glupteba | 15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7

Analysis

max time kernel
168s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
22-02-2022 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe
Size

7.8MB
MD5

806d297449de5c2277b26aab659a09fd
SHA1

27ae769be6454b62920856ce15443d6e4b45ae00
SHA256

15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7
SHA512

0fc3502436f6360bad3021ee79d636ed62cdf7880522ed65b0d33c89d77630e88154a8f53234053350382db0fc2d8ee7c9adcd81217d839207ea213cccab176e

Score

10^/10

glupteba metasploit smokeloader socelars backdoor discovery dropper evasion loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1924-143-0x00000000052B0000-0x0000000005BD6000-memory.dmp	family_glupteba
behavioral2/memory/1924-145-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3652-174-0x0000000005330000-0x0000000005C56000-memory.dmp	family_glupteba
behavioral2/memory/3652-175-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3660-194-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2240 3344 rUNdlL32.eXe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3344	rUNdlL32.eXe

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3640 created 2092 3640 WerFault.exe rundll32.exe
PID 3480 created 3644 3480 WerFault.exe File.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3640 created 2092	3640	WerFault.exe	rundll32.exe
PID 3480 created 3644	3480	WerFault.exe	File.exe

Executes dropped EXE 16 IoCs

Processes:

Updbdate.exeInfo.exeFolder.exemd9_1sjm.exeKRSetp.exeInstall.exeFolder.exeFile.exepub2.exeFiles.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exeinjector.exeG1lR6sPntolQqQACgqjNxUvz.exe

pid	process
1700	Updbdate.exe
1924	Info.exe
2304	Folder.exe
960	md9_1sjm.exe
2280	KRSetp.exe
208	Install.exe
1620	Folder.exe
3644	File.exe
3800	pub2.exe
2540	Files.exe
3332	jfiag3g_gg.exe
1512	jfiag3g_gg.exe
3652	Info.exe
3660	csrss.exe
3640	injector.exe
3524	G1lR6sPntolQqQACgqjNxUvz.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2092 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2092	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DivinePaper = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

144 ipinfo.io
71 ip-api.com
143 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
144	ipinfo.io
71	ip-api.com
143	ipinfo.io

Drops file in Windows directory 3 IoCs

Processes:

WerFault.exeInfo.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3596 2092 WerFault.exe rundll32.exe
2004 2092 WerFault.exe rundll32.exe
556 3644 WerFault.exe File.exe

pid	pid_target	process	target process
3596	2092	WerFault.exe	rundll32.exe
2004	2092	WerFault.exe	rundll32.exe
556	3644	WerFault.exe	File.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1180 schtasks.exe

pid	process
1180	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3448 taskkill.exe

pid	process
3448	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
3800	pub2.exe
3800	pub2.exe
1512	jfiag3g_gg.exe
1512	jfiag3g_gg.exe
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2532
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3800 pub2.exe

