556.exe1963417490.exeWindows Security Upgrade Service.exe967315877.exe3213218731.exe3659712554.exe44917359.exe324089906.exeWindows Security Upgrade Service.exe1223933781.exe215331352.exe110822101.exe3981811977.exe1608422680.exewupgrdsv.exeWindows Security Upgrade Service.exe1635913855.exe270062585.exe771214800.exesyslmgrsvc.exe130125863.exe1893430724.exe561722154.exe3052613277.exe308024452.exe3107728395.exe

pid	process
2380	sysblardsv.exe
2748	3111711213.exe
2248	syslmgrsvc.exe
3052	42713306.exe
2536	winqlsdrvcs.exe
2352	636523735.exe
1068	3185727556.exe
1596	1963417490.exe
2096	Windows Security Upgrade Service.exe
2548	967315877.exe
2800	3213218731.exe
3032	3659712554.exe
1636	44917359.exe
1044	324089906.exe
1440	Windows Security Upgrade Service.exe
1256	1223933781.exe
1628	215331352.exe
2028	110822101.exe
1832	3981811977.exe
2452	1608422680.exe
1684	wupgrdsv.exe
1804	Windows Security Upgrade Service.exe
1652	1635913855.exe
1000	270062585.exe
3008	771214800.exe
2212	syslmgrsvc.exe
2616	130125863.exe
2492	1893430724.exe
2768	561722154.exe
1772	3052613277.exe
2320	308024452.exe
1040	3107728395.exe

Loads dropped DLL 35 IoCs

Processes:

sysblardsv.exesyslmgrsvc.exewinqlsdrvcs.exe3185727556.exe3213218731.exetaskeng.exe771214800.exesyslmgrsvc.exe

pid	process
2380	sysblardsv.exe
2380	sysblardsv.exe
2380	sysblardsv.exe
2248	syslmgrsvc.exe
2248	syslmgrsvc.exe
2380	sysblardsv.exe
2536	winqlsdrvcs.exe
1068	3185727556.exe
2248	syslmgrsvc.exe
2380	sysblardsv.exe
2536	winqlsdrvcs.exe
2248	syslmgrsvc.exe
2380	sysblardsv.exe
1068	3185727556.exe
2536	winqlsdrvcs.exe
2248	syslmgrsvc.exe
2380	sysblardsv.exe
2800	3213218731.exe
2248	syslmgrsvc.exe
2876	taskeng.exe
1068	3185727556.exe
2248	syslmgrsvc.exe
2380	sysblardsv.exe
2380	sysblardsv.exe
2248	syslmgrsvc.exe
2248	syslmgrsvc.exe
3008	771214800.exe
3008	771214800.exe
2212	syslmgrsvc.exe
2212	syslmgrsvc.exe
2212	syslmgrsvc.exe
2212	syslmgrsvc.exe
2212	syslmgrsvc.exe
2212	syslmgrsvc.exe
2212	syslmgrsvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exewinqlsdrvcs.exesyslmgrsvc.exesysblardsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winqlsdrvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe3111711213.exe42713306.exe771214800.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblardsv.exe"	66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	3111711213.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winqlsdrvcs.exe"	42713306.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syslmgrsvc.exe"	771214800.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 1684 set thread context of 2808 1684 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 1684 set thread context of 2808	1684	wupgrdsv.exe	notepad.exe

Drops file in Windows directory 7 IoCs

Processes:

42713306.exe771214800.exe66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe3111711213.exe

description	ioc	process
File opened for modification	C:\Windows\winqlsdrvcs.exe	42713306.exe
File created	C:\Windows\syslmgrsvc.exe	771214800.exe
File created	C:\Windows\sysblardsv.exe	66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
File opened for modification	C:\Windows\sysblardsv.exe	66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
File created	C:\Windows\syslmgrsvc.exe	3111711213.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	3111711213.exe
File created	C:\Windows\winqlsdrvcs.exe	42713306.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2200 schtasks.exe
2112 schtasks.exe

pid	process
2200	schtasks.exe
2112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

