amadey | f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4

Resubmissions

25/08/2023, 12:28

230825-pngc3sbf67 10

25/08/2023, 09:45

230825-lrc82scc6w 10

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4.exe
Size

270KB
MD5

068a2ba3114e26ff02bfac1bc81b4716
SHA1

f950ff81c7719c771faebd5557b4bf9ad48b84fc
SHA256

f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4
SHA512

5fa57bd2540fc4aa22ec1efe2aabe3b89fbe1682ad39eab43520aab8a8e6702e7850d42d74d292b3388c127c3e0b22bc52a71e8f781a6438adfd528733f60770
SSDEEP

6144:IgAT5LKsVtsy/cNi8RgefkKh0u4JjXTaR:IgAT5Os7sXSe8//J/a

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://taibi.at/tmp/

http://01stroy.ru/tmp/

http://mal-net.com/tmp/

http://gromograd.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/raud/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.wztt
offline_id
pGPY4MKNHaEeN9pLKNW37rI0mblzUZFtPsjZ8Ht1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-E3ktviSmlG Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0768zSjfr

rsa_pubkey.plain

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

149.202.0.242:31728

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

amadey

Version

3.87

79.137.192.18/9bDc8sQ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/memory/1628-281-0x0000000003660000-0x0000000003791000-memory.dmp	family_fabookie

Detected Djvu ransomware 32 IoCs

resource	yara_rule
behavioral1/memory/3928-22-0x0000000004190000-0x00000000042AB000-memory.dmp	family_djvu
behavioral1/memory/2112-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2112-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2112-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2112-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1780-38-0x0000000004050000-0x000000000416B000-memory.dmp	family_djvu
behavioral1/memory/1600-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1600-48-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1600-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4256-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4256-61-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4256-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1600-39-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1600-109-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4256-108-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2112-110-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4676-152-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4676-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4676-162-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1520-163-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1520-159-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4676-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1520-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3724-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4996-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3724-146-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3724-143-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4996-141-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4996-139-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4208-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4208-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4208-192-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral1/memory/5084-248-0x00000000047E0000-0x00000000050CB000-memory.dmp	family_glupteba
behavioral1/memory/5084-256-0x0000000000400000-0x00000000026D1000-memory.dmp	family_glupteba
behavioral1/memory/5084-282-0x00000000047E0000-0x00000000050CB000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4124	netsh.exe

Executes dropped EXE 35 IoCs

pid	Process
3928	C6DA.exe
3448	C871.exe
2112	C6DA.exe
1780	CA09.exe
1600	CA09.exe
4904	CC4C.exe
4832	CF1B.exe
4256	CC4C.exe
4608	D239.exe
4004	DAB6.exe
452	C6DA.exe
1512	CC4C.exe
2720	CA09.exe
3560	cmd.exe
4996	yiueea.exe
3724	CA09.exe
4676	2D2D.exe
1520	C6DA.exe
2172	2D2D.exe
1416	4DC5.exe
4208	2D2D.exe
1628	aafg31.exe
3544	toolspub2.exe
5084	31839b57a4f11171d6abc8bbc4451ee4.exe
4836	toolspub2.exe
1772	latestplayer.exe
2024	yiueea.exe
4996	yiueea.exe
1648	31839b57a4f11171d6abc8bbc4451ee4.exe
3840	csrss.exe
2760	injector.exe
4824	2318.exe
452	windefender.exe
556	windefender.exe
2252	yiueea.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4972	icacls.exe
5032	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b0880d75-8975-4d36-85af-e32c8e3bfe83\\C6DA.exe\" --AutoStart"	C6DA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\88567397-3847-46e3-a80b-5d0ce50afac3\\CC4C.exe\" --AutoStart"	CC4C.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.2ip.ua
29	api.2ip.ua
52	api.2ip.ua
26	api.2ip.ua
27	api.2ip.ua