pid	process
2532

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

Install.exeKRSetp.exetaskkill.exeWerFault.exemd9_1sjm.exeInfo.exeInfo.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	208	Install.exe
Token: SeAssignPrimaryTokenPrivilege	208	Install.exe
Token: SeLockMemoryPrivilege	208	Install.exe
Token: SeIncreaseQuotaPrivilege	208	Install.exe
Token: SeMachineAccountPrivilege	208	Install.exe
Token: SeTcbPrivilege	208	Install.exe
Token: SeSecurityPrivilege	208	Install.exe
Token: SeTakeOwnershipPrivilege	208	Install.exe
Token: SeLoadDriverPrivilege	208	Install.exe
Token: SeSystemProfilePrivilege	208	Install.exe
Token: SeSystemtimePrivilege	208	Install.exe
Token: SeProfSingleProcessPrivilege	208	Install.exe
Token: SeIncBasePriorityPrivilege	208	Install.exe
Token: SeCreatePagefilePrivilege	208	Install.exe
Token: SeCreatePermanentPrivilege	208	Install.exe
Token: SeBackupPrivilege	208	Install.exe
Token: SeRestorePrivilege	208	Install.exe
Token: SeShutdownPrivilege	208	Install.exe
Token: SeDebugPrivilege	208	Install.exe
Token: SeAuditPrivilege	208	Install.exe
Token: SeSystemEnvironmentPrivilege	208	Install.exe
Token: SeChangeNotifyPrivilege	208	Install.exe
Token: SeRemoteShutdownPrivilege	208	Install.exe
Token: SeUndockPrivilege	208	Install.exe
Token: SeSyncAgentPrivilege	208	Install.exe
Token: SeEnableDelegationPrivilege	208	Install.exe
Token: SeManageVolumePrivilege	208	Install.exe
Token: SeImpersonatePrivilege	208	Install.exe
Token: SeCreateGlobalPrivilege	208	Install.exe
Token: 31	208	Install.exe
Token: 32	208	Install.exe
Token: 33	208	Install.exe
Token: 34	208	Install.exe
Token: 35	208	Install.exe
Token: SeDebugPrivilege	2280	KRSetp.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeRestorePrivilege	3596	WerFault.exe
Token: SeBackupPrivilege	3596	WerFault.exe
Token: SeBackupPrivilege	3596	WerFault.exe
Token: SeManageVolumePrivilege	960	md9_1sjm.exe
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeDebugPrivilege	1924	Info.exe
Token: SeImpersonatePrivilege	1924	Info.exe
Token: SeSystemEnvironmentPrivilege	3652	Info.exe
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeSystemEnvironmentPrivilege	3660	csrss.exe
Token: SeManageVolumePrivilege	960	md9_1sjm.exe
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeManageVolumePrivilege	960	md9_1sjm.exe
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeManageVolumePrivilege	960	md9_1sjm.exe
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeManageVolumePrivilege	960	md9_1sjm.exe
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

File.exe

pid process

3644 File.exe

pid	process
3644	File.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exeFolder.exeInstall.exeFiles.execmd.exerUNdlL32.eXerundll32.exeWerFault.exeInfo.execmd.execsrss.exeFile.exeWerFault.exe

description	pid	process	target process
PID 2684 wrote to memory of 1700	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Updbdate.exe
PID 2684 wrote to memory of 1700	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Updbdate.exe
PID 2684 wrote to memory of 1700	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Updbdate.exe
PID 2684 wrote to memory of 1924	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Info.exe
PID 2684 wrote to memory of 1924	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Info.exe
PID 2684 wrote to memory of 1924	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Info.exe
PID 2684 wrote to memory of 2304	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Folder.exe
PID 2684 wrote to memory of 2304	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Folder.exe
PID 2684 wrote to memory of 2304	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Folder.exe
PID 2684 wrote to memory of 960	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	md9_1sjm.exe
PID 2684 wrote to memory of 960	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	md9_1sjm.exe
PID 2684 wrote to memory of 960	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	md9_1sjm.exe
PID 2684 wrote to memory of 2280	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	KRSetp.exe
PID 2684 wrote to memory of 2280	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	KRSetp.exe
PID 2684 wrote to memory of 208	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Install.exe
PID 2684 wrote to memory of 208	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Install.exe
PID 2684 wrote to memory of 208	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Install.exe
PID 2304 wrote to memory of 1620	2304	Folder.exe	Folder.exe
PID 2304 wrote to memory of 1620	2304	Folder.exe	Folder.exe
PID 2304 wrote to memory of 1620	2304	Folder.exe	Folder.exe
PID 2684 wrote to memory of 3644	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	File.exe
PID 2684 wrote to memory of 3644	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	File.exe
PID 2684 wrote to memory of 3644	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	File.exe
PID 2684 wrote to memory of 3800	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	pub2.exe
PID 2684 wrote to memory of 3800	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	pub2.exe
PID 2684 wrote to memory of 3800	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	pub2.exe
PID 208 wrote to memory of 3148	208	Install.exe	cmd.exe
PID 208 wrote to memory of 3148	208	Install.exe	cmd.exe
PID 208 wrote to memory of 3148	208	Install.exe	cmd.exe
PID 2684 wrote to memory of 2540	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Files.exe
PID 2684 wrote to memory of 2540	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Files.exe
PID 2684 wrote to memory of 2540	2684	15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe	Files.exe
PID 2540 wrote to memory of 3332	2540	Files.exe	jfiag3g_gg.exe
PID 2540 wrote to memory of 3332	2540	Files.exe	jfiag3g_gg.exe
PID 2540 wrote to memory of 3332	2540	Files.exe	jfiag3g_gg.exe
PID 3148 wrote to memory of 3448	3148	cmd.exe	taskkill.exe
PID 3148 wrote to memory of 3448	3148	cmd.exe	taskkill.exe
PID 3148 wrote to memory of 3448	3148	cmd.exe	taskkill.exe
PID 2240 wrote to memory of 2092	2240	rUNdlL32.eXe	rundll32.exe
PID 2240 wrote to memory of 2092	2240	rUNdlL32.eXe	rundll32.exe
PID 2240 wrote to memory of 2092	2240	rUNdlL32.eXe	rundll32.exe
PID 2540 wrote to memory of 1512	2540	Files.exe	jfiag3g_gg.exe
PID 2540 wrote to memory of 1512	2540	Files.exe	jfiag3g_gg.exe
PID 2540 wrote to memory of 1512	2540	Files.exe	jfiag3g_gg.exe
PID 2092 wrote to memory of 3596	2092	rundll32.exe	WerFault.exe
PID 2092 wrote to memory of 3596	2092	rundll32.exe	WerFault.exe
PID 2092 wrote to memory of 3596	2092	rundll32.exe	WerFault.exe
PID 3640 wrote to memory of 2092	3640	WerFault.exe	rundll32.exe
PID 3640 wrote to memory of 2092	3640	WerFault.exe	rundll32.exe
PID 3652 wrote to memory of 3500	3652	Info.exe	cmd.exe
PID 3652 wrote to memory of 3500	3652	Info.exe	cmd.exe
PID 3500 wrote to memory of 1952	3500	cmd.exe	netsh.exe
PID 3500 wrote to memory of 1952	3500	cmd.exe	netsh.exe
PID 3652 wrote to memory of 3660	3652	Info.exe	csrss.exe
PID 3652 wrote to memory of 3660	3652	Info.exe	csrss.exe
PID 3652 wrote to memory of 3660	3652	Info.exe	csrss.exe
PID 3660 wrote to memory of 3640	3660	csrss.exe	injector.exe
PID 3660 wrote to memory of 3640	3660	csrss.exe	injector.exe
PID 3644 wrote to memory of 3524	3644	File.exe	G1lR6sPntolQqQACgqjNxUvz.exe
PID 3644 wrote to memory of 3524	3644	File.exe	G1lR6sPntolQqQACgqjNxUvz.exe
PID 3480 wrote to memory of 3644	3480	WerFault.exe	File.exe
PID 3480 wrote to memory of 3644	3480	WerFault.exe	File.exe