3981811977.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
1832	3981811977.exe
1832	3981811977.exe
2644	powershell.exe
1832	3981811977.exe
1832	3981811977.exe
1684	wupgrdsv.exe
1684	wupgrdsv.exe
1336	powershell.exe
1684	wupgrdsv.exe
1684	wupgrdsv.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

syslmgrsvc.exe

pid process

2248 syslmgrsvc.exe

pid	process
2248	syslmgrsvc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeLockMemoryPrivilege	2808	notepad.exe
Token: SeLockMemoryPrivilege	2808	notepad.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

notepad.exe

pid	process
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

notepad.exe

pid	process
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe
2808	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exesysblardsv.exe3111711213.exe42713306.exesyslmgrsvc.exewinqlsdrvcs.exe3185727556.exe

description	pid	process	target process
PID 1756 wrote to memory of 2380	1756	66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe	sysblardsv.exe
PID 1756 wrote to memory of 2380	1756	66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe	sysblardsv.exe
PID 1756 wrote to memory of 2380	1756	66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe	sysblardsv.exe
PID 1756 wrote to memory of 2380	1756	66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe	sysblardsv.exe
PID 2380 wrote to memory of 2748	2380	sysblardsv.exe	3111711213.exe
PID 2380 wrote to memory of 2748	2380	sysblardsv.exe	3111711213.exe
PID 2380 wrote to memory of 2748	2380	sysblardsv.exe	3111711213.exe
PID 2380 wrote to memory of 2748	2380	sysblardsv.exe	3111711213.exe
PID 2748 wrote to memory of 2248	2748	3111711213.exe	syslmgrsvc.exe
PID 2748 wrote to memory of 2248	2748	3111711213.exe	syslmgrsvc.exe
PID 2748 wrote to memory of 2248	2748	3111711213.exe	syslmgrsvc.exe
PID 2748 wrote to memory of 2248	2748	3111711213.exe	syslmgrsvc.exe
PID 2380 wrote to memory of 3052	2380	sysblardsv.exe	42713306.exe
PID 2380 wrote to memory of 3052	2380	sysblardsv.exe	42713306.exe
PID 2380 wrote to memory of 3052	2380	sysblardsv.exe	42713306.exe
PID 2380 wrote to memory of 3052	2380	sysblardsv.exe	42713306.exe
PID 3052 wrote to memory of 2536	3052	42713306.exe	winqlsdrvcs.exe
PID 3052 wrote to memory of 2536	3052	42713306.exe	winqlsdrvcs.exe
PID 3052 wrote to memory of 2536	3052	42713306.exe	winqlsdrvcs.exe
PID 3052 wrote to memory of 2536	3052	42713306.exe	winqlsdrvcs.exe
PID 2248 wrote to memory of 2352	2248	syslmgrsvc.exe	636523735.exe
PID 2248 wrote to memory of 2352	2248	syslmgrsvc.exe	636523735.exe
PID 2248 wrote to memory of 2352	2248	syslmgrsvc.exe	636523735.exe
PID 2248 wrote to memory of 2352	2248	syslmgrsvc.exe	636523735.exe
PID 2380 wrote to memory of 1068	2380	sysblardsv.exe	3185727556.exe
PID 2380 wrote to memory of 1068	2380	sysblardsv.exe	3185727556.exe
PID 2380 wrote to memory of 1068	2380	sysblardsv.exe	3185727556.exe
PID 2380 wrote to memory of 1068	2380	sysblardsv.exe	3185727556.exe
PID 2536 wrote to memory of 1596	2536	winqlsdrvcs.exe	1963417490.exe
PID 2536 wrote to memory of 1596	2536	winqlsdrvcs.exe	1963417490.exe
PID 2536 wrote to memory of 1596	2536	winqlsdrvcs.exe	1963417490.exe
PID 2536 wrote to memory of 1596	2536	winqlsdrvcs.exe	1963417490.exe
