ecab58d9e2edf6539e3cca667a72cb0ced2567bf30073f9f216af4a872c5beaf

Resubmissions

23/08/2024, 00:34

240823-aw7gxawdjg 9

Analysis

max time kernel
15s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240802-it
resource tags

arch:x64arch:x86image:win10v2004-20240802-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
23/08/2024, 00:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

release/map/Map.exe
Size

416KB
MD5

36c50332466b6e921edb79ea4b240278
SHA1

5b858fb375235e7638b7cef22ca972d27ce9cacc
SHA256

0a76f7d189b368598ee017d0094a6698ffff66d0f981f85769971170ca29e042
SHA512

fbc23c9d21e9dd3fbb7eac87fcee7e9db52d6c6450402ec90a7ba43940029af00d4ab9db8f0e662f30d8f99a34326673f26051932e2ae7afcfb377d053f4cc41
SSDEEP

12288:rbNG38Jf2mCsCTyTH8+vtQ7BWD24cVLxSf0:rbNG38Jf2mCsCTMc+laBH4cVLxSf

Score

8^/10

defense_evasion persistence

Malware Config

Signatures

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	Map.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Roblox Corporation\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Roblox Corporation"	Map.exe

Executes dropped EXE 2 IoCs

pid	Process
2248	dismhost.exe
1620	dismhost.exe

Loads dropped DLL 38 IoCs

pid	Process
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
2248	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe
1620	dismhost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1352	Map.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	4580	Dism.exe
Token: SeRestorePrivilege	4580	Dism.exe
Token: SeBackupPrivilege	4956	Dism.exe
Token: SeRestorePrivilege	4956	Dism.exe
Token: SeShutdownPrivilege	4492	shutdown.exe
Token: SeRemoteShutdownPrivilege	4492	shutdown.exe
Token: SeLoadDriverPrivilege	1352	Map.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4380	LogonUI.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1284	1352	Map.exe	85
PID 1352 wrote to memory of 1284	1352	Map.exe	85
PID 1284 wrote to memory of 4580	1284	cmd.exe	86
PID 1284 wrote to memory of 4580	1284	cmd.exe	86
PID 4580 wrote to memory of 2248	4580	Dism.exe	87
PID 4580 wrote to memory of 2248	4580	Dism.exe	87
PID 1352 wrote to memory of 2000	1352	Map.exe	97
PID 1352 wrote to memory of 2000	1352	Map.exe	97
PID 2000 wrote to memory of 4956	2000	cmd.exe	98
PID 2000 wrote to memory of 4956	2000	cmd.exe	98
PID 4956 wrote to memory of 1620	4956	Dism.exe	99
PID 4956 wrote to memory of 1620	4956	Dism.exe	99
PID 1352 wrote to memory of 1256	1352	Map.exe	102
PID 1352 wrote to memory of 1256	1352	Map.exe	102
PID 1256 wrote to memory of 4492	1256	cmd.exe	103
PID 1256 wrote to memory of 4492	1256	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\release\map\Map.exe
"C:\Users\Admin\AppData\Local\Temp\release\map\Map.exe"
1⤵
- Modify Registry: Disable Windows Driver Blocklist
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dism /online /get-featureinfo /featurename:VirtualMachinePlatform
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\Dism.exe
    dism /online /get-featureinfo /featurename:VirtualMachinePlatform
    3⤵
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\dismhost.exe {2736C147-1867-47ED-A31F-D19A7603F096}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dism /online /get-featureinfo /featurename:HypervisorPlatform
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\Dism.exe
    dism /online /get-featureinfo /featurename:HypervisorPlatform
    3⤵
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\C782E3EC-B31A-4D86-BF84-1EBE82132E6A\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\C782E3EC-B31A-4D86-BF84-1EBE82132E6A\dismhost.exe {66F5B280-1A3F-4E3B-99D4-319DFE3B4710}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r /t 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\shutdown.exe
    shutdown /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4492

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\IBSProvider.dll

Filesize
59KB

MD5
120f0a2022f423fc9aadb630250f52c4

SHA1
826df2b752c4f1bba60a77e2b2cf908dd01d3cf7

SHA256
5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0

SHA512
23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\ImagingProvider.dll

