amadey | ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5d

Analysis

max time kernel
106s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2023 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe
Size

251KB
MD5

965b7cbab5230f0610ecd96184b42cca
SHA1

903524674e6ba12dc8fbbbb18d102b406cff4fc9
SHA256

ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5d
SHA512

9c20bc8f1e6d037c40c55009718d2cbe74eb6d66cc3fe66f663d7b4532dc3ab11644347839d37d0f82fbad6cf9ebe4c4da5613e13ff158c3ad6b6f3dea4ef2f5
SSDEEP

3072:0Dpag5zPOTbWvICkrEj6eSgpWmssCMmWhDO5JqA8qr5ROVbzZ3:qb5jO2ZtJS2Wm5WQA8ma

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

194.49.94.181:40264

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.gycc
offline_id
nN1rRlTxKTPo66pmJEAHwufZ2Dhz4MsNxIlOk6t1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CDZ4hMgp2X Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0829ASdw

rsa_pubkey.plain

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3552-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3848-80-0x0000000004840000-0x000000000495B000-memory.dmp	family_djvu
behavioral2/memory/3552-85-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3552-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3552-83-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3552-205-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4204-281-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4204-283-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4204-285-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/956-274-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1784-334-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1784-376-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/956-378-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/956-384-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4444-387-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/744-442-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4444-525-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4444-562-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/744-581-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4396-59-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

11FE.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 11FE.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2496 netsh.exe
4644 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	11FE.exe

pid	process
2496	netsh.exe
4644	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11FE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11FE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11FE.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34AC.exe3DC7.exeBA3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	34AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	3DC7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BA3.exe

Deletes itself 1 IoCs

Processes:

pid process

3368

pid	process
3368

Executes dropped EXE 22 IoCs

Processes:

BA3.exe11FE.exe1403.exe25B7.exe34AC.exe38F3.exeBA3.exehtssgfd3DC7.exe288c47bbc1871b439df19ff4df68f076.exeInstallSetup8.exeBroom.exed21cbe21e38b385a41a68c5e6dd32f4c.exetoolspub2.exeInstallSetup9.exeBroom.exetoolspub2.exeBA3.exed21cbe21e38b385a41a68c5e6dd32f4c.exe288c47bbc1871b439df19ff4df68f076.exe3DC7.exe

pid	process
3848	BA3.exe
5020	11FE.exe
1796	1403.exe
3764	25B7.exe
3996	34AC.exe
2260	38F3.exe
3552	BA3.exe
3672	htssgfd
2500	3DC7.exe
956	288c47bbc1871b439df19ff4df68f076.exe
1056	InstallSetup8.exe
884	Broom.exe
1784	d21cbe21e38b385a41a68c5e6dd32f4c.exe
3220
4400	toolspub2.exe
3676	InstallSetup9.exe
3636	Broom.exe
4276	toolspub2.exe
4204	BA3.exe
4444	d21cbe21e38b385a41a68c5e6dd32f4c.exe
744	288c47bbc1871b439df19ff4df68f076.exe
5052	3DC7.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4936 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4292 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4936	regsvr32.exe

pid	process
4292	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11FE.exe	themida
C:\Users\Admin\AppData\Local\Temp\11FE.exe	themida
behavioral2/memory/5020-46-0x00000000005C0000-0x0000000000DF2000-memory.dmp	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BA3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7b9c379b-4528-4f91-a6e2-34c137383714\\BA3.exe\" --AutoStart"	BA3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

11FE.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 11FE.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 api.2ip.ua
58 api.2ip.ua

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11FE.exe

flow	ioc
57	api.2ip.ua
58	api.2ip.ua

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

11FE.exe

pid process

5020 11FE.exe

pid	process
5020	11FE.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1403.exeBA3.exetoolspub2.exe

description	pid	process	target process
PID 1796 set thread context of 4396	1796	1403.exe	AppLaunch.exe
PID 3848 set thread context of 3552	3848	BA3.exe	BA3.exe
PID 4400 set thread context of 4276	4400	toolspub2.exe	toolspub2.exe
PID 3220 set thread context of 4204	3220		BA3.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3384 4204 WerFault.exe BA3.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

pid	process
2068	sc.exe

pid	pid_target	process	target process
3384	4204	WerFault.exe	BA3.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

25B7.exetoolspub2.exeddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25B7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25B7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25B7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4732 schtasks.exe
3896 schtasks.exe
1384 schtasks.exe

pid	process
4732	schtasks.exe
3896	schtasks.exe
1384	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exepowershell.exepowershell.exeConhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe

pid	process
4784	ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe
4784	ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3368
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe25B7.exetoolspub2.exe

pid process

4784 ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe
3368
3368
3368
3368
3764 25B7.exe
4276 toolspub2.exe

pid	process
3368

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

38F3.exeAppLaunch.exe11FE.exepowershell.exepowershell.exed21cbe21e38b385a41a68c5e6dd32f4c.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exeConhost.exe

description	pid	process
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeDebugPrivilege	2260	38F3.exe
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeDebugPrivilege	4396	AppLaunch.exe
Token: SeDebugPrivilege	5020	11FE.exe
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeDebugPrivilege	1784	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	1784	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeDebugPrivilege	956	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	956	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	956	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	956	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeDebugPrivilege	4868	Conhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Broom.exeBroom.exe