PID 1068 wrote to memory of 2096	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 1068 wrote to memory of 2096	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 1068 wrote to memory of 2096	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 1068 wrote to memory of 2096	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 2248 wrote to memory of 2548	2248	syslmgrsvc.exe	967315877.exe
PID 2248 wrote to memory of 2548	2248	syslmgrsvc.exe	967315877.exe
PID 2248 wrote to memory of 2548	2248	syslmgrsvc.exe	967315877.exe
PID 2248 wrote to memory of 2548	2248	syslmgrsvc.exe	967315877.exe
PID 2380 wrote to memory of 2800	2380	sysblardsv.exe	3213218731.exe
PID 2380 wrote to memory of 2800	2380	sysblardsv.exe	3213218731.exe
PID 2380 wrote to memory of 2800	2380	sysblardsv.exe	3213218731.exe
PID 2380 wrote to memory of 2800	2380	sysblardsv.exe	3213218731.exe
PID 2536 wrote to memory of 3032	2536	winqlsdrvcs.exe	3659712554.exe
PID 2536 wrote to memory of 3032	2536	winqlsdrvcs.exe	3659712554.exe
PID 2536 wrote to memory of 3032	2536	winqlsdrvcs.exe	3659712554.exe
PID 2536 wrote to memory of 3032	2536	winqlsdrvcs.exe	3659712554.exe
PID 2248 wrote to memory of 1636	2248	syslmgrsvc.exe	44917359.exe
PID 2248 wrote to memory of 1636	2248	syslmgrsvc.exe	44917359.exe
PID 2248 wrote to memory of 1636	2248	syslmgrsvc.exe	44917359.exe
PID 2248 wrote to memory of 1636	2248	syslmgrsvc.exe	44917359.exe
PID 2380 wrote to memory of 1044	2380	sysblardsv.exe	324089906.exe
PID 2380 wrote to memory of 1044	2380	sysblardsv.exe	324089906.exe
PID 2380 wrote to memory of 1044	2380	sysblardsv.exe	324089906.exe
PID 2380 wrote to memory of 1044	2380	sysblardsv.exe	324089906.exe
PID 1068 wrote to memory of 1440	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 1068 wrote to memory of 1440	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 1068 wrote to memory of 1440	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 1068 wrote to memory of 1440	1068	3185727556.exe	Windows Security Upgrade Service.exe
PID 2536 wrote to memory of 1256	2536	winqlsdrvcs.exe	1223933781.exe
PID 2536 wrote to memory of 1256	2536	winqlsdrvcs.exe	1223933781.exe
PID 2536 wrote to memory of 1256	2536	winqlsdrvcs.exe	1223933781.exe
PID 2536 wrote to memory of 1256	2536	winqlsdrvcs.exe	1223933781.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
  "C:\Users\Admin\AppData\Local\Temp\66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\sysblardsv.exe
    C:\Windows\sysblardsv.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\3111711213.exe
      C:\Users\Admin\AppData\Local\Temp\3111711213.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\syslmgrsvc.exe
        
        C:\Windows\syslmgrsvc.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\636523735.exe
        
        C:\Users\Admin\AppData\Local\Temp\636523735.exe
        6⤵
        Executes dropped EXE
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\967315877.exe
        
        C:\Users\Admin\AppData\Local\Temp\967315877.exe
        6⤵
        Executes dropped EXE
        
        PID:2548
      - C:\Users\Admin\AppData\Local\Temp\44917359.exe
        
        C:\Users\Admin\AppData\Local\Temp\44917359.exe
        6⤵
        Executes dropped EXE
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\215331352.exe
        
        C:\Users\Admin\AppData\Local\Temp\215331352.exe
        6⤵
        Executes dropped EXE
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\1608422680.exe
        
        C:\Users\Admin\AppData\Local\Temp\1608422680.exe
        6⤵
        Executes dropped EXE
        
        PID:2452
      - C:\Users\Admin\AppData\Local\Temp\1635913855.exe
        
        C:\Users\Admin\AppData\Local\Temp\1635913855.exe
        6⤵
        Executes dropped EXE
        
        PID:1652
      - C:\Users\Admin\AppData\Local\Temp\771214800.exe
        
        C:\Users\Admin\AppData\Local\Temp\771214800.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3008
        
        C:\Users\Admin\syslmgrsvc.exe
        
        C:\Users\Admin\syslmgrsvc.exe
        7⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\130125863.exe
        
        C:\Users\Admin\AppData\Local\Temp\130125863.exe
        8⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\1893430724.exe
        
        C:\Users\Admin\AppData\Local\Temp\1893430724.exe
        8⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\561722154.exe
        
        C:\Users\Admin\AppData\Local\Temp\561722154.exe
        8⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3052613277.exe
        
        C:\Users\Admin\AppData\Local\Temp\3052613277.exe
        8⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\308024452.exe
        
        C:\Users\Admin\AppData\Local\Temp\308024452.exe
        8⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3107728395.exe
        
        C:\Users\Admin\AppData\Local\Temp\3107728395.exe
        8⤵
        Executes dropped EXE
        
        PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\42713306.exe
      C:\Users\Admin\AppData\Local\Temp\42713306.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\winqlsdrvcs.exe
        
        C:\Windows\winqlsdrvcs.exe
        5⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\1963417490.exe
        
        C:\Users\Admin\AppData\Local\Temp\1963417490.exe
        6⤵
        Executes dropped EXE
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\3659712554.exe
        
        C:\Users\Admin\AppData\Local\Temp\3659712554.exe
        6⤵
        Executes dropped EXE
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\1223933781.exe
        
        C:\Users\Admin\AppData\Local\Temp\1223933781.exe
        6⤵
        Executes dropped EXE
        
        PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\3185727556.exe
      C:\Users\Admin\AppData\Local\Temp\3185727556.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:1440
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\3213218731.exe
      C:\Users\Admin\AppData\Local\Temp\3213218731.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\3981811977.exe
        
        C:\Users\Admin\AppData\Local\Temp\3981811977.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\324089906.exe
      C:\Users\Admin\AppData\Local\Temp\324089906.exe
      4⤵
      Executes dropped EXE
      PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\110822101.exe
      C:\Users\Admin\AppData\Local\Temp\110822101.exe
      4⤵
      Executes dropped EXE
      PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\270062585.exe
      C:\Users\Admin\AppData\Local\Temp\270062585.exe
      4⤵
      Executes dropped EXE
      PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2200
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2112
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {53AE61E7-3DCF-4CF7-BA32-F677FB6C4557} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:2876
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\_3[1]

Filesize
9KB

MD5
4c12165bc335a32cb559c828484a86a6

SHA1
c2e78c57f15a1a3a190be415aac3d1e3209ce785

SHA256
4831bd83c39ec9d898ccc1023858c81a03326b7c1c5dd8e24fdf9b2171707d1a

SHA512
f44df78b6f16255496b2fa35e28c185011c2bebf47730a68fd1369abf87f390684a8786a167319319d14a12da3768c1edef8e36037cde339a1ffe8c62c3ea87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\2[1]

Filesize
14KB

MD5
202339099ee228628d08ccd9b9dff02f

SHA1
024f31908d986f3cca659da6c5f15c756e6b96eb

SHA256
b3395083c95e4e25611cb0e78be88790ea95b6e09f6d23298785fc4a0c08ce15

SHA512
dafc69ade061a15f67ba34b25204092b2ffa7e3a418b249b0fa7dc7bfa609d336b9146c4a6e31a01de92b5b00efbe0fa4e7a553cbbc0d9372d92288fbe634697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\5[1]

Filesize
8KB

MD5
8d82457b70c900a2424b5102fb14b488

SHA1
4ad15f68ca90468bfdadaa66d1ef7ce2e973621d

SHA256
6d0bb70919d36b939773006943cf62bb871d1ca7b51d2518f5197931dc1a0949

SHA512
9dfd54fdd18b33fedd0b91080fd45b7931b4a52c27ddd91b39444bcb52fcedd6ef3e6400e681435a6839f9388848d173a7cde10b6497decd4095a2a4829545ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\andrpup[1]

Filesize
93KB

MD5
d42f332184afc06d183db122eb16e7f7

SHA1
09666bad8ba602f1fc9b6df109f81d8df9209e8e

SHA256
7c9759a8583dc85e94b2314931f713d665c8096c224cab2e162dc5045e26a3aa

SHA512
9a27acc50818a656baf66cfb7b8f25faa856fb8a2cf944f95dbf4d0e67fbad01a96fccaffdd9c379318aee054a616cf0551d6625b7a7af3e4248ae387138d006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\4[1]

Filesize
10KB

MD5
226d4edd2a5253fc2e70808cf9efd76f

SHA1
82d59f9f392d5f1a3c8ba891f55f63332d501c0d

SHA256
8e45adf4b63d076d7cbf1066ec2b6168ec03ac78ce80b5531891fb380a90b4c1

SHA512
2a065783ddca61b606df788136b965a02c06043ca7adae02cda667de7f3f05c69ce1eb8fd6426548e96ac17873eca219563c75fdfe4a4c1a98bc4fb3a348a1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\44917359.exe

Filesize
10KB

MD5
4381ff636b5551a966838c23b152ab90

SHA1
ff2ffca3a584ff300648ea138fa3331c711771e0

SHA256
1e337ed3d9d65d6f6cb626dc086166fcae0a7dc0f81ee8163444856a19973408

SHA512
1c851552b24c7cc96a405dd879b599fa0c53fea043f34fe69d24b0fb0269c7278bd475e34df6dd519cff9198209e005cf8636d2647f0b850ca0e3e22a6fa80cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E6F4OJDD91NCYIYLTZNW.temp

Filesize
7KB

MD5
2a2808dc617314d2b96a53e5a10a6cc0

SHA1
165346ff304404efe4cc11d2e91a4ed651828d21

SHA256
668282cf75aef750f0c870042620b6470ce9efbac0f6f86006687caed27ae244

SHA512
482fe519edfb4d8f6dd91dc7156def1d1d7966f04067c3ec23b68ac21d5021864a828d4ae878dc2e7c36f40b9fb01eae476c396ab82c0d63debc76f9ac7f1faa

Download Submit
C:\Users\Admin\tbtcmds.dat

Filesize
287B

MD5
762a5fb075a2ed493e83ce8c2335adcc

SHA1
c703d1055a25a7fa9f930f7311322d03f9cbbdc3

SHA256
ab7add8c38bc51dd1c8e76fad079db676923a6368e59459d24b9164c5a975496

SHA512
b51a49388068267b40d5dfa044f69278d3077ae12659212bf3f5b6e98f954dc1458ddccc3cae83ec3ff2b89acbd0a53c9d4a274d5304c096711c7976eff9f500

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
73c9785e5a55bf6409040bbab02d33b5

SHA1
25d023feb4eee3b372064a60991c5d377701fcda

SHA256
5e5efb8c2371cd971d5a795f928d256bf7e62cf4a13e91ee5e9cb8a14c1072e7

SHA512
fc21deb12c386568495c6f2b7372560453ec9e769a3f444894413837363a2ad905c415ea9757b7c96f85fe6a8d6f8bff7c9d9044485ee30041b26060f521e76e

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
7422156abd03b6468b8acdf49117cbd3

SHA1
9b09b9fa201c44b72659b81fed0d6abeb59aa094

SHA256
9b60e692752e14d8f4379acf9fc8d7f8820e97cf1f2a68cfbc906edcd3066400

SHA512
a2ef3939a346b27debf2f53a4f8b66fb904b35946dcd3d1c7712abe73b95ed691df3e0556492dbd9500b2946586ffe1b6c8e453cf7ac7df7e5877bffc7550ff5

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
b6020d219f8733658e84bff6d5d1ea48

SHA1
c841662c9fcabd8b7f5aae8bf20390dfb10e8731

SHA256
771c51d34c1064e708c906c6c461d3787e42b336eea2fd82e05e53ef7f1e8c90

SHA512
607046e23f4cc4fd981f7581f933bba95d620bb1779f01c1ea47784cb6dff0b0c6bd408e560c1735962c1937b5cacc13192104cd77de7402d853d6eee9f64754

Download Submit
C:\Windows\sysblardsv.exe

Filesize
104KB

MD5
9a24a00438a4d06d64fe4820061a1b45

SHA1
6e59989652dff276a6dfa0f287b6c468a2f04842

SHA256
66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

SHA512
80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

Download Submit
\Users\Admin\AppData\Local\Temp\110822101.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
\Users\Admin\AppData\Local\Temp\1963417490.exe

Filesize
8KB

MD5
9b8a3fb66b93c24c52e9c68633b00f37

SHA1
2a9290e32d1582217eac32b977961ada243ada9a

SHA256
8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293

SHA512
117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

Download Submit
\Users\Admin\AppData\Local\Temp\3111711213.exe

Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
\Users\Admin\AppData\Local\Temp\3185727556.exe

Filesize
10KB

MD5
47340d40e7f73e62cf09ac60fd16ad68

SHA1
effd38f6561155802d3e5090f5714589eae5ce6e

SHA256
e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c

SHA512
2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

Download Submit
\Users\Admin\AppData\Local\Temp\3213218731.exe

Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
\Users\Admin\AppData\Local\Temp\324089906.exe

Filesize
8KB

MD5
11d2f27fb4f0c424ab696573e79db18c

SHA1
d08ece21a657bfa6ea4d2db9b21fbb960d7f4331

SHA256
dee9dca027009b7d2885ace7b968d2e9505a41b34756b08343338f8ef259e9be

SHA512
a60de41caa6113430ab4ab944b800579f574f9b964c362f9c62bbfc1bd85dccd01b628809367e15cfe6baaba32c1255f8db07e434ff7bcf5e90d9b3d1f6a4cd4

Download Submit
\Users\Admin\AppData\Local\Temp\3981811977.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
\Users\Admin\AppData\Local\Temp\42713306.exe

Filesize
14KB

MD5
686899bd841d603551a0429d09cb906c

SHA1
c827bc460766c0c39fa9ad27918fb0f409379eb3

SHA256
483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77

SHA512
850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

Filesize
20KB

MD5
35dc584405379993ceb29d5314d15d99

SHA1
2dbb31a27bf5cee87fd81a9431bb97ca6e07f9bc

SHA256
22be0689856c5e26d3b742120386b3895a3749e9a2e76d3b356eed2ea2df5f94

SHA512
9ab4a6027b8ecd8fef7af684286a95d15024fb130ac1c924db3345532a91da77e7b12200ea687ba0722756457e4266ee2afcfec4a24aae979e92e341c13dd377

Download Submit
memory/1336-185-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1336-186-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1684-189-0x000000013FDA0000-0x0000000140316000-memory.dmp

Filesize
5.5MB

Download
memory/1832-164-0x000000013F190000-0x000000013F706000-memory.dmp

Filesize
5.5MB

Download
memory/2644-160-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2644-161-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2808-215-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2808-246-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2808-247-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2808-190-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2808-258-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2808-267-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2808-277-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2808-288-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2808-291-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download