Filesize
218KB

MD5
35e989a1df828378baa340f4e0b2dfcb

SHA1
59ecc73a0b3f55e43dace3b05ff339f24ec2c406

SHA256
874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d

SHA512
c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\IntlProvider.dll

Filesize
296KB

MD5
510e132215cef8d09be40402f355879b

SHA1
cae8659f2d3fd54eb321a8f690267ba93d56c6f1

SHA256
1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52

SHA512
2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\MsiProvider.dll

Filesize
207KB

MD5
9a760ddc9fdca758501faf7e6d9ec368

SHA1
5d395ad119ceb41b776690f9085f508eaaddb263

SHA256
7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f

SHA512
59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\OfflineSetupProvider.dll

Filesize
182KB

MD5
9cd7292cca75d278387d2bdfb940003c

SHA1
bab579889ed3ac9cb0f124842c3e495cb2ec92ac

SHA256
b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f

SHA512
ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\ProvProvider.dll

Filesize
753KB

MD5
70c34975e700a9d7e120aaecf9d8f14b

SHA1
e24d47f025c0ec0f60ec187bfc664e9347dc2c9c

SHA256
a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7

SHA512
7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\SetupPlatformProvider.dll

Filesize
159KB

MD5
1ae66f4524911b2728201fff6776903c

SHA1
68bea62eb0f616af0729dbcbb80dc27de5816a83

SHA256
367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3

SHA512
7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\SmiProvider.dll

Filesize
246KB

MD5
ad7bbb62335f6dc36214d8c9fe1aaca0

SHA1
f03cb2db64c361d47a1c21f6d714e090d695b776

SHA256
ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb

SHA512
4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\SysprepProvider.dll

Filesize
778KB

MD5
8bd67d87dbdcf881fb9c1f4f6bf83f46

SHA1
10bd2e541b6a125c29f05958f496edf31ff9abb1

SHA256
f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204

SHA512
258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\TransmogProvider.dll

Filesize
1.3MB

MD5
84ae9659e8d28c2bd19d45dbe32b6736

SHA1
2a47058eafab4135a55575a359fbd22390788e93

SHA256
943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4

SHA512
d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\UnattendProvider.dll

Filesize
228KB

MD5
f7bd21c4170b1397eb098fa18ef45d4b

SHA1
05d36abc4853eda468eab68d289337962c76195f

SHA256
05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0

SHA512
8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\VhdProvider.dll

Filesize
560KB

MD5
c6488a9b3569230669c72f3239cbc108

SHA1
87b9b2ab5de52f246c1936480463bd402ad519b9

SHA256
4ed23b46188dae12523f96a2755434c0574cd27584f9921133b0b4c1017b8a36

SHA512
47ae886893032306e9b69b2d1c736ce23061b5be7552d2ed1d680b91e45fe0225b5acb12b83f6d572ef0b270dbaa47af3320516f4bfadb0a2889a9ffed45a66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\WimProvider.dll

Filesize
589KB

MD5
229df404d67e69e57f9e284a66f2adeb

SHA1
7f4f703dbe8c274f5104d4d104dafcadf0c3857b

SHA256
8b7821a1fb9170c6aa1ec25eea378f43661812eba25064bb95999156b472c377

SHA512
917912cdfcf1d46f691cadc6e7aaae1a302a66721beec0e9b22e394592b290605caf410221045f2ce89896e5d9602ee4946202f2de9390e92c8aaa5a609b3a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\en-US\IBSProvider.dll.mui

Filesize
2KB

MD5
d4b67a347900e29392613b5d86fe4ac2

SHA1
fb84756d11bfd638c4b49268b96d0007b26ba2fb

SHA256
4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5

SHA512
af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\en-US\SysprepProvider.dll.mui

Filesize
3KB

MD5
93d076056dd01dfc64d95d4c552a2dff

SHA1
a90fd06a62c6d63d87e00f5f7e9646b44d2c726a

SHA256
4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4

SHA512
b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\AppxProvider.dll.mui

Filesize
25KB

MD5
beaa6c9c4e67cc2e6a18775dc7b6da19

SHA1
e30f58a2a6d9b634be80c965f23aac9fc2d0c3c4

SHA256
cbb34cf67dc87b2a060d4b75e3c94730f4565650210bd251a0b73e07588213d4

SHA512
ab24d242cb9129ae8f851fba689a5e868e03cf9b9342bb68c145436f2adec77b70f51c7c31d1b27acd210732f421828be645e21716a5a95a3d4cfac6614ef81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\AssocProvider.dll.mui