C:\Users\Admin\AppData\Local\Temp\15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe
"C:\Users\Admin\AppData\Local\Temp\15ae8d4360e20c1b7541046cb2d71e954d7f08d50a1b6e7b281d1900dc4587c7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:1952

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1180

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:3640

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\Pictures\Adobe Films\G1lR6sPntolQqQACgqjNxUvz.exe
"C:\Users\Admin\Pictures\Adobe Films\G1lR6sPntolQqQACgqjNxUvz.exe"
3⤵
- Executes dropped EXE
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 2096
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:556

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3800

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3332

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 604
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 604
3⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2092 -ip 2092
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3644 -ip 3644
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
de6daadfa11ac53a540cd70d175171d3

SHA1
40f5b2437b5a0a517dacfc056b9cce20eba446ad

SHA256
c0844630ee2863cdc89e46e44c83c0bae659cf1246ff6ba878a4798583350a0e

SHA512
9aa5f7d437d3ae38c9ae8ac94dd9910b6284ff62e1693df67760f721c47e0c5c8eefa5954d8289ac3232693786043d3867d720954bebd587d31d5c6cc61f4dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
de6daadfa11ac53a540cd70d175171d3

SHA1
40f5b2437b5a0a517dacfc056b9cce20eba446ad

SHA256
c0844630ee2863cdc89e46e44c83c0bae659cf1246ff6ba878a4798583350a0e

SHA512
9aa5f7d437d3ae38c9ae8ac94dd9910b6284ff62e1693df67760f721c47e0c5c8eefa5954d8289ac3232693786043d3867d720954bebd587d31d5c6cc61f4dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
de6daadfa11ac53a540cd70d175171d3

SHA1
40f5b2437b5a0a517dacfc056b9cce20eba446ad

SHA256
c0844630ee2863cdc89e46e44c83c0bae659cf1246ff6ba878a4798583350a0e

SHA512
9aa5f7d437d3ae38c9ae8ac94dd9910b6284ff62e1693df67760f721c47e0c5c8eefa5954d8289ac3232693786043d3867d720954bebd587d31d5c6cc61f4dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
992a30dec0b76e19f0644cab152e0888

SHA1
38b13055600cbd801666377630cdc196d806ece8

SHA256
a63201ba5d88041eb789ddba10d28b79afa40325350f2833c67e655e5964d1c6

SHA512
84f75a40d426e93a0f337cbe216abc333c5da9556bb283a7a4aed7d2b4a27176ce439668069c71c69d0ace86a94f72512dc0eb2f56dd9a8930f004dd960133cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
992a30dec0b76e19f0644cab152e0888

SHA1
38b13055600cbd801666377630cdc196d806ece8

SHA256
a63201ba5d88041eb789ddba10d28b79afa40325350f2833c67e655e5964d1c6

SHA512
84f75a40d426e93a0f337cbe216abc333c5da9556bb283a7a4aed7d2b4a27176ce439668069c71c69d0ace86a94f72512dc0eb2f56dd9a8930f004dd960133cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
3f97a3023b77068e35c1e7980e8ef9f9

SHA1
e4173318930678d25c47fa175ad296894a353d51

SHA256
962cb8a9638d3b53dac92fc70a4c56749bc63b8ee92d562b0a264e222b86071f

SHA512
355b57e73066c132b6fe363aaadf0d7afc3128fc2ea3a5d3f0a06ff9a805f765c7f9cd0176056e05d4486b095eb0b10c3cf6b800292d3ea3a7a6c6c7595b21af

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
3f97a3023b77068e35c1e7980e8ef9f9

SHA1
e4173318930678d25c47fa175ad296894a353d51

SHA256
962cb8a9638d3b53dac92fc70a4c56749bc63b8ee92d562b0a264e222b86071f

SHA512
355b57e73066c132b6fe363aaadf0d7afc3128fc2ea3a5d3f0a06ff9a805f765c7f9cd0176056e05d4486b095eb0b10c3cf6b800292d3ea3a7a6c6c7595b21af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
e0d7a00d5d1d17d549330622d5efbc57

SHA1
e3abe1626a305c75b223bc17a9de9245290c1571

SHA256
aae3cdeedc940844c30f81a0df1c1da150fc890c604fc81f0f81da729831e51f

SHA512
8931fd7e2b00fe4fc3386eaaf8bfd0d30005e5fda3795d105a866505c83e3c5aca59725a5d8dd6369cc43a426920f6eab1f9fc62e40755ea7c905ec9d27464da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
e0d7a00d5d1d17d549330622d5efbc57

SHA1
e3abe1626a305c75b223bc17a9de9245290c1571

SHA256
aae3cdeedc940844c30f81a0df1c1da150fc890c604fc81f0f81da729831e51f

SHA512
8931fd7e2b00fe4fc3386eaaf8bfd0d30005e5fda3795d105a866505c83e3c5aca59725a5d8dd6369cc43a426920f6eab1f9fc62e40755ea7c905ec9d27464da

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
602be07217529eff0b6df3c7c2d2416c

SHA1
7a73ebc16b1a1156f539b68f61d8799942488a2b

SHA256
81a0111b2965dd7a297919288f24c38419b2877098144ee1da06d2de49c3a02e

SHA512
b10340ce380ed74c9857449ea5d6ac519accdadf66ad3889849c91337a2aa1b9d3ca9d9267d86d6751d55ebfa17a62c329f44c1d29e67e6c9965ede13dfe096b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ecd7365422db60cf4f55f3c6f4ed49bf

SHA1
e4b914e366e854fc076b0faa955d4f52ae6f840d

SHA256
77041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7

SHA512
a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ecd7365422db60cf4f55f3c6f4ed49bf

SHA1
e4b914e366e854fc076b0faa955d4f52ae6f840d

SHA256
77041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7

SHA512
a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
b37ced4de047a71e60d801aca4f11fe6

SHA1
c995feee1f6d9327e214fa7eb9a028eb7463be2b

SHA256
f91ca4cbb5a5b31317843d3f9859d1423825847c95646e6ba4973c885388e3df

SHA512
c32d66db61d0a16c1bce23fcf2a0a714ca47bf6dfa48df7e1c015a43232a38294da780f04696b3feb7a587f6894224b6b4c3db70c2ab0d6991f073873ace2e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
b37ced4de047a71e60d801aca4f11fe6

SHA1
c995feee1f6d9327e214fa7eb9a028eb7463be2b

SHA256
f91ca4cbb5a5b31317843d3f9859d1423825847c95646e6ba4973c885388e3df

SHA512
c32d66db61d0a16c1bce23fcf2a0a714ca47bf6dfa48df7e1c015a43232a38294da780f04696b3feb7a587f6894224b6b4c3db70c2ab0d6991f073873ace2e0a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\G1lR6sPntolQqQACgqjNxUvz.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\G1lR6sPntolQqQACgqjNxUvz.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Windows\rss\csrss.exe
MD5
de6daadfa11ac53a540cd70d175171d3

SHA1
40f5b2437b5a0a517dacfc056b9cce20eba446ad

SHA256
c0844630ee2863cdc89e46e44c83c0bae659cf1246ff6ba878a4798583350a0e

SHA512
9aa5f7d437d3ae38c9ae8ac94dd9910b6284ff62e1693df67760f721c47e0c5c8eefa5954d8289ac3232693786043d3867d720954bebd587d31d5c6cc61f4dac

Download Submit
C:\Windows\rss\csrss.exe
MD5
de6daadfa11ac53a540cd70d175171d3

SHA1
40f5b2437b5a0a517dacfc056b9cce20eba446ad

SHA256
c0844630ee2863cdc89e46e44c83c0bae659cf1246ff6ba878a4798583350a0e

SHA512
9aa5f7d437d3ae38c9ae8ac94dd9910b6284ff62e1693df67760f721c47e0c5c8eefa5954d8289ac3232693786043d3867d720954bebd587d31d5c6cc61f4dac

Download Submit
memory/960-190-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/960-186-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/960-177-0x0000000004F30000-0x0000000004F38000-memory.dmp

Filesize
32KB

Download
memory/1700-189-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1700-134-0x0000000002653000-0x0000000002675000-memory.dmp

Filesize
136KB

Download
memory/1700-197-0x0000000006C04000-0x0000000006C06000-memory.dmp

Filesize
8KB

Download
memory/1700-195-0x0000000006C02000-0x0000000006C03000-memory.dmp

Filesize
4KB

Download
memory/1700-191-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/1700-141-0x0000000002653000-0x0000000002675000-memory.dmp

Filesize
136KB

Download
memory/1700-185-0x0000000006BA0000-0x0000000006BDC000-memory.dmp

Filesize
240KB

Download
memory/1700-196-0x0000000006C03000-0x0000000006C04000-memory.dmp

Filesize
4KB

Download
memory/1700-184-0x0000000004600000-0x0000000004612000-memory.dmp

Filesize
72KB

Download
memory/1700-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1700-180-0x0000000006D10000-0x00000000072B4000-memory.dmp

Filesize
5.6MB

Download
memory/1700-183-0x00000000072C0000-0x00000000078D8000-memory.dmp

Filesize
6.1MB

Download
memory/1700-188-0x000000007206E000-0x000000007206F000-memory.dmp

Filesize
4KB

Download
memory/1924-145-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1924-144-0x0000000004D73000-0x00000000051AF000-memory.dmp

Filesize
4.2MB

Download
memory/1924-143-0x00000000052B0000-0x0000000005BD6000-memory.dmp

Filesize
9.1MB

Download
memory/2280-151-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/2532-187-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

Filesize
88KB

Download
memory/3644-193-0x0000000004060000-0x000000000421D000-memory.dmp

Filesize
1.7MB

Download
memory/3652-175-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3652-174-0x0000000005330000-0x0000000005C56000-memory.dmp

Filesize
9.1MB

Download
memory/3652-173-0x0000000004EEB000-0x0000000005327000-memory.dmp

Filesize
4.2MB

Download
memory/3660-192-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/3660-194-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3800-167-0x0000000002F4E000-0x0000000002F57000-memory.dmp

Filesize
36KB

Download
memory/3800-156-0x0000000002F4E000-0x0000000002F57000-memory.dmp

Filesize
36KB

Download
memory/3800-169-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3800-168-0x0000000002D30000-0x0000000002D39000-memory.dmp

Filesize
36KB

Download