pid process

884 Broom.exe
3636 Broom.exe

pid	process
884	Broom.exe
3636	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe1403.exeBA3.exe34AC.exe3DC7.exeInstallSetup8.exe

description	pid	process	target process
PID 3368 wrote to memory of 3848	3368		BA3.exe
PID 3368 wrote to memory of 3848	3368		BA3.exe
PID 3368 wrote to memory of 3848	3368		BA3.exe
PID 3368 wrote to memory of 644	3368		regsvr32.exe
PID 3368 wrote to memory of 644	3368		regsvr32.exe
PID 644 wrote to memory of 4936	644	regsvr32.exe	regsvr32.exe
PID 644 wrote to memory of 4936	644	regsvr32.exe	regsvr32.exe
PID 644 wrote to memory of 4936	644	regsvr32.exe	regsvr32.exe
PID 3368 wrote to memory of 5020	3368		11FE.exe
PID 3368 wrote to memory of 5020	3368		11FE.exe
PID 3368 wrote to memory of 5020	3368		11FE.exe
PID 3368 wrote to memory of 1796	3368		1403.exe
PID 3368 wrote to memory of 1796	3368		1403.exe
PID 3368 wrote to memory of 1796	3368		1403.exe
PID 3368 wrote to memory of 3764	3368		25B7.exe
PID 3368 wrote to memory of 3764	3368		25B7.exe
PID 3368 wrote to memory of 3764	3368		25B7.exe
PID 1796 wrote to memory of 4524	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4524	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4524	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 1796 wrote to memory of 4396	1796	1403.exe	AppLaunch.exe
PID 3368 wrote to memory of 3996	3368		34AC.exe
PID 3368 wrote to memory of 3996	3368		34AC.exe
PID 3368 wrote to memory of 3996	3368		34AC.exe
PID 3368 wrote to memory of 2260	3368		38F3.exe
PID 3368 wrote to memory of 2260	3368		38F3.exe
PID 3368 wrote to memory of 2260	3368		38F3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3848 wrote to memory of 3552	3848	BA3.exe	BA3.exe
PID 3368 wrote to memory of 2500	3368		3DC7.exe
PID 3368 wrote to memory of 2500	3368		3DC7.exe
PID 3368 wrote to memory of 2500	3368		3DC7.exe
PID 3368 wrote to memory of 1816	3368		explorer.exe
PID 3368 wrote to memory of 1816	3368		explorer.exe
PID 3368 wrote to memory of 1816	3368		explorer.exe
PID 3368 wrote to memory of 1816	3368		explorer.exe
PID 3996 wrote to memory of 956	3996	34AC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3996 wrote to memory of 956	3996	34AC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3996 wrote to memory of 956	3996	34AC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2500 wrote to memory of 1384	2500	3DC7.exe	svchost.exe
PID 2500 wrote to memory of 1384	2500	3DC7.exe	svchost.exe
PID 2500 wrote to memory of 1384	2500	3DC7.exe	svchost.exe
PID 3368 wrote to memory of 3992	3368		explorer.exe
PID 3368 wrote to memory of 3992	3368		explorer.exe
PID 3368 wrote to memory of 3992	3368		explorer.exe
PID 3996 wrote to memory of 1056	3996	34AC.exe	InstallSetup8.exe
PID 3996 wrote to memory of 1056	3996	34AC.exe	InstallSetup8.exe
PID 3996 wrote to memory of 1056	3996	34AC.exe	InstallSetup8.exe
PID 1056 wrote to memory of 884	1056	InstallSetup8.exe	Broom.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe
"C:\Users\Admin\AppData\Local\Temp\ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5dexe.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4784

C:\Users\Admin\AppData\Local\Temp\BA3.exe
C:\Users\Admin\AppData\Local\Temp\BA3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\BA3.exe
C:\Users\Admin\AppData\Local\Temp\BA3.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7b9c379b-4528-4f91-a6e2-34c137383714" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4292

C:\Users\Admin\AppData\Local\Temp\BA3.exe
"C:\Users\Admin\AppData\Local\Temp\BA3.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\BA3.exe
"C:\Users\Admin\AppData\Local\Temp\BA3.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 572
5⤵
- Program crash
PID:3384

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EA2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\EA2.dll
2⤵
- Loads dropped DLL
PID:4936

C:\Users\Admin\AppData\Local\Temp\11FE.exe
C:\Users\Admin\AppData\Local\Temp\11FE.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Users\Admin\AppData\Local\Temp\1403.exe
C:\Users\Admin\AppData\Local\Temp\1403.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\AppData\Local\Temp\25B7.exe
C:\Users\Admin\AppData\Local\Temp\25B7.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3764

C:\Users\Admin\AppData\Roaming\htssgfd
C:\Users\Admin\AppData\Roaming\htssgfd
1⤵
- Executes dropped EXE
PID:3672

C:\Users\Admin\AppData\Local\Temp\34AC.exe
C:\Users\Admin\AppData\Local\Temp\34AC.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:884

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
3⤵
- Executes dropped EXE
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:3536

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\38F3.exe
C:\Users\Admin\AppData\Local\Temp\38F3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\3DC7.exe
C:\Users\Admin\AppData\Local\Temp\3DC7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 3DC7.exe /TR "C:\Users\Admin\AppData\Local\Temp\3DC7.exe" /F
2⤵
- Creates scheduled task(s)
PID:1384

C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:4444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:4700

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3844

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2928

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:3188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:3016

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3896

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:5000

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:2068

C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4400

C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4276

C:\Users\Admin\AppData\Local\Temp\1000010001\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\InstallSetup9.exe"
2⤵
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1816

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
2⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\3DC7.exe
C:\Users\Admin\AppData\Local\Temp\3DC7.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
ce37f6e91c2378919b810b17ad2144df

SHA1
bac00ebeda1ba1e90a986bf6df7ae0191dec4a71

SHA256
8111edcc7482d098bc8b5e135bafe991c2b4dda5b04c89f11e15a2337fd054d5

SHA512
b652f070f6c2569ac92b3a8bede1d557ae0aa1da7337b71260f67d9cb81c3ac5943e2bbae31feeaba50935f69aa7ae8b3e5100c14691cf937f85f7c0db8f3f81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
41ed1b640144cf839c1f9afa832a1b2c

SHA1
2153ef10fcaf3a7833cb28520380d5fde2f6df67

SHA256
ccef2ca3fe87124e4f41509e4d6129276b979188702919e8b0dcad1d8cce2ff9

SHA512
23b894fa29e5ab0e2022c0a306ae1a877673b711fe98904826194dd24b6cb3868081b5743411a05ac9cd5d1572a0540c920cfbfab66579e55f2c7a62147e8403

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
8098f22cdd828af7e3b7311fef6765ab

SHA1
2b3d4fbc3267040d11ea977453521b4d534e332f

SHA256
5976651497a566d6d14c6388d1fc4ce945d4355844e6909aae9aa8b63d9035b3

SHA512
9672c88454d970f2163b50c08254bb61a6664f9b0eb51798ecab5f184ca9a27bde2257fe7ddac5f86924d2ee0648cb063aee11d41ba4079707f681b7f792c7aa

Download Submit
C:\Users\Admin\AppData\Local\7b9c379b-4528-4f91-a6e2-34c137383714\BA3.exe
Filesize
832KB

MD5
ef4690a39d2df67899b879f38704d0bd

SHA1
3625f5087fec6b89977f4f49a9cae32d731aaebc

SHA256
00ea9e04a21a848eb1751c907bf12a9dfbfe7229499b3e2143dc41e5dda79214

SHA512
283ba9a22c3916deaecd632c880e47a1092b4ab8f0ccdc7c31ffc55d174dc16bec5e247d5fe93a012bc537e57eefa92b90f424cccb38271efb8a06388bb09084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
a6ea7bfcd3aac150c0caef765cb52281

SHA1
037dc22c46a0eb0b9ad4c74088129e387cffe96b

SHA256
f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9

SHA512
c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
4.2MB

MD5
949ec0b69598677e2a1413d267e96c29

SHA1
bf67d63774bb568441bdd3357d9af1c8a36c8912

SHA256
e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67

SHA512
4e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
4.2MB

MD5
949ec0b69598677e2a1413d267e96c29

SHA1
bf67d63774bb568441bdd3357d9af1c8a36c8912

SHA256
e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67

SHA512
4e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
4.2MB

MD5
949ec0b69598677e2a1413d267e96c29

SHA1
bf67d63774bb568441bdd3357d9af1c8a36c8912

SHA256
e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67

SHA512
4e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
4.2MB

MD5
949ec0b69598677e2a1413d267e96c29

SHA1
bf67d63774bb568441bdd3357d9af1c8a36c8912

SHA256
e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67

SHA512
4e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe
Filesize
289KB

MD5
85745cf10b15ccdcaf76d598765d5b65

SHA1
2530a66f5d89466c40311138543ca5fc2f9d5906

SHA256
0e108094c03f03787a8bad88b11746a478f9cc25255542682eee92723a9c273b

SHA512
adc85bd3efe9ab48b5340cf9c023987a0394f6174661e67d16ad10d9cde236244c346775c4505f73ce00a90a0c818a70332fffbd4abfa1e2bced7e9f28d1bddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe
Filesize
289KB

MD5
85745cf10b15ccdcaf76d598765d5b65

SHA1
2530a66f5d89466c40311138543ca5fc2f9d5906

SHA256
0e108094c03f03787a8bad88b11746a478f9cc25255542682eee92723a9c273b

SHA512
adc85bd3efe9ab48b5340cf9c023987a0394f6174661e67d16ad10d9cde236244c346775c4505f73ce00a90a0c818a70332fffbd4abfa1e2bced7e9f28d1bddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe
Filesize
289KB

MD5
85745cf10b15ccdcaf76d598765d5b65

SHA1
2530a66f5d89466c40311138543ca5fc2f9d5906

SHA256
0e108094c03f03787a8bad88b11746a478f9cc25255542682eee92723a9c273b

SHA512
adc85bd3efe9ab48b5340cf9c023987a0394f6174661e67d16ad10d9cde236244c346775c4505f73ce00a90a0c818a70332fffbd4abfa1e2bced7e9f28d1bddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\toolspub2.exe
Filesize
289KB

MD5
85745cf10b15ccdcaf76d598765d5b65

SHA1
2530a66f5d89466c40311138543ca5fc2f9d5906

SHA256
0e108094c03f03787a8bad88b11746a478f9cc25255542682eee92723a9c273b

SHA512
adc85bd3efe9ab48b5340cf9c023987a0394f6174661e67d16ad10d9cde236244c346775c4505f73ce00a90a0c818a70332fffbd4abfa1e2bced7e9f28d1bddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\InstallSetup9.exe
Filesize
2.3MB

MD5
51b67c2a8363d569d304cc830d24e42a

SHA1
722970afe105b6865b327ca14e083805305f9e99

SHA256
30a3b83f898aa7f305cb2a494573531863c44c1938b3650622ef70fa6f120f03

SHA512
93d7f0d35a8a64d2367e63c19c4dfd0ed562bbc380b5312fcdc704b49c6fcd82b0029360dd68fdb77c9a1d40a3fc04b54b083cefa8025d82dc5ac7b6ace3c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\InstallSetup9.exe
Filesize
2.3MB

MD5
51b67c2a8363d569d304cc830d24e42a

SHA1
722970afe105b6865b327ca14e083805305f9e99

SHA256
30a3b83f898aa7f305cb2a494573531863c44c1938b3650622ef70fa6f120f03

SHA512
93d7f0d35a8a64d2367e63c19c4dfd0ed562bbc380b5312fcdc704b49c6fcd82b0029360dd68fdb77c9a1d40a3fc04b54b083cefa8025d82dc5ac7b6ace3c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\InstallSetup9.exe
Filesize
2.3MB

MD5
51b67c2a8363d569d304cc830d24e42a

SHA1
722970afe105b6865b327ca14e083805305f9e99

SHA256
30a3b83f898aa7f305cb2a494573531863c44c1938b3650622ef70fa6f120f03

SHA512
93d7f0d35a8a64d2367e63c19c4dfd0ed562bbc380b5312fcdc704b49c6fcd82b0029360dd68fdb77c9a1d40a3fc04b54b083cefa8025d82dc5ac7b6ace3c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\11FE.exe
Filesize
2.9MB

MD5
2f084751d838cb9bfcc8538401245ca6

SHA1
6353a9b23d8e4b50e85cd8e352d4f8d33111b9c0

SHA256
c189f0fb469d1614cabaf2c7ecad116504f2a89da8c51f371dd28571dc45a13c

SHA512
93b8fc0d072f4c162267dcfe9e25e1ec5fe305f4e6e0a87dd84698ded16089430c2bda52129064efdfe22c8ea66566d85e55829837e044459c0fe7e0be55011d

Download Submit
C:\Users\Admin\AppData\Local\Temp\11FE.exe
Filesize
2.9MB

MD5
2f084751d838cb9bfcc8538401245ca6

SHA1
6353a9b23d8e4b50e85cd8e352d4f8d33111b9c0

SHA256
c189f0fb469d1614cabaf2c7ecad116504f2a89da8c51f371dd28571dc45a13c

SHA512
93b8fc0d072f4c162267dcfe9e25e1ec5fe305f4e6e0a87dd84698ded16089430c2bda52129064efdfe22c8ea66566d85e55829837e044459c0fe7e0be55011d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1403.exe
Filesize
1.1MB

MD5
acfa549f63796da0e45b5d96755c425b

SHA1
e0b9ab6d6878926c95e7ead1dd5578aec686566a

SHA256
4d588cff4cf07df5dc8e999f0962c2bfc83f69e8e6ec8df6acb06eb729b26480

SHA512
95d5f5c71e25aa327b723893a0aefc7545993448d7c7e99fb2aa7dfbf7f699e2e5584ab745dcb1c18867520a0bb558c0a33371709174cf1c80c0be2e7e025743

Download Submit
C:\Users\Admin\AppData\Local\Temp\1403.exe
Filesize
1.1MB

MD5
acfa549f63796da0e45b5d96755c425b

SHA1
e0b9ab6d6878926c95e7ead1dd5578aec686566a

SHA256
4d588cff4cf07df5dc8e999f0962c2bfc83f69e8e6ec8df6acb06eb729b26480

SHA512
95d5f5c71e25aa327b723893a0aefc7545993448d7c7e99fb2aa7dfbf7f699e2e5584ab745dcb1c18867520a0bb558c0a33371709174cf1c80c0be2e7e025743

Download Submit
C:\Users\Admin\AppData\Local\Temp\25B7.exe
Filesize
288KB

MD5
13b437650b3d45f7d1fc626148e3f6ad

SHA1
e0f41e327518dbda682284230c82ffd50ed476ab

SHA256
594f26aae07ea07ef05b4fc5b57c697dc8a2297c113b9c94baac091cb24874b9

SHA512
77c99c6e1278916a3cd17fb083b2c50e9f8f018f5cb250ec14db530964358a76c99b10f831abb87b1f86dcbd23727bedbc50c8123964700aec21319f114ec201

Download Submit
C:\Users\Admin\AppData\Local\Temp\25B7.exe
Filesize
288KB

MD5
13b437650b3d45f7d1fc626148e3f6ad

SHA1
e0f41e327518dbda682284230c82ffd50ed476ab

SHA256
594f26aae07ea07ef05b4fc5b57c697dc8a2297c113b9c94baac091cb24874b9

SHA512
77c99c6e1278916a3cd17fb083b2c50e9f8f018f5cb250ec14db530964358a76c99b10f831abb87b1f86dcbd23727bedbc50c8123964700aec21319f114ec201

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.2MB

MD5
890bfdf3c7eecbb505c0fdc415f466b3

SHA1
90889e27be89519f23d85915956d989b75793c8d

SHA256
e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72

SHA512
e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.2MB

MD5
890bfdf3c7eecbb505c0fdc415f466b3

SHA1
90889e27be89519f23d85915956d989b75793c8d

SHA256
e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72

SHA512
e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.2MB

MD5
890bfdf3c7eecbb505c0fdc415f466b3

SHA1
90889e27be89519f23d85915956d989b75793c8d

SHA256
e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72

SHA512
e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.2MB

MD5
890bfdf3c7eecbb505c0fdc415f466b3

SHA1
90889e27be89519f23d85915956d989b75793c8d

SHA256
e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72

SHA512
e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\34AC.exe
Filesize
6.4MB

MD5
faa78f58b4f091f8c56ea622d8576703

SHA1
2bd05e7cf298f79bc7408f400e2f2fd37fc8bdf1

SHA256
464c7ab944886103d617e334c94320344761a543de5395c6b541ae386b448ea0

SHA512
3037aef0866b9957fd9f56691baa0e6557a9f46cd3695016dc3c829fc270393360b05e39fba19dc10cac06c2f51998716b3c15c57c3f0afe8c11b2a3709d467b

Download Submit
C:\Users\Admin\AppData\Local\Temp\34AC.exe
Filesize
6.4MB

MD5
faa78f58b4f091f8c56ea622d8576703

SHA1
2bd05e7cf298f79bc7408f400e2f2fd37fc8bdf1

SHA256
464c7ab944886103d617e334c94320344761a543de5395c6b541ae386b448ea0

SHA512
3037aef0866b9957fd9f56691baa0e6557a9f46cd3695016dc3c829fc270393360b05e39fba19dc10cac06c2f51998716b3c15c57c3f0afe8c11b2a3709d467b

Download Submit
C:\Users\Admin\AppData\Local\Temp\38F3.exe
Filesize
1.8MB

MD5
fac406eb3a620ec45654e087f68ccd9e

SHA1
02c21bd71ec411685102670cd4342a332ebaade0

SHA256
de955b499b42824606d86071bdb1f1555df518b3f12b0254d674a20876e9d340

SHA512
2668c162ccc01f61a1a9ffec6b35a0c2f64b6f0f5a724f1563b3b23460ed17faa7e64d6817f0eaf7f9c38f3a1ac4fb730351d197b9fff051f25d6e1aac4d2b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\38F3.exe
Filesize
1.8MB

MD5
fac406eb3a620ec45654e087f68ccd9e

SHA1
02c21bd71ec411685102670cd4342a332ebaade0

SHA256
de955b499b42824606d86071bdb1f1555df518b3f12b0254d674a20876e9d340

SHA512
2668c162ccc01f61a1a9ffec6b35a0c2f64b6f0f5a724f1563b3b23460ed17faa7e64d6817f0eaf7f9c38f3a1ac4fb730351d197b9fff051f25d6e1aac4d2b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DC7.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DC7.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DC7.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA3.exe
Filesize
832KB

MD5
ef4690a39d2df67899b879f38704d0bd

SHA1
3625f5087fec6b89977f4f49a9cae32d731aaebc

SHA256
00ea9e04a21a848eb1751c907bf12a9dfbfe7229499b3e2143dc41e5dda79214

SHA512
283ba9a22c3916deaecd632c880e47a1092b4ab8f0ccdc7c31ffc55d174dc16bec5e247d5fe93a012bc537e57eefa92b90f424cccb38271efb8a06388bb09084

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA3.exe
Filesize
832KB

MD5
ef4690a39d2df67899b879f38704d0bd

SHA1
3625f5087fec6b89977f4f49a9cae32d731aaebc

SHA256
00ea9e04a21a848eb1751c907bf12a9dfbfe7229499b3e2143dc41e5dda79214

SHA512
283ba9a22c3916deaecd632c880e47a1092b4ab8f0ccdc7c31ffc55d174dc16bec5e247d5fe93a012bc537e57eefa92b90f424cccb38271efb8a06388bb09084

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA3.exe
Filesize
832KB

MD5
ef4690a39d2df67899b879f38704d0bd

SHA1
3625f5087fec6b89977f4f49a9cae32d731aaebc

SHA256
00ea9e04a21a848eb1751c907bf12a9dfbfe7229499b3e2143dc41e5dda79214

SHA512
283ba9a22c3916deaecd632c880e47a1092b4ab8f0ccdc7c31ffc55d174dc16bec5e247d5fe93a012bc537e57eefa92b90f424cccb38271efb8a06388bb09084

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA3.exe
Filesize
832KB

MD5
ef4690a39d2df67899b879f38704d0bd

SHA1
3625f5087fec6b89977f4f49a9cae32d731aaebc

SHA256
00ea9e04a21a848eb1751c907bf12a9dfbfe7229499b3e2143dc41e5dda79214

SHA512
283ba9a22c3916deaecd632c880e47a1092b4ab8f0ccdc7c31ffc55d174dc16bec5e247d5fe93a012bc537e57eefa92b90f424cccb38271efb8a06388bb09084

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA3.exe
Filesize
832KB

MD5
ef4690a39d2df67899b879f38704d0bd

SHA1
3625f5087fec6b89977f4f49a9cae32d731aaebc

SHA256
00ea9e04a21a848eb1751c907bf12a9dfbfe7229499b3e2143dc41e5dda79214

SHA512
283ba9a22c3916deaecd632c880e47a1092b4ab8f0ccdc7c31ffc55d174dc16bec5e247d5fe93a012bc537e57eefa92b90f424cccb38271efb8a06388bb09084

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe
Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe
Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe
Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA2.dll
Filesize
1.6MB

MD5
4164fa66f608eb71f038fa7ee6ece5bc

SHA1
d879704e3d4f1ddb97cde3100962dfb684458c27

SHA256
b43fbe5adf27e984234a4abff46adc22241bcb5b894ce7b518aa024a4c6556f8

SHA512
35dbc13c03cb155ad920fc82de78456cc0aa174671a7ac96953693111596be2bd30e4a0d35e2002f66ddc4e3341f90c3a2d71f35607eaca4673e6a5b6b76edb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA2.dll
Filesize
1.6MB

MD5
4164fa66f608eb71f038fa7ee6ece5bc

SHA1
d879704e3d4f1ddb97cde3100962dfb684458c27

SHA256
b43fbe5adf27e984234a4abff46adc22241bcb5b894ce7b518aa024a4c6556f8

SHA512
35dbc13c03cb155ad920fc82de78456cc0aa174671a7ac96953693111596be2bd30e4a0d35e2002f66ddc4e3341f90c3a2d71f35607eaca4673e6a5b6b76edb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
2.3MB

MD5
d56df2995b539368495f3300e48d8e18

SHA1
8d2d02923afb5fb5e09ce1592104db17a3128246

SHA256
b87fd3c98383089618d2f66cbbecd2b0ed91db6923135235eb52a671f8dd7cb6

SHA512
2b25f9b2ff56abafcd8aa0a5fbae4ea78e9e95cec3d4cb832a7a3c5ec13af7d9ecf3ef26ec5c7144805868801aacb8de4113490c3bd665fda4e23ec05b9d8008

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
2.3MB

MD5
d56df2995b539368495f3300e48d8e18

SHA1
8d2d02923afb5fb5e09ce1592104db17a3128246

SHA256
b87fd3c98383089618d2f66cbbecd2b0ed91db6923135235eb52a671f8dd7cb6

SHA512
2b25f9b2ff56abafcd8aa0a5fbae4ea78e9e95cec3d4cb832a7a3c5ec13af7d9ecf3ef26ec5c7144805868801aacb8de4113490c3bd665fda4e23ec05b9d8008

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
2.3MB

MD5
d56df2995b539368495f3300e48d8e18

SHA1
8d2d02923afb5fb5e09ce1592104db17a3128246

SHA256
b87fd3c98383089618d2f66cbbecd2b0ed91db6923135235eb52a671f8dd7cb6

SHA512
2b25f9b2ff56abafcd8aa0a5fbae4ea78e9e95cec3d4cb832a7a3c5ec13af7d9ecf3ef26ec5c7144805868801aacb8de4113490c3bd665fda4e23ec05b9d8008

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itnoi43x.uk4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\htssgfd
Filesize
251KB

MD5
965b7cbab5230f0610ecd96184b42cca

SHA1
903524674e6ba12dc8fbbbb18d102b406cff4fc9

SHA256
ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5d

SHA512
9c20bc8f1e6d037c40c55009718d2cbe74eb6d66cc3fe66f663d7b4532dc3ab11644347839d37d0f82fbad6cf9ebe4c4da5613e13ff158c3ad6b6f3dea4ef2f5

Download Submit
C:\Users\Admin\AppData\Roaming\htssgfd
Filesize
251KB

MD5
965b7cbab5230f0610ecd96184b42cca

SHA1
903524674e6ba12dc8fbbbb18d102b406cff4fc9

SHA256
ddc7a9963c1c75fe62b5a93b7411424c58d2dd849cecc019fa5554e8cd55ab5d

SHA512
9c20bc8f1e6d037c40c55009718d2cbe74eb6d66cc3fe66f663d7b4532dc3ab11644347839d37d0f82fbad6cf9ebe4c4da5613e13ff158c3ad6b6f3dea4ef2f5

Download Submit
C:\Users\Admin\AppData\Roaming\sessgfd
Filesize
288KB

MD5
13b437650b3d45f7d1fc626148e3f6ad

SHA1
e0f41e327518dbda682284230c82ffd50ed476ab

SHA256
594f26aae07ea07ef05b4fc5b57c697dc8a2297c113b9c94baac091cb24874b9

SHA512
77c99c6e1278916a3cd17fb083b2c50e9f8f018f5cb250ec14db530964358a76c99b10f831abb87b1f86dcbd23727bedbc50c8123964700aec21319f114ec201

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
4e8b52bf9abcafc8ce0eecb66d93af0c

SHA1
ca5688697b1ed9f52632830b8af25210bc2f334d

SHA256
e6cd3c0f39b872b01557f45228d559770ef38df62bb8863c2a57fd56c32dbdd8

SHA512
d75db248288ff9f2a40b16b080626c7dfa264b8d2fcf1d75db1cf05eb7b2e1af5819cde48b9d2f1e4a7c33dfd5574940bec00d7aeaa3fecafb9f3489c137d26e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
d01c50e4be5981cbb2c7e8a439ae7e9c

SHA1
ae1e49884e2423f5efca59b64fae3d461d2d3587

SHA256
12bf3224156d46bdeacdf5f9aadd291b18e121839ebace48cb639d4e138516f6

SHA512
d609c4c703510506fb4adc644b2d387d814760c2728a166924d4d58b946d3a8b726743e79ca9305da5bead10591b175e4e64c0e06b0aa9826bda8564ff8c9181

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
db92e791a2967e2298be8acb57874491

SHA1
f54baf36e496b6eb67c192a6235701a56837cfc6

SHA256
1bfd5cc072ebb3024b14a6ced39d1b346a1b884779c28a6b33f099f62f2bf99f

SHA512
1fd126cbc929c6eed130163341666859211b9c5816a322e6f17c4de9eba6cd694046e9f615657c7f01515d46ceb747fdb442d07b1f4282f2a8c29ab5797b1e00

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
50757537a62aa91644d08c62fbae8423

SHA1
83c3a4c1a3341b21c86c71b247ccab6816b89c78

SHA256
39088630feaada372270831218238adfe6b97b9e8b0102097e55e0cb65590e82

SHA512
67a60c8fabba46fe2c59a80c0e1f2f0aac7e0009b00d3dfbdd7b70d49a59785bb6e04c9b5899b07ddd09cf97a3747c7cd9fa5a791fa7eb851e028b397d94595a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
5a4156d029ebf631db7681fce119f4fb

SHA1
5777e872f89194a513ec4faa9a1ee0ee26cefd86

SHA256
9ca0c10c18b06a80386bb0124f821fc356fd10b63b6d7f13905b3d7a4e05a4fd

SHA512
4a0b6aac1901de58d79e474d694c3f1d540d8c8bf59980f11320033cabd51d30448879d26eb21ae7c864f8d110d45feae68fa5e046846418ffd42486500d4d4e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
5a4156d029ebf631db7681fce119f4fb

SHA1
5777e872f89194a513ec4faa9a1ee0ee26cefd86

SHA256
9ca0c10c18b06a80386bb0124f821fc356fd10b63b6d7f13905b3d7a4e05a4fd

SHA512
4a0b6aac1901de58d79e474d694c3f1d540d8c8bf59980f11320033cabd51d30448879d26eb21ae7c864f8d110d45feae68fa5e046846418ffd42486500d4d4e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
73e2a57dbafd6a5428f176b57540392e

SHA1
30a8002814de21a4e6cf9079fa41c17cc9129761

SHA256
9c92bfc7ce6e0dbeab8c604563cffcfd38a05c48e1ee95275af30c72e6dce311

SHA512
5b95015a264d53d8bfe7d6c76be137c777d6c3e7a4132ef4320f42859b39e8ba6c5bd6bb266cdf1e1ca9cac884f4028a161a5e2d7c36251c32c0d2d07932ca2a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ce46ecee1eecb7f1101631897365d55a

SHA1
d62ad22cf3039e0d0e686c3a9cfdf90737e1b6bb

SHA256
a24b3a202be7cb40f13c3a643c4930f8ab92ff3d724eee50325be2af236e51c4

SHA512
45e885ad8c25c8d8616a77ecb7ccc98b7b4899a1723bcea86134401e4f3b6a39a4d0f96f9213959ee7f6c16e93757876159d0a06ab33bc3e8ad9720caae754ed

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
949ec0b69598677e2a1413d267e96c29

SHA1
bf67d63774bb568441bdd3357d9af1c8a36c8912

SHA256
e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67

SHA512
4e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
949ec0b69598677e2a1413d267e96c29

SHA1
bf67d63774bb568441bdd3357d9af1c8a36c8912

SHA256
e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67

SHA512
4e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/744-442-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/744-581-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/884-246-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/884-176-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/956-384-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/956-378-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/956-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1784-334-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1784-376-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1816-108-0x0000000000C60000-0x0000000000CD5000-memory.dmp

Filesize
468KB

Download
memory/1816-110-0x0000000000520000-0x000000000058B000-memory.dmp

Filesize
428KB

Download
memory/1816-168-0x0000000000520000-0x000000000058B000-memory.dmp

Filesize
428KB

Download
memory/1816-102-0x0000000000520000-0x000000000058B000-memory.dmp

Filesize
428KB

Download
memory/2260-114-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2260-259-0x0000000073530000-0x0000000073CE0000-memory.dmp

Filesize
7.7MB

Download
memory/2260-87-0x0000000073530000-0x0000000073CE0000-memory.dmp

Filesize
7.7MB

Download
memory/2260-167-0x0000000005BF0000-0x0000000005C34000-memory.dmp

Filesize
272KB

Download
memory/2260-86-0x0000000000840000-0x0000000000A08000-memory.dmp

Filesize
1.8MB

Download
memory/2260-89-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/3368-194-0x0000000008BD0000-0x0000000008BE6000-memory.dmp

Filesize
88KB

Download
memory/3368-4-0x0000000003330000-0x0000000003346000-memory.dmp

Filesize
88KB

Download
memory/3368-286-0x0000000001550000-0x0000000001566000-memory.dmp

Filesize
88KB

Download
memory/3552-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-85-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-83-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-205-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3636-247-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/3636-254-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3764-198-0x0000000000400000-0x0000000002ABF000-memory.dmp

Filesize
38.7MB

Download
memory/3764-160-0x0000000000400000-0x0000000002ABF000-memory.dmp

Filesize
38.7MB

Download
memory/3764-154-0x0000000002AD0000-0x0000000002ADB000-memory.dmp

Filesize
44KB

Download
memory/3764-143-0x0000000002AF0000-0x0000000002BF0000-memory.dmp

Filesize
1024KB

Download
memory/3848-80-0x0000000004840000-0x000000000495B000-memory.dmp

Filesize
1.1MB

Download
memory/3848-71-0x00000000047A0000-0x0000000004839000-memory.dmp

Filesize
612KB

Download
memory/3992-126-0x0000000001210000-0x0000000001217000-memory.dmp

Filesize
28KB

Download
memory/3992-131-0x0000000001200000-0x000000000120C000-memory.dmp

Filesize
48KB

Download
memory/3992-122-0x0000000001200000-0x000000000120C000-memory.dmp

Filesize
48KB

Download
memory/3996-70-0x0000000073530000-0x0000000073CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3996-69-0x0000000000190000-0x0000000000804000-memory.dmp

Filesize
6.5MB

Download
memory/3996-132-0x0000000073530000-0x0000000073CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4040-582-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4040-583-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4204-285-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4204-281-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4204-283-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4276-257-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4276-287-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4396-138-0x0000000073530000-0x0000000073CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-60-0x0000000073530000-0x0000000073CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-248-0x000000000A420000-0x000000000A5E2000-memory.dmp

Filesize
1.8MB

Download
memory/4396-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4396-159-0x00000000087F0000-0x0000000008856000-memory.dmp

Filesize
408KB

Download
memory/4396-249-0x000000000AB20000-0x000000000B04C000-memory.dmp

Filesize
5.2MB

Download
memory/4396-250-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/4396-178-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/4396-61-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/4400-256-0x0000000002B00000-0x0000000002B09000-memory.dmp

Filesize
36KB

Download
memory/4400-255-0x0000000002B80000-0x0000000002C80000-memory.dmp

Filesize
1024KB

Download
memory/4444-387-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4444-562-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4444-525-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4784-2-0x00000000006A0000-0x00000000006AB000-memory.dmp

Filesize
44KB

Download
memory/4784-3-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4784-5-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4784-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/4936-120-0x00000000024C0000-0x00000000025D0000-memory.dmp

Filesize
1.1MB

Download
memory/4936-137-0x00000000024C0000-0x00000000025D0000-memory.dmp

Filesize
1.1MB

Download
memory/4936-111-0x00000000024C0000-0x00000000025D0000-memory.dmp

Filesize
1.1MB

Download
memory/4936-68-0x0000000002390000-0x00000000024BD000-memory.dmp

Filesize
1.2MB

Download
memory/4936-22-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/4936-67-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/4936-21-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

Filesize
24KB

Download
memory/5020-53-0x0000000007F40000-0x0000000007F7C000-memory.dmp

Filesize
240KB

Download
memory/5020-37-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-51-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/5020-91-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-50-0x0000000008D50000-0x0000000009368000-memory.dmp

Filesize
6.1MB

Download
memory/5020-49-0x0000000007E00000-0x0000000007E0A000-memory.dmp

Filesize
40KB

Download
memory/5020-48-0x0000000007C70000-0x0000000007D02000-memory.dmp

Filesize
584KB

Download
memory/5020-47-0x0000000008180000-0x0000000008724000-memory.dmp

Filesize
5.6MB

Download
memory/5020-46-0x00000000005C0000-0x0000000000DF2000-memory.dmp

Filesize
8.2MB

Download
memory/5020-42-0x0000000077934000-0x0000000077936000-memory.dmp

Filesize
8KB

Download
memory/5020-40-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-58-0x00000000080C0000-0x000000000810C000-memory.dmp

Filesize
304KB

Download
memory/5020-38-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-52-0x0000000007EE0000-0x0000000007EF2000-memory.dmp

Filesize
72KB

Download
memory/5020-105-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-36-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-35-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-30-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-72-0x00000000005C0000-0x0000000000DF2000-memory.dmp

Filesize
8.2MB

Download
memory/5020-90-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-34-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-29-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-27-0x00000000005C0000-0x0000000000DF2000-memory.dmp

Filesize
8.2MB

Download
memory/5020-124-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-112-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-75-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-103-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download
memory/5020-84-0x0000000076D50000-0x0000000076E40000-memory.dmp

Filesize
960KB

Download