Filesize
9KB

MD5
5b467c45cdd1f5df351c88e2aba85a11

SHA1
6d6732a51199b1a90c0fbea2b4f555bd36231ced

SHA256
2239cbeb285351230632a7dfd39feeee1fca91cee314676121a7cb71bd31d6bc

SHA512
6bb3854c22ead036d38c9ae6b968eca3f573d7f17d69a5c2e9fc5e9d79f392240f3b010f67a2fb272aedd65c2d752fc70a8b4e5fd0188aad0108e24c97ba676a

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\CbsProvider.dll.mui

Filesize
60KB

MD5
94ff160e9844b094a59a6ade787a1fb8

SHA1
8d8e5d3bad491325f8701767908c5c8db902aa3a

SHA256
41d2932082117e8a0495524255a5b384862413e471083aba58f05c0805a403e2

SHA512
a8f8ace61f53989174b7211312ebd35c868d079a575e93ffd95a7abc193075527ea686e7d7142412c1e3f8bdc8b37bf8cd1d07f601eb1e79f152754d97307447

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\DismCore.dll.mui

Filesize
8KB

MD5
0e4351e98c2720e0dbe098746aac8de8

SHA1
77171dddee21dd1f8801cd3ab421ed59a1bd6735

SHA256
aecec5cfbfabb1c8646b7efd4c2cee17ba3ad056c4dae44c420da736ecb61365

SHA512
a4f26a0b4f153eb4aff21434a3c06cd00369c006d1b706b22c7e24fc315d4db13d34f233e78dac3f3f37c32acdc4df64877c0d6728a0865f075cec34b0fcab57

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\DmiProvider.dll.mui

Filesize
19KB

MD5
e008f678d3e0f7263ef4af05a8e86c6c

SHA1
6367a747b8a3c3cca488cba17e5cc4d1f9fd2d0d

SHA256
0b08fe0aa971ad3fda569c129b1f6e4605bf025c264b107828d3abdfcdebc58e

SHA512
89d720b44e35d53ff6899e8eb6aae99482a55895190c9dc20575930c44c343231caa5e7f9ed212b02e2d2ee294d6c3db06a29a60de1d1c8c6e13a18248ece8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\FfuProvider.dll.mui

Filesize
9KB

MD5
c6f85c85f5e5bcd13003dbb6ffaf0b94

SHA1
693007ff47a374dedfd408abd858f6a55adee82a

SHA256
dbcbb5218ad6363845f4f7615d2d3c775fef1e421f7a0f1918c4ac54288e06f9

SHA512
607a4f990e36da572d980d24599769518c235653d3d0cf9c12287770eebd3962d7538eb112899bc0b6b8dbbff9c1ec0fad220e25ed39344264a5a4e321e47bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\FolderProvider.dll.mui

Filesize
2KB

MD5
8e8f3a993636d31c04c4454b94b3cee8

SHA1
76ac076a72cf98ee8c118bb97f7a83861a9a2ca0

SHA256
996fe201d45099fd72b7ef93495fb11c875cffea770d6b41e90f815e64090174

SHA512
12dad2ac3cb3e6d5de4a4ce3a20d7c6bc8c4d1a36dd2726e279fa25232c585693ee8540ed35078633bd2ee0fd41f09747e91defab60da71fc0a6e790b12ae65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\GenericProvider.dll.mui

Filesize
5KB

MD5
9c1cd51ae8e1b13f88aef5d06c724e13

SHA1
15b5b2150832e32aed0bd4e6f6750cf8fde92ac2

SHA256
81e744ae77bdfdfa7602b808b97e5c9f7066b8994e79630d155d87fc6eecc5e9

SHA512
ba17a831a77110a3a6ae592e97191663b0bbc8dd15f8b597c5cd1634625e696f47b1195265194f23a576aec02ae80b6c595e524409e25a5be5abaa4579288628