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3928 set thread context of 2112	3928	C6DA.exe	93
PID 1780 set thread context of 1600	1780	CA09.exe	95
PID 4904 set thread context of 4256	4904	CC4C.exe	101
PID 4608 set thread context of 4912	4608	D239.exe	110
PID 4832 set thread context of 376	4832	CF1B.exe	111
PID 1512 set thread context of 4996	1512	CC4C.exe	147
PID 2720 set thread context of 3724	2720	CA09.exe	114
PID 3560 set thread context of 4676	3560	cmd.exe	125
PID 452 set thread context of 1520	452	C6DA.exe	115
PID 2172 set thread context of 4208	2172	2D2D.exe	126
PID 3544 set thread context of 4836	3544	toolspub2.exe	134

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1948	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3928	4996	WerFault.exe	113
2244	1520	WerFault.exe	115
3920	3724	WerFault.exe	114
640	4208	WerFault.exe	126
2352	5084	WerFault.exe	131
4920	4824	WerFault.exe	174

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4464	schtasks.exe
4756	schtasks.exe
2556	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4.exe
2940	f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4.exe
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found
2560	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2560	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2940	f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4.exe
4004	DAB6.exe
4836	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeDebugPrivilege	3448	C871.exe
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeDebugPrivilege	376	AppLaunch.exe
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeDebugPrivilege	4912	AppLaunch.exe
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeDebugPrivilege	228	powershell.exe
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found
Token: SeShutdownPrivilege	2560	Process not Found
Token: SeCreatePagefilePrivilege	2560	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 3928	2560	Process not Found	90
PID 2560 wrote to memory of 3928	2560	Process not Found	90
PID 2560 wrote to memory of 3928	2560	Process not Found	90
PID 2560 wrote to memory of 3448	2560	Process not Found	91
PID 2560 wrote to memory of 3448	2560	Process not Found	91
PID 2560 wrote to memory of 3448	2560	Process not Found	91
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 3928 wrote to memory of 2112	3928	C6DA.exe	93
PID 2560 wrote to memory of 1780	2560	Process not Found	94
PID 2560 wrote to memory of 1780	2560	Process not Found	94
PID 2560 wrote to memory of 1780	2560	Process not Found	94
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 1780 wrote to memory of 1600	1780	CA09.exe	95
PID 2560 wrote to memory of 4904	2560	Process not Found	96
PID 2560 wrote to memory of 4904	2560	Process not Found	96
PID 2560 wrote to memory of 4904	2560	Process not Found	96
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 2560 wrote to memory of 4832	2560	Process not Found	97
PID 2560 wrote to memory of 4832	2560	Process not Found	97
PID 2560 wrote to memory of 4832	2560	Process not Found	97
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 4904 wrote to memory of 4256	4904	CC4C.exe	101
PID 2560 wrote to memory of 4608	2560	Process not Found	99
PID 2560 wrote to memory of 4608	2560	Process not Found	99
PID 2560 wrote to memory of 4608	2560	Process not Found	99
PID 2112 wrote to memory of 5032	2112	C6DA.exe	103
PID 2112 wrote to memory of 5032	2112	C6DA.exe	103
PID 2112 wrote to memory of 5032	2112	C6DA.exe	103
PID 4256 wrote to memory of 4972	4256	CC4C.exe	102
PID 4256 wrote to memory of 4972	4256	CC4C.exe	102
PID 4256 wrote to memory of 4972	4256	CC4C.exe	102
PID 2560 wrote to memory of 4004	2560	Process not Found	105
PID 2560 wrote to memory of 4004	2560	Process not Found	105
PID 2560 wrote to memory of 4004	2560	Process not Found	105
PID 4256 wrote to memory of 1512	4256	CC4C.exe	106
PID 4256 wrote to memory of 1512	4256	CC4C.exe	106
PID 4256 wrote to memory of 1512	4256	CC4C.exe	106
PID 1600 wrote to memory of 2720	1600	CA09.exe	109
PID 1600 wrote to memory of 2720	1600	CA09.exe	109
PID 1600 wrote to memory of 2720	1600	CA09.exe	109
PID 2112 wrote to memory of 452	2112	C6DA.exe	108

C:\Users\Admin\AppData\Local\Temp\f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4.exe
"C:\Users\Admin\AppData\Local\Temp\f5567dd956a8dcf2d1323af9f5fcf9ef30d90f80a7eb047960febdc66e5f8cc4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2940

C:\Users\Admin\AppData\Local\Temp\C6DA.exe
C:\Users\Admin\AppData\Local\Temp\C6DA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\C6DA.exe
  C:\Users\Admin\AppData\Local\Temp\C6DA.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\b0880d75-8975-4d36-85af-e32c8e3bfe83" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\C6DA.exe
    "C:\Users\Admin\AppData\Local\Temp\C6DA.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\C6DA.exe
      "C:\Users\Admin\AppData\Local\Temp\C6DA.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:1520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 568
        5⤵
        Program crash
        
        PID:2244

C:\Users\Admin\AppData\Local\Temp\C871.exe
C:\Users\Admin\AppData\Local\Temp\C871.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Users\Admin\AppData\Local\Temp\CA09.exe
C:\Users\Admin\AppData\Local\Temp\CA09.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\CA09.exe
  C:\Users\Admin\AppData\Local\Temp\CA09.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\CA09.exe
    "C:\Users\Admin\AppData\Local\Temp\CA09.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\CA09.exe
      "C:\Users\Admin\AppData\Local\Temp\CA09.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:3724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 576
        5⤵
        Program crash
        
        PID:3920

C:\Users\Admin\AppData\Local\Temp\CC4C.exe
C:\Users\Admin\AppData\Local\Temp\CC4C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\CC4C.exe
  C:\Users\Admin\AppData\Local\Temp\CC4C.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\88567397-3847-46e3-a80b-5d0ce50afac3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4972
- - C:\Users\Admin\AppData\Local\Temp\CC4C.exe
    "C:\Users\Admin\AppData\Local\Temp\CC4C.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\CC4C.exe
      "C:\Users\Admin\AppData\Local\Temp\CC4C.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 580
        5⤵
        Program crash
        
        PID:3928

C:\Users\Admin\AppData\Local\Temp\CF1B.exe
C:\Users\Admin\AppData\Local\Temp\CF1B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:376

C:\Users\Admin\AppData\Local\Temp\D239.exe
C:\Users\Admin\AppData\Local\Temp\D239.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4912

C:\Users\Admin\AppData\Local\Temp\DAB6.exe
C:\Users\Admin\AppData\Local\Temp\DAB6.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:4004

C:\Users\Admin\AppData\Local\Temp\2D2D.exe
C:\Users\Admin\AppData\Local\Temp\2D2D.exe
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\2D2D.exe
  C:\Users\Admin\AppData\Local\Temp\2D2D.exe
  2⤵
  - Executes dropped EXE
  PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1520 -ip 1520
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4996 -ip 4996
1⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2D2D.exe
"C:\Users\Admin\AppData\Local\Temp\2D2D.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2172
- C:\Users\Admin\AppData\Local\Temp\2D2D.exe
  "C:\Users\Admin\AppData\Local\Temp\2D2D.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  PID:4208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 568
    3⤵
    - Program crash
    PID:640

C:\Users\Admin\AppData\Local\Temp\4DC5.exe
C:\Users\Admin\AppData\Local\Temp\4DC5.exe
1⤵
- Executes dropped EXE
PID:1416
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    PID:4836
- C:\Users\Admin\AppData\Local\Temp\aafg31.exe
  "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:5084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:4376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:1104
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4124
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2584
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      PID:3840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4516
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4756
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:2760
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2556
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:452
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 824
    3⤵
    - Program crash
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"
  2⤵
  - Executes dropped EXE
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
    "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
    3⤵
    - Executes dropped EXE
    PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3560
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:N"
        5⤵
        
        PID:4248
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:R" /E
        5⤵
        
        PID:2376
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:R" /E
        5⤵
        
        PID:3536
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:N"
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3220
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3724 -ip 3724
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4208 -ip 4208
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5084 -ip 5084
1⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\2318.exe
C:\Users\Admin\AppData\Local\Temp\2318.exe
1⤵
- Executes dropped EXE
PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 3028
  2⤵
  - Program crash
  PID:4920

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4824 -ip 4824
1⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
1⤵
- Executes dropped EXE
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
2047c5276498695b2aae5fab09708b18

SHA1
e6e47381a8f7ad1d552ca6e587a38c68cc4eb5a7

SHA256
ef854bb906dc4d7d50d2c8cf812999276848c574c35bd342762b2fe2305db9bf

SHA512
4266e74e941befc8e51f377f1025554d2b82de50a7883d9d326420134253d8584b7133ca503476a1336e924e4d987f5f957e5d2379e9dc40e906eba97f3eb239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
2047c5276498695b2aae5fab09708b18

SHA1
e6e47381a8f7ad1d552ca6e587a38c68cc4eb5a7

SHA256
ef854bb906dc4d7d50d2c8cf812999276848c574c35bd342762b2fe2305db9bf

SHA512
4266e74e941befc8e51f377f1025554d2b82de50a7883d9d326420134253d8584b7133ca503476a1336e924e4d987f5f957e5d2379e9dc40e906eba97f3eb239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
2047c5276498695b2aae5fab09708b18

SHA1
e6e47381a8f7ad1d552ca6e587a38c68cc4eb5a7

SHA256
ef854bb906dc4d7d50d2c8cf812999276848c574c35bd342762b2fe2305db9bf

SHA512
4266e74e941befc8e51f377f1025554d2b82de50a7883d9d326420134253d8584b7133ca503476a1336e924e4d987f5f957e5d2379e9dc40e906eba97f3eb239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
ce12199317d03aeb98e9ab4deb8a2400

SHA1
83c807a97e94c4a5c943711282434fcaa52f23b0

SHA256
9bac42ac5078f27a66f09d9c94507ba81716ae946080673963ddca4c70f04688

SHA512
041bbf8cdd894eec2a2430625c6072778149684d86d274c5e307b2ca3d1964063ca50e9df7df7da3f5a93949dc053d8eb80d35661b905571a517e58c437b963e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
ce12199317d03aeb98e9ab4deb8a2400

SHA1
83c807a97e94c4a5c943711282434fcaa52f23b0

SHA256
9bac42ac5078f27a66f09d9c94507ba81716ae946080673963ddca4c70f04688

SHA512
041bbf8cdd894eec2a2430625c6072778149684d86d274c5e307b2ca3d1964063ca50e9df7df7da3f5a93949dc053d8eb80d35661b905571a517e58c437b963e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
ce12199317d03aeb98e9ab4deb8a2400

SHA1
83c807a97e94c4a5c943711282434fcaa52f23b0

SHA256
9bac42ac5078f27a66f09d9c94507ba81716ae946080673963ddca4c70f04688

SHA512
041bbf8cdd894eec2a2430625c6072778149684d86d274c5e307b2ca3d1964063ca50e9df7df7da3f5a93949dc053d8eb80d35661b905571a517e58c437b963e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
26d59b41a2deff3e9707ba8c4f359783

SHA1
ff9e24b2cee0611a1ccc0fa4c75d323304fd520f

SHA256
6ba468ae4531bccd7fa0016f936d8a99ea59a797aa0c300c39a1a581624419ea

SHA512
9d51a3c88a62d4bdc22a43c2c89d780ecbba3c8f3704412ac747bfa55cef5415a5cee3c8ac7f8ef38ba0d9dfb64b84893d3b4df41fe33cd4e7bb756a5d278691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
26d59b41a2deff3e9707ba8c4f359783

SHA1
ff9e24b2cee0611a1ccc0fa4c75d323304fd520f

SHA256
6ba468ae4531bccd7fa0016f936d8a99ea59a797aa0c300c39a1a581624419ea

SHA512
9d51a3c88a62d4bdc22a43c2c89d780ecbba3c8f3704412ac747bfa55cef5415a5cee3c8ac7f8ef38ba0d9dfb64b84893d3b4df41fe33cd4e7bb756a5d278691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
26d59b41a2deff3e9707ba8c4f359783

SHA1
ff9e24b2cee0611a1ccc0fa4c75d323304fd520f

SHA256
6ba468ae4531bccd7fa0016f936d8a99ea59a797aa0c300c39a1a581624419ea

SHA512
9d51a3c88a62d4bdc22a43c2c89d780ecbba3c8f3704412ac747bfa55cef5415a5cee3c8ac7f8ef38ba0d9dfb64b84893d3b4df41fe33cd4e7bb756a5d278691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
480e65943625d98d2ebff18a39d1e517

SHA1
0b803a873f722cc2d70d1ef57399c272ba1843d1

SHA256
9419b3e1a6434ab0c213fd2fe5dbb5e191df83afe3db7dc759059ac6b78c345d

SHA512
21e1741d941cd911f63f15afb416cc6890fc678c0bf82f8d1ff0ba1c3441ad44fab98e72715bdd34623475d45b95f2b1e87494a61758f2959fb18bb9eaba435f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
480e65943625d98d2ebff18a39d1e517

SHA1
0b803a873f722cc2d70d1ef57399c272ba1843d1

SHA256
9419b3e1a6434ab0c213fd2fe5dbb5e191df83afe3db7dc759059ac6b78c345d

SHA512
21e1741d941cd911f63f15afb416cc6890fc678c0bf82f8d1ff0ba1c3441ad44fab98e72715bdd34623475d45b95f2b1e87494a61758f2959fb18bb9eaba435f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
480e65943625d98d2ebff18a39d1e517

SHA1
0b803a873f722cc2d70d1ef57399c272ba1843d1

SHA256
9419b3e1a6434ab0c213fd2fe5dbb5e191df83afe3db7dc759059ac6b78c345d

SHA512
21e1741d941cd911f63f15afb416cc6890fc678c0bf82f8d1ff0ba1c3441ad44fab98e72715bdd34623475d45b95f2b1e87494a61758f2959fb18bb9eaba435f

Download Submit
C:\Users\Admin\AppData\Local\88567397-3847-46e3-a80b-5d0ce50afac3\CC4C.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\88567397-3847-46e3-a80b-5d0ce50afac3\CC4C.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
9b756bc85e5324eb8f87a69e3f9959ab

SHA1
1778b2e2d6a00c421578a284db1e743931611d66

SHA256
e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e

SHA512
c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2D.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2D.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2D.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2D.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2D.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2D.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DC5.exe

Filesize
5.1MB

MD5
739ac92d82f9ae4f557923ee2689099a

SHA1
93583178a8a370778b95a89c508c6bb7ee304df7

SHA256
e9dc3c310187d5aa3a5451c4c6799792b5e6c501da776f0adeaf16302aa84e6e

SHA512
db8570f53b70606455581827d164d132b30a6afe0a1eed2138546a5ca356887fa4d274cd5f5487ac13cfa3e9464ff0fd9669ef989617c127cc6018d3545de0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DC5.exe

Filesize
5.1MB

MD5
739ac92d82f9ae4f557923ee2689099a

SHA1
93583178a8a370778b95a89c508c6bb7ee304df7

SHA256
e9dc3c310187d5aa3a5451c4c6799792b5e6c501da776f0adeaf16302aa84e6e

SHA512
db8570f53b70606455581827d164d132b30a6afe0a1eed2138546a5ca356887fa4d274cd5f5487ac13cfa3e9464ff0fd9669ef989617c127cc6018d3545de0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DA.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DA.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DA.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DA.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DA.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\C871.exe

Filesize
237KB

MD5
872d809faf6857be70216616ce0eae2f

SHA1
b240167f3054a54642cb03cdfadf4d17e5fb0005

SHA256
31712b36f255e5a75de26a4f167e363bacd38883f5ee58529ac5493a252e7d9e

SHA512
bbdaea6f78c501a642ac459bec2912e53fa547190f2148608daef29371ff69342767be0134f1c07e74587f04e938de9ca1f5c0dd2ea94783e888009521ad5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\C871.exe

Filesize
237KB

MD5
872d809faf6857be70216616ce0eae2f

SHA1
b240167f3054a54642cb03cdfadf4d17e5fb0005

SHA256
31712b36f255e5a75de26a4f167e363bacd38883f5ee58529ac5493a252e7d9e

SHA512
bbdaea6f78c501a642ac459bec2912e53fa547190f2148608daef29371ff69342767be0134f1c07e74587f04e938de9ca1f5c0dd2ea94783e888009521ad5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA09.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA09.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA09.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA09.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA09.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4C.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4C.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4C.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4C.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4C.exe

Filesize
779KB

MD5
806598a8df4290eaed23b7d1e288fd44

SHA1
2b72b5b446d255f427a1f257abb9d3cbce7e2622

SHA256
e1c8c8fa297a9d73180f9e1df5ff9ad3119589946f8c566de2c807f024a15e09

SHA512
47804ad74affe4627127d3b5c3fdaee6d4ee5e718a2df5e367e3fd2a13f11fe3f1395956b6d10f61500f9dc46e6fd6d2757284088a596a0693c5ca0ea239abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF1B.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF1B.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D239.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D239.exe

Filesize
1.4MB

MD5
c8ea6b5b15cb9a80ac43eb6fbd995d88

SHA1
9ba4841a610f8b54fb6f9fa131c273111617aafb

SHA256
b6dbf44a855da2e09df2862a403af7e16307cdcfd05e5bb73246bdb2aa5c9b01

SHA512
5ec305621d5b5b8a8a6206c95c5b7735d2010748592ed0c64ef5a7cff7eb49149e36bb21a922bbc26a6a7e5c98e366f88e20323632b4a7accb158e37d4f1ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAB6.exe

Filesize
271KB

MD5
8343ad6bb681aeed5801599b5a09d3ca

SHA1
2de20b5c732599669625361ef62ece1f6fa9ce91

SHA256
f4f808f9abe62956ef2ed21529c49167691eb559dea5cb8b9500ad90808447c3

SHA512
b7cf6cfc79719ea6e7a58f6556329e564162b988e72af6f57051cf9c07de8fc5ce62c6c1ba89b3f0b5434246d5d85a02be992ef1b452d35bfc232b4d69b3a305

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAB6.exe

Filesize
271KB

MD5
8343ad6bb681aeed5801599b5a09d3ca

SHA1
2de20b5c732599669625361ef62ece1f6fa9ce91

SHA256
f4f808f9abe62956ef2ed21529c49167691eb559dea5cb8b9500ad90808447c3

SHA512
b7cf6cfc79719ea6e7a58f6556329e564162b988e72af6f57051cf9c07de8fc5ce62c6c1ba89b3f0b5434246d5d85a02be992ef1b452d35bfc232b4d69b3a305

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yexgluh3.pq4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
397KB

MD5
e3031f99f17a7c8cef9f8ccf6f0dc28e

SHA1
ea6e9a506ca921d15eb7cf4c78dec5dc41733ab3

SHA256
fdca3a9eff84349214459acb7530451c244a66e5e3347ac8366e22c2bee4a0fd

SHA512
8bf8b203f7cfe13f6a98d2b2b2f4bcf816cc58f18f7fad9af13cea0459b1ba7a338fdb18c78379ad79f7ec7c2157fd1cef2e35ec10689aa18d1532579dcbb73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
397KB

MD5
e3031f99f17a7c8cef9f8ccf6f0dc28e

SHA1
ea6e9a506ca921d15eb7cf4c78dec5dc41733ab3

SHA256
fdca3a9eff84349214459acb7530451c244a66e5e3347ac8366e22c2bee4a0fd

SHA512
8bf8b203f7cfe13f6a98d2b2b2f4bcf816cc58f18f7fad9af13cea0459b1ba7a338fdb18c78379ad79f7ec7c2157fd1cef2e35ec10689aa18d1532579dcbb73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
397KB

MD5
e3031f99f17a7c8cef9f8ccf6f0dc28e

SHA1
ea6e9a506ca921d15eb7cf4c78dec5dc41733ab3

SHA256
fdca3a9eff84349214459acb7530451c244a66e5e3347ac8366e22c2bee4a0fd

SHA512
8bf8b203f7cfe13f6a98d2b2b2f4bcf816cc58f18f7fad9af13cea0459b1ba7a338fdb18c78379ad79f7ec7c2157fd1cef2e35ec10689aa18d1532579dcbb73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
271KB

MD5
222a4c7e494a2314e9e1d0a07abecee9

SHA1
dd8f2552f2fa5256fac01a51fa2c383759e84f8e

SHA256
60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436

SHA512
fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11

Download Submit
C:\Users\Admin\AppData\Local\b0880d75-8975-4d36-85af-e32c8e3bfe83\C6DA.exe

Filesize
770KB

MD5
9e3aef070cdb67b7c341524a654d8e51

SHA1
f2998647d26b60b5b18d32f36b766ccf4b49a0d6

SHA256
1d0677d46bc267ec26080970cbe492a8139d9bd01e8c6c682635156ab3bf2142

SHA512
29e683053412fa197aae32e58b761e2adf625e54056f808fb0f7a11d120d7c6f0804147c4408a5cb9323ecb046b19fd10dfa622b0c3b8e5ce00144174493c813

Download Submit
C:\Users\Admin\AppData\Roaming\dhwwura

Filesize
271KB

MD5
8343ad6bb681aeed5801599b5a09d3ca

SHA1
2de20b5c732599669625361ef62ece1f6fa9ce91

SHA256
f4f808f9abe62956ef2ed21529c49167691eb559dea5cb8b9500ad90808447c3

SHA512
b7cf6cfc79719ea6e7a58f6556329e564162b988e72af6f57051cf9c07de8fc5ce62c6c1ba89b3f0b5434246d5d85a02be992ef1b452d35bfc232b4d69b3a305

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c3a1be3d5947fe0de096cbdad2965a26

SHA1
b04e3951c715e02978e2b77d09765289ba70fddf

SHA256
2b9542ad0016d72d4f07ce358139702b3b81870fa5a0f8962a172fe25c3c6a34

SHA512
f92c47ddbfaf6fbbd9c687fe935f764091cb69a34f86eb517b805c4219ca67af18ca48701187034c65a538ce189de10c0497c3549910af4c3b5cf1a96bd72123

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
987c6a1dc4d9f980a6327572e8184913

SHA1
e0125e9431d79490cad3691ea5aa2014275e9598

SHA256
fd94c02d60fbd0111999870caceafa0f99ae10fd3e7fc7e06b1a0afcb4fef3fe

SHA512
608fdb9dfac6537702bb64e7b90f25a6f9ec59713b7c9fbc729f3ddd5563d2627c2c166353783bb2e5264876bdbb7c19a288f8a0f78ddfdd9970dec8453390b5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9957a9e2f769eb0170eac50de60b178e

SHA1
e8e2b2ff749a0808f19843ff13fd6bba84ebadfc

SHA256
a07b11a326ce9607b2bd05948cf741780f849a9f8748378780f5c530f6cfb925

SHA512
046326803815dbe410601fd6f271fb2e3ed4507f6e1ee276ff0c34596e82e753b471134f8313e1ffebd97a66fb4d6848024adbb6ae887edd1d3b5039ac205fdc

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
bcde3bccef28eec15ea3222c5883c39b

SHA1
e5dc5fc0a8ef95b8c0d8e1cedb9efc271e9da7f5

SHA256
34b38e43149feff08e0ed5d6e29d04c416629057aad2588118a80e209566ddca

SHA512
3c6c8ada811272d3dfc37923fd13ab5593f4bc5b87e69349f64e0893b0f5307c390d33e29828ae0c039076023965a85e45328b626237cc06f829ae4526437755

Download Submit
memory/228-280-0x0000000004D50000-0x0000000005378000-memory.dmp

Filesize
6.2MB

Download
memory/228-276-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/228-289-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/228-294-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/228-275-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/228-273-0x00000000025C0000-0x00000000025F6000-memory.dmp

Filesize
216KB

Download
memory/376-160-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/376-157-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/376-246-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/376-244-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/1416-245-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/1416-177-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/1416-175-0x0000000000E10000-0x0000000001336000-memory.dmp

Filesize
5.1MB

Download
memory/1512-140-0x0000000003FF4000-0x0000000004085000-memory.dmp

Filesize
580KB

Download
memory/1520-163-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1520-159-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1520-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-39-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-109-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1628-279-0x00000000034E0000-0x0000000003651000-memory.dmp

Filesize
1.4MB

Download
memory/1628-209-0x00007FF7A6D30000-0x00007FF7A6D97000-memory.dmp

Filesize
412KB

Download
memory/1628-281-0x0000000003660000-0x0000000003791000-memory.dmp

Filesize
1.2MB

Download
memory/1780-38-0x0000000004050000-0x000000000416B000-memory.dmp

Filesize
1.1MB

Download
memory/1780-42-0x0000000003EA0000-0x0000000003F37000-memory.dmp

Filesize
604KB

Download
memory/2112-110-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2112-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2112-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2112-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2112-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2560-3-0x00000000023B0000-0x00000000023C6000-memory.dmp

Filesize
88KB

Download
memory/2560-116-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2720-144-0x0000000003F75000-0x0000000004006000-memory.dmp

Filesize
580KB

Download
memory/2940-4-0x0000000000400000-0x0000000002432000-memory.dmp

Filesize
32.2MB

Download
memory/2940-7-0x0000000004180000-0x0000000004195000-memory.dmp

Filesize
84KB

Download
memory/2940-0-0x0000000004180000-0x0000000004195000-memory.dmp

Filesize
84KB

Download
memory/2940-2-0x0000000000400000-0x0000000002432000-memory.dmp

Filesize
32.2MB

Download
memory/2940-8-0x00000000041A0000-0x00000000041A9000-memory.dmp

Filesize
36KB

Download
memory/2940-1-0x00000000041A0000-0x00000000041A9000-memory.dmp

Filesize
36KB

Download
memory/3448-267-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/3448-59-0x0000000004BB0000-0x00000000051C8000-memory.dmp

Filesize
6.1MB

Download
memory/3448-128-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/3448-121-0x0000000005520000-0x0000000005596000-memory.dmp

Filesize
472KB

Download
memory/3448-193-0x00000000062F0000-0x00000000064B2000-memory.dmp

Filesize
1.8MB

Download
memory/3448-206-0x00000000064C0000-0x00000000069EC000-memory.dmp

Filesize
5.2MB

Download
memory/3448-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-28-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/3448-131-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/3448-62-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3448-67-0x0000000004A00000-0x0000000004A3C000-memory.dmp

Filesize
240KB

Download
memory/3448-63-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3448-220-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3448-174-0x0000000006250000-0x00000000062A0000-memory.dmp

Filesize
320KB

Download
memory/3448-176-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/3448-56-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/3448-135-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/3448-60-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/3544-225-0x0000000002380000-0x0000000002480000-memory.dmp

Filesize
1024KB

Download
memory/3544-227-0x0000000002330000-0x0000000002339000-memory.dmp

Filesize
36KB

Download
memory/3724-146-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3724-143-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3724-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3928-21-0x00000000040F0000-0x0000000004182000-memory.dmp

Filesize
584KB

Download
memory/3928-22-0x0000000004190000-0x00000000042AB000-memory.dmp

Filesize
1.1MB

Download
memory/4004-133-0x00000000025A0000-0x00000000025A9000-memory.dmp

Filesize
36KB

Download
memory/4004-122-0x0000000000400000-0x0000000002432000-memory.dmp

Filesize
32.2MB

Download
memory/4004-132-0x0000000002580000-0x0000000002595000-memory.dmp

Filesize
84KB

Download
memory/4208-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4208-192-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4208-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4256-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4256-61-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4256-108-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4256-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-162-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4836-274-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4836-234-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4836-241-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4904-57-0x0000000002432000-0x00000000024C3000-memory.dmp

Filesize
580KB

Download
memory/4912-154-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4912-106-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/4912-298-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/4912-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4912-230-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/4912-243-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4996-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4996-141-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4996-139-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5084-282-0x00000000047E0000-0x00000000050CB000-memory.dmp

Filesize
8.9MB

Download
memory/5084-256-0x0000000000400000-0x00000000026D1000-memory.dmp

Filesize
34.8MB

Download
memory/5084-248-0x00000000047E0000-0x00000000050CB000-memory.dmp

Filesize
8.9MB

Download
memory/5084-247-0x00000000043E0000-0x00000000047DF000-memory.dmp

Filesize
4.0MB

Download