fabookie | 7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b

Analysis

max time kernel
61s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe
Size

10.8MB
MD5

97436c741eddd9af54aafb15a62e3129
SHA1

73e97cbdb33acdb6b957bd8e6549d62be0d7b559
SHA256

7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b
SHA512

067df592f831e26a0767abff09cc7e36fcf41c1cebddf3e1515ab7d8bfc31d9527d03c09d00347e6b506ecae65ee9c24feb82cdf9b1c78581592ba15e26c1f30
SSDEEP

196608:MCQmGCXM5YPyZf/d4PQqKCQmGCXM5YPyZf/d4PQqP3228zP4bgkECeT:kvCcKy/d8IvCcKy/d8N+74sMe

Score

10^/10

fabookie glupteba smokeloader up3 backdoor discovery dropper evasion loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/memory/2008-130-0x0000000003070000-0x00000000031A1000-memory.dmp	family_fabookie
behavioral2/memory/2008-180-0x0000000003070000-0x00000000031A1000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 20 IoCs

resource	yara_rule
behavioral2/memory/2160-50-0x0000000004B10000-0x00000000053FB000-memory.dmp	family_glupteba
behavioral2/memory/2160-68-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/4480-69-0x0000000004A10000-0x00000000052FB000-memory.dmp	family_glupteba
behavioral2/memory/4480-74-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/2160-134-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/4480-135-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/4480-160-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/2160-187-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/4480-188-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/2160-268-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/4480-269-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/2160-367-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/3320-369-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/4112-425-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/3320-435-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/4112-535-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/3604-538-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/3604-578-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/3604-591-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba
behavioral2/memory/3604-600-0x0000000000400000-0x0000000002985000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1012	netsh.exe
4748	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	kos1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	kos.exe

Executes dropped EXE 14 IoCs

pid	Process
2160	e0cbefcb1af40c7d4aff4aca26621a98.exe
3544	previewer.exe
4480	31839b57a4f11171d6abc8bbc4451ee4.exe
2008	opee37.exe
5016	toolspub2.exe
4740	kos1.exe
1440	set16.exe
4632	kos.exe
5064	is-6Q4S8.tmp
3544	previewer.exe
3180	previewer.exe
3320	31839b57a4f11171d6abc8bbc4451ee4.exe
4112	e0cbefcb1af40c7d4aff4aca26621a98.exe
3604	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
5064	is-6Q4S8.tmp
5064	is-6Q4S8.tmp
5064	is-6Q4S8.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023223-586.dat	upx
behavioral2/files/0x0007000000023223-588.dat	upx
behavioral2/files/0x0007000000023223-590.dat	upx
behavioral2/memory/3544-592-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4768-601-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x0006000000023229-631.dat	upx
behavioral2/files/0x0006000000023229-633.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e0cbefcb1af40c7d4aff4aca26621a98.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	injector.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3544 set thread context of 5016	3544	previewer.exe	90

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe
File opened (read-only)	\??\VBoxMiniRdrDN	e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PA Previewer\is-VOEDP.tmp	is-6Q4S8.tmp
File created	C:\Program Files (x86)\PA Previewer\is-2E7NL.tmp	is-6Q4S8.tmp
File created	C:\Program Files (x86)\PA Previewer\is-TM0S5.tmp	is-6Q4S8.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-6Q4S8.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-6Q4S8.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-6Q4S8.tmp
File created	C:\Program Files (x86)\PA Previewer\is-9HS12.tmp	is-6Q4S8.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\rss\csrss.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
220	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5080	schtasks.exe
2192	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	injector.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	injector.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5016	toolspub2.exe
5016	toolspub2.exe
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3144	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5016	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	kos.exe
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeDebugPrivilege	3544	previewer.exe
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeDebugPrivilege	3180	previewer.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeDebugPrivilege	4480	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	4480	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	2160	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	2160	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2160	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	2160	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeDebugPrivilege	736	injector.exe
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeDebugPrivilege	4656	Conhost.exe
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2160	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	86
PID 2960 wrote to memory of 2160	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	86
PID 2960 wrote to memory of 2160	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	86
PID 2960 wrote to memory of 3544	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	103
PID 2960 wrote to memory of 3544	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	103
PID 2960 wrote to memory of 3544	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	103
PID 2960 wrote to memory of 4480	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	88
PID 2960 wrote to memory of 4480	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	88
PID 2960 wrote to memory of 4480	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	88
PID 2960 wrote to memory of 2008	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	89
PID 2960 wrote to memory of 2008	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	89
PID 3544 wrote to memory of 5016	3544	previewer.exe	90
PID 3544 wrote to memory of 5016	3544	previewer.exe	90
PID 3544 wrote to memory of 5016	3544	previewer.exe	90
PID 3544 wrote to memory of 5016	3544	previewer.exe	90
PID 3544 wrote to memory of 5016	3544	previewer.exe	90
PID 3544 wrote to memory of 5016	3544	previewer.exe	90
PID 2960 wrote to memory of 4740	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	91
PID 2960 wrote to memory of 4740	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	91
PID 2960 wrote to memory of 4740	2960	7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe	91
PID 4740 wrote to memory of 1440	4740	kos1.exe	93
PID 4740 wrote to memory of 1440	4740	kos1.exe	93
PID 4740 wrote to memory of 1440	4740	kos1.exe	93
PID 4740 wrote to memory of 4632	4740	kos1.exe	94
PID 4740 wrote to memory of 4632	4740	kos1.exe	94
PID 1440 wrote to memory of 5064	1440	set16.exe	96
PID 1440 wrote to memory of 5064	1440	set16.exe	96
PID 1440 wrote to memory of 5064	1440	set16.exe	96
PID 5064 wrote to memory of 1448	5064	is-6Q4S8.tmp	105
PID 5064 wrote to memory of 1448	5064	is-6Q4S8.tmp	105
PID 5064 wrote to memory of 1448	5064	is-6Q4S8.tmp	105
PID 5064 wrote to memory of 3544	5064	is-6Q4S8.tmp	103
PID 5064 wrote to memory of 3544	5064	is-6Q4S8.tmp	103
PID 5064 wrote to memory of 3544	5064	is-6Q4S8.tmp	103
PID 1448 wrote to memory of 3232	1448	net.exe	106
PID 1448 wrote to memory of 3232	1448	net.exe	106
PID 1448 wrote to memory of 3232	1448	net.exe	106
PID 5064 wrote to memory of 3180	5064	is-6Q4S8.tmp	107
PID 5064 wrote to memory of 3180	5064	is-6Q4S8.tmp	107
PID 5064 wrote to memory of 3180	5064	is-6Q4S8.tmp	107
PID 2160 wrote to memory of 4248	2160	e0cbefcb1af40c7d4aff4aca26621a98.exe	110
PID 4480 wrote to memory of 3964	4480	31839b57a4f11171d6abc8bbc4451ee4.exe	109
PID 2160 wrote to memory of 4248	2160	e0cbefcb1af40c7d4aff4aca26621a98.exe	110
PID 4480 wrote to memory of 3964	4480	31839b57a4f11171d6abc8bbc4451ee4.exe	109
PID 2160 wrote to memory of 4248	2160	e0cbefcb1af40c7d4aff4aca26621a98.exe	110
PID 4480 wrote to memory of 3964	4480	31839b57a4f11171d6abc8bbc4451ee4.exe	109
PID 3320 wrote to memory of 2076	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	119
PID 3320 wrote to memory of 2076	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	119
PID 3320 wrote to memory of 2076	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	119
PID 4112 wrote to memory of 736	4112	e0cbefcb1af40c7d4aff4aca26621a98.exe	149
PID 4112 wrote to memory of 736	4112	e0cbefcb1af40c7d4aff4aca26621a98.exe	149
PID 4112 wrote to memory of 736	4112	e0cbefcb1af40c7d4aff4aca26621a98.exe	149
PID 3320 wrote to memory of 3516	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	124
PID 3320 wrote to memory of 3516	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	124
PID 3516 wrote to memory of 1012	3516	cmd.exe	126
PID 3516 wrote to memory of 1012	3516	cmd.exe	126
PID 3320 wrote to memory of 4656	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	148
PID 3320 wrote to memory of 4656	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	148
PID 3320 wrote to memory of 4656	3320	31839b57a4f11171d6abc8bbc4451ee4.exe	148
PID 4112 wrote to memory of 516	4112	e0cbefcb1af40c7d4aff4aca26621a98.exe	129
PID 4112 wrote to memory of 516	4112	e0cbefcb1af40c7d4aff4aca26621a98.exe	129
PID 516 wrote to memory of 4748	516	cmd.exe	131
PID 516 wrote to memory of 4748	516	cmd.exe	131
PID 4112 wrote to memory of 5000	4112	e0cbefcb1af40c7d4aff4aca26621a98.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe
"C:\Users\Admin\AppData\Local\Temp\7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
  "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:516
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:3296
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5016
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      PID:3604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4464
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:3416
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:3800
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:5080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4360
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2192
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:3544
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:220
    - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        5⤵
        
        PID:980
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        6⤵
        
        PID:3672
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        6⤵
        
        PID:2740
- C:\Users\Admin\AppData\Local\Temp\opee37.exe
  "C:\Users\Admin\AppData\Local\Temp\opee37.exe"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\kos1.exe
  "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\set16.exe
    "C:\Users\Admin\AppData\Local\Temp\set16.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\is-G5EDQ.tmp\is-6Q4S8.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G5EDQ.tmp\is-6Q4S8.tmp" /SL4 $B00E4 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        6⤵
        
        PID:3232
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
- - C:\Users\Admin\AppData\Local\Temp\kos.exe
    "C:\Users\Admin\AppData\Local\Temp\kos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4632

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4768

C:\Users\Admin\AppData\Roaming\dbwwgug
C:\Users\Admin\AppData\Roaming\dbwwgug
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
21bdc4635e67b42af297b5d422b47cdc

SHA1
da08dd00ae5bc0da5ec6433569bcc68c4a8a9410

SHA256
f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287

SHA512
626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
21bdc4635e67b42af297b5d422b47cdc

SHA1
da08dd00ae5bc0da5ec6433569bcc68c4a8a9410

SHA256
f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287

SHA512
626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
21bdc4635e67b42af297b5d422b47cdc

SHA1
da08dd00ae5bc0da5ec6433569bcc68c4a8a9410

SHA256
f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287

SHA512
626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
21bdc4635e67b42af297b5d422b47cdc

SHA1
da08dd00ae5bc0da5ec6433569bcc68c4a8a9410

SHA256
f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287

SHA512
626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtkjwora.qh2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.2MB

MD5
e21f9bd6e1b35f9583f1239db6ea6ba2

SHA1
c11170224637d4ec914f637731fa321e9b687f7d

SHA256
f467550c990a7d7c02c98945ded9fb8234a37171c5664fa1617e28a5429ad494

SHA512
3fd7aed88c49b88d63fdca0be31186378c1cfc2a18b0e5f9e0658448969cdc0d0a14c4707c26dcbf6c1254b45770b64ccb7da662cfaff5e828bbd15e6647a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.2MB

MD5
e21f9bd6e1b35f9583f1239db6ea6ba2

SHA1
c11170224637d4ec914f637731fa321e9b687f7d

SHA256
f467550c990a7d7c02c98945ded9fb8234a37171c5664fa1617e28a5429ad494

SHA512
3fd7aed88c49b88d63fdca0be31186378c1cfc2a18b0e5f9e0658448969cdc0d0a14c4707c26dcbf6c1254b45770b64ccb7da662cfaff5e828bbd15e6647a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.2MB

MD5
e21f9bd6e1b35f9583f1239db6ea6ba2

SHA1
c11170224637d4ec914f637731fa321e9b687f7d

SHA256
f467550c990a7d7c02c98945ded9fb8234a37171c5664fa1617e28a5429ad494

SHA512
3fd7aed88c49b88d63fdca0be31186378c1cfc2a18b0e5f9e0658448969cdc0d0a14c4707c26dcbf6c1254b45770b64ccb7da662cfaff5e828bbd15e6647a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.2MB

MD5
e21f9bd6e1b35f9583f1239db6ea6ba2

SHA1
c11170224637d4ec914f637731fa321e9b687f7d

SHA256
f467550c990a7d7c02c98945ded9fb8234a37171c5664fa1617e28a5429ad494

SHA512
3fd7aed88c49b88d63fdca0be31186378c1cfc2a18b0e5f9e0658448969cdc0d0a14c4707c26dcbf6c1254b45770b64ccb7da662cfaff5e828bbd15e6647a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5EDQ.tmp\is-6Q4S8.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5EDQ.tmp\is-6Q4S8.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UMK2P.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UMK2P.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UMK2P.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\opee37.exe

Filesize
636KB

MD5
35d2f720e73634c46f23135dde876bcb

SHA1
312ffc2ae812086301d1e9e4544e24f945af3aa5

SHA256
5cb22bfe2e305bfa94cff485065c5cbfb868f8eb45509e6ea1d9164236d72a13

SHA512
16a021676c3edcc9727b7786bc4b90366ad6e93b78606bef5c07e0e2476a8a45b970f683b4a7810ad30d179ef5c37b29e095d2eb88a591b18e3e71c4ed24f7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\opee37.exe

Filesize
636KB

MD5
35d2f720e73634c46f23135dde876bcb

SHA1
312ffc2ae812086301d1e9e4544e24f945af3aa5

SHA256
5cb22bfe2e305bfa94cff485065c5cbfb868f8eb45509e6ea1d9164236d72a13

SHA512
16a021676c3edcc9727b7786bc4b90366ad6e93b78606bef5c07e0e2476a8a45b970f683b4a7810ad30d179ef5c37b29e095d2eb88a591b18e3e71c4ed24f7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\opee37.exe

Filesize
636KB

MD5
35d2f720e73634c46f23135dde876bcb

SHA1
312ffc2ae812086301d1e9e4544e24f945af3aa5

SHA256
5cb22bfe2e305bfa94cff485065c5cbfb868f8eb45509e6ea1d9164236d72a13

SHA512
16a021676c3edcc9727b7786bc4b90366ad6e93b78606bef5c07e0e2476a8a45b970f683b4a7810ad30d179ef5c37b29e095d2eb88a591b18e3e71c4ed24f7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
305KB

MD5
bb924d501954bee604c97534385ecbda

SHA1
05a480d2489f18329fb302171f1b077aa5da6fd2

SHA256
c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

SHA512
23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
305KB

MD5
bb924d501954bee604c97534385ecbda

SHA1
05a480d2489f18329fb302171f1b077aa5da6fd2

SHA256
c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

SHA512
23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
305KB

MD5
bb924d501954bee604c97534385ecbda

SHA1
05a480d2489f18329fb302171f1b077aa5da6fd2

SHA256
c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

SHA512
23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
305KB

MD5
bb924d501954bee604c97534385ecbda

SHA1
05a480d2489f18329fb302171f1b077aa5da6fd2

SHA256
c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

SHA512
23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

Download Submit
C:\Users\Admin\AppData\Roaming\dbwwgug

Filesize
305KB

MD5
bb924d501954bee604c97534385ecbda

SHA1
05a480d2489f18329fb302171f1b077aa5da6fd2

SHA256
c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

SHA512
23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

Download Submit
C:\Users\Admin\AppData\Roaming\dbwwgug

Filesize
305KB

MD5
bb924d501954bee604c97534385ecbda

SHA1
05a480d2489f18329fb302171f1b077aa5da6fd2

SHA256
c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

SHA512
23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
59ca9ebc738010dba422fb1f8c135ae5

SHA1
df05428a43c9ae9b25f1869236c391d30e43ced3

SHA256
f76cdde0161bf262e9786378ea3c7fdc50871ecc862502e792fddf4a272cb645

SHA512
13876fe75dfd71d539c45cdc3dd540290caf240a5691d1dee40942c03efdcb76f7d375daaf277f4dbbd8db1c922265d7059234236d2036a0781941adc8460049

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2339e8b9c1ad885466c33671762f63e0

SHA1
dfd3fe15b9b692255618dbf9887cc252fbb1a368

SHA256
cfd91f614c18976dc9c21350ff97dc82cbe4ffb10c41fe36e57dfe6a9662c4fb

SHA512
bc10da677e5f661e35e1c3572f8e7c4e7b65a8dc469dc698392b3696078703ef974486e764e36c4ce931dcab8488a66709f35be3973730b4190f4bbfddac8232

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2339e8b9c1ad885466c33671762f63e0

SHA1
dfd3fe15b9b692255618dbf9887cc252fbb1a368

SHA256
cfd91f614c18976dc9c21350ff97dc82cbe4ffb10c41fe36e57dfe6a9662c4fb

SHA512
bc10da677e5f661e35e1c3572f8e7c4e7b65a8dc469dc698392b3696078703ef974486e764e36c4ce931dcab8488a66709f35be3973730b4190f4bbfddac8232

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8b1d79e537dbdbbdc0aee871733b4606

SHA1
4ebe3ea59e097ec35c6f7defcca536fefc59ecbc

SHA256
eb96f3ddce3f022d37529ddd90a97f3da0d3979843760b39b9d9833215e64300

SHA512
fbcb541909579b4e4f8648101eb373c7a05847b6586afea2b131c16c61a642719868cec6101d5d16e5fa60a7819685d79c87c6726f7dcb1758eb643b75fd69a8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8b1d79e537dbdbbdc0aee871733b4606

SHA1
4ebe3ea59e097ec35c6f7defcca536fefc59ecbc

SHA256
eb96f3ddce3f022d37529ddd90a97f3da0d3979843760b39b9d9833215e64300

SHA512
fbcb541909579b4e4f8648101eb373c7a05847b6586afea2b131c16c61a642719868cec6101d5d16e5fa60a7819685d79c87c6726f7dcb1758eb643b75fd69a8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e3b6dadc1098eb83e4125cc2e1ffcf92

SHA1
b2ee0314c88a17bd617d64990860c7c8cf405d9c

SHA256
2083542355ee183e2d67aafd64dc795683bcfcfdd351825c96220eee8eb6d5e9

SHA512
f2409f7e2ae4b9d51f99ce1538f64ff9aeb943aeee7566ab69cd41af0fc98b6cac53aff878337e2b7be0bb78aaae54a529a18a93859f11d9a511c877fe8f41c4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e3b6dadc1098eb83e4125cc2e1ffcf92

SHA1
b2ee0314c88a17bd617d64990860c7c8cf405d9c

SHA256
2083542355ee183e2d67aafd64dc795683bcfcfdd351825c96220eee8eb6d5e9

SHA512
f2409f7e2ae4b9d51f99ce1538f64ff9aeb943aeee7566ab69cd41af0fc98b6cac53aff878337e2b7be0bb78aaae54a529a18a93859f11d9a511c877fe8f41c4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
17987b026154cd4cdcd0704739491b32

SHA1
b11e08c280cc0e3ffb7dfabb8db8b04d47dd28ea

SHA256
260b12dcd5ffd597ab294b09c9ea653f48ca9882f1a2f7d1b8e07aa2719aabf3

SHA512
e1f0d6476d02f1311209f70422bc2c0f7883c5606f29c098ad05fc524d16c91aff70457d32f4a95d936296d126d278092d7a489cb5c32a1e445049165d2bb0c4

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
21bdc4635e67b42af297b5d422b47cdc

SHA1
da08dd00ae5bc0da5ec6433569bcc68c4a8a9410

SHA256
f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287

SHA512
626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
21bdc4635e67b42af297b5d422b47cdc

SHA1
da08dd00ae5bc0da5ec6433569bcc68c4a8a9410

SHA256
f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287

SHA512
626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1440-88-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1440-162-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2008-180-0x0000000003070000-0x00000000031A1000-memory.dmp

Filesize
1.2MB

Download
memory/2008-59-0x00007FF7F74C0000-0x00007FF7F7562000-memory.dmp

Filesize
648KB

Download
memory/2008-129-0x0000000002EF0000-0x0000000003061000-memory.dmp

Filesize
1.4MB

Download
memory/2008-130-0x0000000003070000-0x00000000031A1000-memory.dmp

Filesize
1.2MB

Download
memory/2160-367-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/2160-131-0x0000000004610000-0x0000000004A0A000-memory.dmp

Filesize
4.0MB

Download
memory/2160-68-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/2160-187-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/2160-45-0x0000000004610000-0x0000000004A0A000-memory.dmp

Filesize
4.0MB

Download
memory/2160-50-0x0000000004B10000-0x00000000053FB000-memory.dmp

Filesize
8.9MB

Download
memory/2160-134-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/2160-268-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/2960-1-0x0000000000B60000-0x0000000001626000-memory.dmp

Filesize
10.8MB

Download
memory/2960-0-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2960-66-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3144-107-0x00000000011B0000-0x00000000011C6000-memory.dmp

Filesize
88KB

Download
memory/3180-322-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3180-541-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3180-181-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3180-603-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3180-177-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3180-580-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3180-439-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3180-595-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3320-435-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/3320-369-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/3544-35-0x0000000002660000-0x0000000002760000-memory.dmp

Filesize
1024KB

Download
memory/3544-173-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3544-169-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3544-168-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3544-592-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3544-39-0x0000000002630000-0x0000000002639000-memory.dmp

Filesize
36KB

Download
memory/3604-538-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/3604-578-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/3604-591-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/3604-600-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/3964-221-0x0000000007670000-0x00000000076E6000-memory.dmp

Filesize
472KB

Download
memory/3964-228-0x0000000007A70000-0x0000000007AA2000-memory.dmp

Filesize
200KB

Download
memory/3964-222-0x0000000073200000-0x00000000739B0000-memory.dmp

Filesize
7.7MB

Download
memory/3964-223-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3964-225-0x0000000006B40000-0x0000000006B5A000-memory.dmp

Filesize
104KB

Download
memory/3964-182-0x0000000004F30000-0x0000000004F66000-memory.dmp

Filesize
216KB

Download
memory/3964-213-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/3964-227-0x000000007F240000-0x000000007F250000-memory.dmp

Filesize
64KB

Download
memory/3964-184-0x0000000073200000-0x00000000739B0000-memory.dmp

Filesize
7.7MB

Download
memory/3964-215-0x0000000006540000-0x000000000658C000-memory.dmp

Filesize
304KB

Download
memory/3964-232-0x00000000721F0000-0x0000000072544000-memory.dmp

Filesize
3.3MB

Download
memory/3964-185-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3964-230-0x0000000072090000-0x00000000720DC000-memory.dmp

Filesize
304KB

Download
memory/3964-189-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3964-220-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3964-192-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/3964-214-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/3964-193-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/3964-194-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3964-217-0x0000000006900000-0x0000000006944000-memory.dmp

Filesize
272KB

Download
memory/4112-535-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/4112-425-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/4248-191-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/4248-224-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/4248-218-0x0000000073200000-0x00000000739B0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-183-0x0000000073200000-0x00000000739B0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-219-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/4248-226-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/4248-190-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/4248-242-0x0000000007A90000-0x0000000007AAE000-memory.dmp

Filesize
120KB

Download
memory/4248-229-0x0000000072090000-0x00000000720DC000-memory.dmp

Filesize
304KB

Download
memory/4248-186-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/4248-231-0x00000000721F0000-0x0000000072544000-memory.dmp

Filesize
3.3MB

Download
memory/4480-188-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/4480-74-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/4480-161-0x0000000004500000-0x0000000004901000-memory.dmp

Filesize
4.0MB

Download
memory/4480-269-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/4480-80-0x0000000004500000-0x0000000004901000-memory.dmp

Filesize
4.0MB

Download
memory/4480-160-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/4480-135-0x0000000000400000-0x0000000002985000-memory.dmp

Filesize
37.5MB

Download
memory/4480-69-0x0000000004A10000-0x00000000052FB000-memory.dmp

Filesize
8.9MB

Download
memory/4632-106-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/4632-111-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/4632-167-0x00007FFA5BF70000-0x00007FFA5CA31000-memory.dmp

Filesize
10.8MB

Download
memory/4632-172-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/4632-176-0x00007FFA5BF70000-0x00007FFA5CA31000-memory.dmp

Filesize
10.8MB

Download
memory/4632-105-0x00007FFA5BF70000-0x00007FFA5CA31000-memory.dmp

Filesize
10.8MB

Download
memory/4740-71-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4740-114-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4740-64-0x0000000000210000-0x0000000000384000-memory.dmp

Filesize
1.5MB

Download
memory/4768-601-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5016-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5016-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5016-108-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5064-153-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/5064-179-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download