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\ImagingProvider.dll.mui

Filesize
19KB

MD5
95e04f99f554382c19c632b5856ff54d

SHA1
d4292e03c213f92b43e965be2a6e506807d0f374

SHA256
e29c8a3872a4c2e7d9f98c38fe90d40d471a46219b20fd0916708f55b9ae8a32

SHA512
a86c047020316dd575c96f5aeb78162ca199b04c3d7b44a680326b87fdfe2b9e1b6adf1ce54631fa1a5d9d8cf4dfe904192a5082f061484fd444265e0dd8e248

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\IntlProvider.dll.mui

Filesize
32KB

MD5
4906d8cf79603c4b485440c04a832e7c

SHA1
0ccc3ddb7a4a0c425271537094b0a5670bb27993

SHA256
b7bef046cf104c8eaf0697007ea35261d0c8a5500d584fb707cfad9f9055fd78

SHA512
7c2ab03cbcf25e2bf4883c4a8410ef86be78cdd75dafe1b115bf6ea01d1272d4b36e90ae688673fc34a483c930663a1bfd518524a8de30bed54d8bbef6651106

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\LogProvider.dll.mui

Filesize
6KB

MD5
11e473163495717bd22c340353a9f0ea

SHA1
a162c63c1f5b15676b5898480061f47e131277cd

SHA256
9c96c8b812c0603525985f6b6f83df016064d513cdbd321db6982750f39bad07

SHA512
3e23c991353ee843b464977e10b6f56a2977d93b7cf666ad92724a029bfd8c6a51d3c74d99a614756d5f675cccae23c3e5f5d1cd936ab57f3a3d940fd8c7b19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\MsiProvider.dll.mui

Filesize
17KB

MD5
a675898b9ba9d64864c18c74f1c412c5

SHA1
d774dd3d6266d36901176644440f2d04ec5d8b61

SHA256
6759d936ceb9e1568c6f8c2b536aa665528666a4bb1bc36a4e7cc1418584d3d8

SHA512
e5de32652f7b3d3c56df9d1aa2a7f99046d235d58e088bf8a918a1b3fe273801142b09672bdf17b54d067e765936f469a050992fcb10f56c6d23d378079be4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\OSProvider.dll.mui

Filesize
3KB

MD5
107de92a12daac69d7d35db6383f3288

SHA1
1ac50d3531ba1fe26db66a80dc5bab328584f3a8

SHA256
1593b71998aea17dbe2d79dcb724c8e322cf2b42f1085287aecc4846c6110fc7

SHA512
4b63c5889e9fa68570459cc9d6b365443e2efee6a962a356c53749c0d873ce5766cf98e4de6dd4f0653073055241679a26c74df789791dd9f216fb5cd90a5ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\OfflineSetupProvider.dll.mui

Filesize
2KB

MD5
f3c9a0354a32371faa1ef99d5f95e4ab

SHA1
ac20b37ff15cfdf11b9bcbe327335a474a1b3ffd

SHA256
7786258c88638cef31b2f012dcc6982ddb504575b4197b2d35004531d644c676

SHA512
53f9e8dae08aa8cb4297721ba5e47d4855ef6b35066ce727a416468d2ccfa574b0caf432e9bf2411490a06dc0fe00529e5ba7652f78423c1a320625d8b50b81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\ProvProvider.dll.mui

Filesize
4KB

MD5
3a9147271851e3cf031227e616c7d710

SHA1
33f789539bf7cd1ec71532a361b858e96aecd450

SHA256
dd3129c091c6a6606f5ed2155cf08b3fc8145de346afb0d1cf61c9ce41c94784

SHA512
19587e2dc95f8be9158e3b8a723dd2a9ae31024267ee8939fbdad81ae962a9f2a4329df2b9ed9aba7edb97c52553de3f78410903d37aa76f7c6a81e92a7aee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\SetupPlatformProvider.dll.mui

Filesize
6KB

MD5
4de5ad5431eb5aa8b8598edcad003479

SHA1
933f68c3facd43eed511711fa4b684328b9350fa

SHA256
69aa27c46af765eff41bb9d3d89b8103e088cf2d675ca7f8f75b2863685293c4

SHA512
b643c984dcdfd43928a3d48d8bccf22c90fc9ec368216cd79b697f6b9f857ab09d522220a878c20d8a32d2defb4a94fc483f2e403169ceed7edd920a8346ad05

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\SmiProvider.dll.mui

Filesize
2KB

MD5
3c544db581cd2b12c2e1243f146ae7f4

SHA1
e4160b0837f701a8ee886774396cdcc5564b961f

SHA256
523cb94c141e426b66e9b3be4ee07a6ff9212d77cb968c18f36927252abcf63e

SHA512
f8515d62e6093983d631d38ff011fb2a7d2ce0f6893de4df0ff9acc980b5786288744c80a922148d0fbf82c08933202f56d68c679d1aea2837c5f4c92bfbcc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\TransmogProvider.dll.mui

Filesize
18KB

MD5
604a38894edcbf4a5e5a80ffc1152867

SHA1
baa59863ba8394035d81cea801af73ad03c5ab05

SHA256
8f35db3053ba5c4fd7d6cffcd250fb483c0796754b2d70de6410314e86fb23d7

SHA512
0061d8b7c699b7b132e81e29aefe646067e7383c9d86e408bee1979c2d4068dbf6833d305e6ee749be73aa9d27553cbb3b454aa6c7df1f934871c65d5ea3daef

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\UnattendProvider.dll.mui

Filesize
5KB

MD5
74ef7fe50beca88b126dc4fc16b39876

SHA1
d740740bd0e9fe889e5d88d6733261966f880c34

SHA256
bdeebe8e6233c79e8e951325ee86ea56921dffce60d6198ac506428b1c303d80

SHA512
9d7bb5cdb52b344e8a2700f5321cda483c77cf8949720a1968f678c85bfc23a1b1392643bc6b825ba454ea06d6fbd2fba22cde4bff799fd4269d4a80aa803773

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\VhdProvider.dll.mui

Filesize
8KB

MD5
cbdcb943ab6ca6c3d52e99a1a2cddddd

SHA1
a08440ffebc85b123427e11b6892ce7c49a73d37

SHA256
8e024654cf1869d28cc7b0ae5e170ad2ca815e5ea67823c79dd383faf0231171

SHA512
63535d89d28d1b1a34ba6afd3f6c4c31e49d4dce20e212220efa88128f15e36ef4d28ca3ed7ee02d7ed01650bb890bf614cbe18d9a93348fb278cda19c4e4c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\WimProvider.dll.mui

Filesize
31KB

MD5
84ef0cde36b5c8073d4ab7ee2d55d5ce

SHA1
3802a7da41170976de01af537f44eabb1217d807

SHA256
34cffaf476ce3ffc41aa6d43818bd541d65eb4b8a7760d0d085049961da303b8

SHA512
3d69fa4a00f548fc4a2962870db17382fb66fcc0ad59023977587e18cf5495b63e09a5735f24f6073bb2b24e41e6261e4253df9dc5ef5730bcd8540bce29e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\813DDE53-3E99-4DCE-9E52-5E36A25B2AFA\it-IT\dismprov.dll.mui

Filesize
2KB

MD5
1f7ff9949dabba4ad3cdbf4d0759b033

SHA1
9b12cd640830ec801427155d77c693d68091c326

SHA256
5feb00e3b46a7097453b6b4d4c133a8cfcba60a677e5e349634224746717db21

SHA512
edb16133a8deec5a8f19eee31a301766338bcb2c7631d171962b4142c698d08e32c4d38febc95adefabf089bcb190eb9b42d3f944a3aa4594347681fbed48a69

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
221KB

MD5
a0c4418b1a9e92eb65b4fe17744c7515

SHA1
4c81c3fd45dfccc3db57f6782e281400cb291a26

SHA256
496c82ec602ea43553ba71ad61e7801f110edc782f16f76ba415f7d2f859fb5c

SHA512
155d9c87c4bedc47fbc7461b7d5dd2f6d5e425adc181f86679ef1e2e267247f06d78de43804d1dda4c8819bf821d0c55b971f540e00128a2b58c9ffb9efc8d31

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
244KB

MD5
fc65a6b7f8e22f37a7781524e2ef78f2

SHA1
dbfd0d4d4b9dd2dd5758bf291308b6f9e96b7b69

SHA256
7eb95cc48ff803a0216c960e851883a4055263d2a60e3d9b041880c0e1235098

SHA512
fbf145ecc621be3e79d57cb6f3eb70681d8b975ba62d9a0ee5459caec41094f28260e1bc9dfa75333f8f5575e39cb711ef8c954b294a719c4cb4e1c081cb53c2

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads