glupteba | a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75

Analysis

max time kernel
150s
max time network
153s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
08-12-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
Size

238KB
MD5

be9d02e68254f125e51577acaba81f25
SHA1

87a2a3ed4ae400b6c03e73d3298d37a2b9f27aea
SHA256

a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75
SHA512

1a524616e7b4cdbffa77ee6503c575c1f110906a594b517a70de77ca7557a3f7debc2580551cd7b8257167622d228b9c5833b341b4ea1fcef5f351a3956138c3
SSDEEP

3072:A0OuGN405qDf+O8sIrVAJvyMqRoR5oGiWHqTCK:q9NrqDft83hAJrv3BHqT

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

lumma

http://opposesicknessopw.pw/api

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4C37.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\4C37.exe	family_zgrat_v1
behavioral1/memory/616-29-0x0000000000230000-0x0000000000744000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4484-162-0x0000000002D40000-0x000000000362B000-memory.dmp	family_glupteba
behavioral1/memory/4484-166-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4484-241-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4484-525-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4484-834-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4484-844-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4400-1097-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4400-1386-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4400-1612-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5048-1880-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3244-46-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral1/memory/3244-44-0x0000000000990000-0x00000000009A6000-memory.dmp	family_raccoon_v2
behavioral1/memory/3244-72-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7E58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7E58.exe = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	7E58.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

C343.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C343.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4216 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	C343.exe

pid	process
4216	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C343.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C343.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C343.exe

Deletes itself 1 IoCs

Processes:

pid process

3264

pid	process
3264

Executes dropped EXE 16 IoCs

Processes:

4C37.exe4D41.exe4E9A.exe74F1.exe7E58.exe9ACA.exe9ACA.tmpBC1E.exeBC1E.tmpC343.exe7E58.execsrss.exeA519.exeinjector.exewindefender.exewindefender.exe

pid	process
616	4C37.exe
3244	4D41.exe
1256	4E9A.exe
3500	74F1.exe
4484	7E58.exe
4172	9ACA.exe
2012	9ACA.tmp
2368	BC1E.exe
2948	BC1E.tmp
4920	C343.exe
4400	7E58.exe
5048	csrss.exe
3256	A519.exe
1404	injector.exe
2920	windefender.exe
4456	windefender.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exe4C37.exe9ACA.tmpBC1E.tmpA519.exe

pid process

4464 regsvr32.exe
616 4C37.exe
2012 9ACA.tmp
2012 9ACA.tmp
2012 9ACA.tmp
2948 BC1E.tmp
2948 BC1E.tmp
2948 BC1E.tmp
3256 A519.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4464	regsvr32.exe
616	4C37.exe
2012	9ACA.tmp
2012	9ACA.tmp
2012	9ACA.tmp
2948	BC1E.tmp
2948	BC1E.tmp
2948	BC1E.tmp
3256	A519.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C343.exe	themida
C:\Users\Admin\AppData\Local\Temp\C343.exe	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7E58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7E58.exe = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	7E58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	7E58.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7E58.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	7E58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

C343.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C343.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C343.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

C343.exe

pid process

4920 C343.exe

pid	process
4920	C343.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4E9A.exe4C37.exeA519.exe

description	pid	process	target process
PID 1256 set thread context of 3664	1256	4E9A.exe	AppLaunch.exe
PID 616 set thread context of 2708	616	4C37.exe	RegSvcs.exe
PID 3256 set thread context of 164	3256	A519.exe	RegSvcs.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

7E58.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 7E58.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	7E58.exe

Drops file in Program Files directory 10 IoCs

Processes:

9ACA.tmpBC1E.tmp

description	ioc	process
File created	C:\Program Files (x86)\MDeliveryLIB\uninstall\unins000.dat	9ACA.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-E4LJ4.tmp	9ACA.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-SDQMC.tmp	9ACA.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\is-NNM0S.tmp	BC1E.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-R2948.tmp	BC1E.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-FR148.tmp	BC1E.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\uninstall\is-TJ6I1.tmp	9ACA.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-9Q4HB.tmp	9ACA.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	BC1E.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-P6OTC.tmp	BC1E.tmp

Drops file in Windows directory 4 IoCs

Processes:

csrss.exe7E58.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	7E58.exe
File created	C:\Windows\rss\csrss.exe	7E58.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4140 sc.exe

pid	process
4140	sc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe74F1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74F1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74F1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74F1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

768 schtasks.exe
4912 schtasks.exe

pid	process
768	schtasks.exe
4912	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe7E58.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	7E58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	7E58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe

pid	process
2496	a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
2496	a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe74F1.exe

pid process

2496 a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
3500 74F1.exe
3264
3264
3264
3264

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exepowershell.exe7E58.exepowershell.exeC343.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	3664	AppLaunch.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	4484	7E58.exe
Token: SeImpersonatePrivilege	4484	7E58.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4920	C343.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	228	powershell.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeShutdownPrivilege	3264

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4E9A.exeregsvr32.exe4C37.exe9ACA.exeBC1E.exe7E58.exe7E58.exe

description	pid	process	target process
PID 3264 wrote to memory of 616	3264		4C37.exe
PID 3264 wrote to memory of 616	3264		4C37.exe
PID 3264 wrote to memory of 616	3264		4C37.exe
PID 3264 wrote to memory of 3244	3264		4D41.exe
PID 3264 wrote to memory of 3244	3264		4D41.exe
PID 3264 wrote to memory of 3244	3264		4D41.exe
PID 3264 wrote to memory of 1256	3264		4E9A.exe
PID 3264 wrote to memory of 1256	3264		4E9A.exe
PID 3264 wrote to memory of 1256	3264		4E9A.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 1256 wrote to memory of 3664	1256	4E9A.exe	AppLaunch.exe
PID 3264 wrote to memory of 452	3264		regsvr32.exe
PID 3264 wrote to memory of 452	3264		regsvr32.exe
PID 452 wrote to memory of 4464	452	regsvr32.exe	regsvr32.exe
PID 452 wrote to memory of 4464	452	regsvr32.exe	regsvr32.exe
PID 452 wrote to memory of 4464	452	regsvr32.exe	regsvr32.exe
PID 3264 wrote to memory of 3500	3264		74F1.exe
PID 3264 wrote to memory of 3500	3264		74F1.exe
PID 3264 wrote to memory of 3500	3264		74F1.exe
PID 3264 wrote to memory of 4484	3264		7E58.exe
PID 3264 wrote to memory of 4484	3264		7E58.exe
PID 3264 wrote to memory of 4484	3264		7E58.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 616 wrote to memory of 2708	616	4C37.exe	RegSvcs.exe
PID 3264 wrote to memory of 4172	3264		9ACA.exe
PID 3264 wrote to memory of 4172	3264		9ACA.exe
PID 3264 wrote to memory of 4172	3264		9ACA.exe
PID 4172 wrote to memory of 2012	4172	9ACA.exe	9ACA.tmp
PID 4172 wrote to memory of 2012	4172	9ACA.exe	9ACA.tmp
PID 4172 wrote to memory of 2012	4172	9ACA.exe	9ACA.tmp
PID 3264 wrote to memory of 2368	3264		BC1E.exe
PID 3264 wrote to memory of 2368	3264		BC1E.exe
PID 3264 wrote to memory of 2368	3264		BC1E.exe
PID 2368 wrote to memory of 2948	2368	BC1E.exe	BC1E.tmp
PID 2368 wrote to memory of 2948	2368	BC1E.exe	BC1E.tmp
PID 2368 wrote to memory of 2948	2368	BC1E.exe	BC1E.tmp
PID 4484 wrote to memory of 4792	4484	7E58.exe	powershell.exe
PID 4484 wrote to memory of 4792	4484	7E58.exe	powershell.exe
PID 4484 wrote to memory of 4792	4484	7E58.exe	powershell.exe
PID 3264 wrote to memory of 4920	3264		C343.exe
PID 3264 wrote to memory of 4920	3264		C343.exe
PID 3264 wrote to memory of 4920	3264		C343.exe
PID 3264 wrote to memory of 4568	3264		explorer.exe
PID 3264 wrote to memory of 4568	3264		explorer.exe
PID 3264 wrote to memory of 4568	3264		explorer.exe
PID 3264 wrote to memory of 4568	3264		explorer.exe
PID 3264 wrote to memory of 1700	3264		explorer.exe
PID 3264 wrote to memory of 1700	3264		explorer.exe
PID 3264 wrote to memory of 1700	3264		explorer.exe
PID 4400 wrote to memory of 4100	4400	7E58.exe	powershell.exe
PID 4400 wrote to memory of 4100	4400	7E58.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe
"C:\Users\Admin\AppData\Local\Temp\a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2496

C:\Users\Admin\AppData\Local\Temp\4C37.exe
C:\Users\Admin\AppData\Local\Temp\4C37.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\4D41.exe
C:\Users\Admin\AppData\Local\Temp\4D41.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Users\Admin\AppData\Local\Temp\4E9A.exe
C:\Users\Admin\AppData\Local\Temp\4E9A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\609C.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\609C.dll
2⤵
- Loads dropped DLL
PID:4464

C:\Users\Admin\AppData\Local\Temp\74F1.exe
C:\Users\Admin\AppData\Local\Temp\74F1.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3500

C:\Users\Admin\AppData\Local\Temp\7E58.exe
C:\Users\Admin\AppData\Local\Temp\7E58.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Users\Admin\AppData\Local\Temp\7E58.exe
"C:\Users\Admin\AppData\Local\Temp\7E58.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1352

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:5048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:768

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:1404

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4912

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:5000

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:4140

C:\Users\Admin\AppData\Local\Temp\9ACA.exe
C:\Users\Admin\AppData\Local\Temp\9ACA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\is-O9TOA.tmp\9ACA.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O9TOA.tmp\9ACA.tmp" /SL5="$6020E,7932209,54272,C:\Users\Admin\AppData\Local\Temp\9ACA.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2012

C:\Users\Admin\AppData\Local\Temp\BC1E.exe
C:\Users\Admin\AppData\Local\Temp\BC1E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\is-INKOE.tmp\BC1E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-INKOE.tmp\BC1E.tmp" /SL5="$8023A,7905477,54272,C:\Users\Admin\AppData\Local\Temp\BC1E.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2948

C:\Users\Admin\AppData\Local\Temp\C343.exe
C:\Users\Admin\AppData\Local\Temp\C343.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4568

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\A519.exe
C:\Users\Admin\AppData\Local\Temp\A519.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:3052

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Maildelivery\stuff\is-R2948.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C37.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C37.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D41.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D41.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E9A.exe

Filesize
382KB

MD5
d8aff64273bcd3ef2208d6c4b0214d24

SHA1
593273f5f0e1bc79e15a18b5ca19a51ecdf1e9b1

SHA256
a9d74ae5f8e2319b1333b898747853bd0d39907eba2f4575db81156b67630283

SHA512
bebac874198ac8e006e2549086436e8f0fd71e7d4de21c81434b504d8cbf8000d2ff32f0e1757236df73399b0bfab2ea22ca7a5caeb4306bcaa617f14816649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E9A.exe

Filesize
382KB

MD5
d8aff64273bcd3ef2208d6c4b0214d24

SHA1
593273f5f0e1bc79e15a18b5ca19a51ecdf1e9b1

SHA256
a9d74ae5f8e2319b1333b898747853bd0d39907eba2f4575db81156b67630283

SHA512
bebac874198ac8e006e2549086436e8f0fd71e7d4de21c81434b504d8cbf8000d2ff32f0e1757236df73399b0bfab2ea22ca7a5caeb4306bcaa617f14816649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\609C.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F1.exe

Filesize
238KB

MD5
3360e36d09f1a80dfe8c8f5361c5ad6a

SHA1
bcbf2ea75ba44949c378ffaa42c28c17a94838fe

SHA256
c569124751e16898835e2c3e7bf749631ad07e3845661ceb8505a810ee8d0cba

SHA512
3f2324d73749ecae57d155464e8c04be27e8e027f39f05d1ffd6db7ee99219a882f7c9c04208139f108922e174fa8c4719e47824cac82d567c2092c719d5b076

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F1.exe

Filesize
238KB

MD5
3360e36d09f1a80dfe8c8f5361c5ad6a

SHA1
bcbf2ea75ba44949c378ffaa42c28c17a94838fe

SHA256
c569124751e16898835e2c3e7bf749631ad07e3845661ceb8505a810ee8d0cba

SHA512
3f2324d73749ecae57d155464e8c04be27e8e027f39f05d1ffd6db7ee99219a882f7c9c04208139f108922e174fa8c4719e47824cac82d567c2092c719d5b076

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E58.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E58.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E58.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ACA.exe

Filesize
7.8MB

MD5
ed16b69ced2918ba59c703fd7ff7be8e

SHA1
ec5d8cd15e4efa76a9e179da8213ed29c2133d7a

SHA256
dd92b0e6389678ee73ca443c1426b1e050c4de79d35791062b6982399428ad69

SHA512
af723c6d7887e63cc016a6970f131b1072e58eb48668c8663f2ad4a010a2b65d49a80e22b8c40e391b80b5448ca1275e39dd4953688d9f1c3db78967278ecab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ACA.exe

Filesize
7.8MB

MD5
ed16b69ced2918ba59c703fd7ff7be8e

SHA1
ec5d8cd15e4efa76a9e179da8213ed29c2133d7a

SHA256
dd92b0e6389678ee73ca443c1426b1e050c4de79d35791062b6982399428ad69

SHA512
af723c6d7887e63cc016a6970f131b1072e58eb48668c8663f2ad4a010a2b65d49a80e22b8c40e391b80b5448ca1275e39dd4953688d9f1c3db78967278ecab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A519.exe

Filesize
6.4MB

MD5
a4ce9eab6facc5c9a722e408f735ee2a

SHA1
d36c9f8b0c205dc821aa18b65536e1619ea54b69

SHA256
3e2dde3ce6cb7daee5e76108d39449b867e592e22faefe63991ebbf282834483

SHA512
270f906ae6101d57c2672671aa7bf7bd120f8e4eda6e2135bbc7aeb3a3b16bbf3a11099a66b81d0d58c3fa4a7fbb6bd1688516b5be5706b9f1471b6d816d03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A519.exe

Filesize
6.4MB

MD5
a4ce9eab6facc5c9a722e408f735ee2a

SHA1
d36c9f8b0c205dc821aa18b65536e1619ea54b69

SHA256
3e2dde3ce6cb7daee5e76108d39449b867e592e22faefe63991ebbf282834483

SHA512
270f906ae6101d57c2672671aa7bf7bd120f8e4eda6e2135bbc7aeb3a3b16bbf3a11099a66b81d0d58c3fa4a7fbb6bd1688516b5be5706b9f1471b6d816d03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC1E.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC1E.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C343.exe

Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C343.exe

Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0p32vanr.spo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-INKOE.tmp\BC1E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-INKOE.tmp\BC1E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9TOA.tmp\9ACA.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9TOA.tmp\9ACA.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q09IE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q09IE.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q09IE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\urahhtw

Filesize
238KB

MD5
3360e36d09f1a80dfe8c8f5361c5ad6a

SHA1
bcbf2ea75ba44949c378ffaa42c28c17a94838fe

SHA256
c569124751e16898835e2c3e7bf749631ad07e3845661ceb8505a810ee8d0cba

SHA512
3f2324d73749ecae57d155464e8c04be27e8e027f39f05d1ffd6db7ee99219a882f7c9c04208139f108922e174fa8c4719e47824cac82d567c2092c719d5b076

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
43aa508112bf7bb875d5dfe0f3d6c6fa

SHA1
6b61c08db61e34ef1af5f805a15e216990468e5b

SHA256
97b012421596434e6106162c2abe5437469dcfaf260314e237608181df871cd7

SHA512
29e8b4dc943f048ea175c005cfc364505af146d6a3b9864d9c7253a1830f87b8c3d9fa10391357eda138577633fcb98115d2a8abc5f63fc4e5b7aff6aefd6963

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
1835105ffbe764929b5796bb3c7599c4

SHA1
1641323c6e75facb6496ccc0776a6e5dc986223b

SHA256
402499b939f9902c269f33b2ae579e6377799486b87fc72ee848e54d32883f01

SHA512
2fd2d3d66e4f8e226b3618edf3a6dcbb8aa6ca5cb0019fed09c5470002d1c64f481c734bb9056ebba5eaa5d9847dd3ac90751c4971ed64512fb6f19bdd445850

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
46949704b71012acb57621768170ff61

SHA1
32b0e1e4b05a7db9a64e30cde92a90e28f758189

SHA256
599bf60a6d4a70b3ac8d07b2fabee9fface00a00a5220dc25be1e2f3d8ebdd3d

SHA512
28a6e232407466dab675f12d046f1cce0213ff0b513087f3a33209d35c123e4c9688f4b7c1a5e627f103060c0be2a02c7627a257183db9fd87e6f8bdc26fb625

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ca64cc5ba6e622d7f4813a84bfa60bf9

SHA1
7883b430a295131caa43aa61c506e7ddb59a1e55

SHA256
39f7627ae8942278ce5432f96158879bd1bb2a27c634d4b537ca81586ce5783e

SHA512
b059125225aac8bb9012dc9d163065698b987074fe224db852a2de227e0b1bb0c45c8840335cc02a1b9a5d8089e3d53821b1ab56c471a3789b32fbdf47f0cfa5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
7b1aea1eab0befe04058990003fec692

SHA1
e9f00b71f710487045a1c1ddd49fda49521eb455

SHA256
3ba7390bfd83c8ebd1eb4d1a01af4e9750dcd2af7fdc21d7e0de4d90b19b9cac

SHA512
599efc15dfd9604814bb3fc6468793986dc63c86d62c73da7a1b22ca625e1658ac6cc316349374eefcc6c1e34e5d5eb2f514c3304c78348d338036032c740e6f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Users\Admin\AppData\Local\Temp\609C.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
\Users\Admin\AppData\Local\Temp\is-1FN31.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-1FN31.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-1FN31.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q09IE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q09IE.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q09IE.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/616-38-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/616-129-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/616-124-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/616-122-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/616-131-0x0000000007530000-0x0000000007630000-memory.dmp

Filesize
1024KB

Download
memory/616-26-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/616-137-0x0000000007530000-0x0000000007630000-memory.dmp

Filesize
1024KB

Download
memory/616-120-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/616-142-0x0000000007530000-0x0000000007630000-memory.dmp

Filesize
1024KB

Download
memory/616-117-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/616-141-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/616-118-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/616-126-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/616-107-0x0000000006E10000-0x0000000006FA2000-memory.dmp

Filesize
1.6MB

Download
memory/616-96-0x0000000005AB0000-0x0000000005CD8000-memory.dmp

Filesize
2.2MB

Download
memory/616-497-0x0000000007530000-0x0000000007630000-memory.dmp

Filesize
1024KB

Download
memory/616-37-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/616-29-0x0000000000230000-0x0000000000744000-memory.dmp

Filesize
5.1MB

Download
memory/616-35-0x00000000051F0000-0x000000000528C000-memory.dmp

Filesize
624KB

Download
memory/616-34-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/616-32-0x00000000054B0000-0x00000000059AE000-memory.dmp

Filesize
5.0MB

Download
memory/1700-527-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/2012-507-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2012-266-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2368-456-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2368-603-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2496-5-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2496-2-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/2496-1-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/2496-3-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2708-130-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2708-127-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2708-133-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2708-144-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2948-614-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2948-465-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3244-44-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/3244-46-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3244-72-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3244-43-0x0000000000B20000-0x0000000000C20000-memory.dmp

Filesize
1024KB

Download
memory/3244-205-0x0000000000B20000-0x0000000000C20000-memory.dmp

Filesize
1024KB

Download
memory/3264-156-0x0000000000E70000-0x0000000000E86000-memory.dmp

Filesize
88KB

Download
memory/3264-4-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/3500-160-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3500-89-0x0000000002450000-0x000000000245B000-memory.dmp

Filesize
44KB

Download
memory/3500-88-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/3500-90-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3664-61-0x000000000A2C0000-0x000000000A336000-memory.dmp

Filesize
472KB

Download
memory/3664-85-0x000000000AFD0000-0x000000000B192000-memory.dmp

Filesize
1.8MB

Download
memory/3664-169-0x00000000094C0000-0x00000000094D0000-memory.dmp

Filesize
64KB

Download
memory/3664-47-0x0000000009420000-0x000000000946B000-memory.dmp

Filesize
300KB

Download
memory/3664-62-0x000000000A3C0000-0x000000000A3DE000-memory.dmp

Filesize
120KB

Download
memory/3664-45-0x00000000093E0000-0x000000000941E000-memory.dmp

Filesize
248KB

Download
memory/3664-154-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-63-0x000000000A670000-0x000000000A6C0000-memory.dmp

Filesize
320KB

Download
memory/3664-42-0x00000000094D0000-0x00000000095DA000-memory.dmp

Filesize
1.0MB

Download
memory/3664-461-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-40-0x0000000009380000-0x0000000009392000-memory.dmp

Filesize
72KB

Download
memory/3664-39-0x0000000009AE0000-0x000000000A0E6000-memory.dmp

Filesize
6.0MB

Download
memory/3664-36-0x00000000094C0000-0x00000000094D0000-memory.dmp

Filesize
64KB

Download
memory/3664-86-0x000000000B6D0000-0x000000000BBFC000-memory.dmp

Filesize
5.2MB

Download
memory/3664-33-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3664-58-0x0000000009810000-0x0000000009876000-memory.dmp

Filesize
408KB

Download
memory/4172-481-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4172-199-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4172-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4400-1097-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4400-1386-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4400-1612-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4464-167-0x00000000043B0000-0x00000000044F3000-memory.dmp

Filesize
1.3MB

Download
memory/4464-56-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/4464-219-0x0000000004500000-0x0000000004627000-memory.dmp

Filesize
1.2MB

Download
memory/4464-200-0x0000000004500000-0x0000000004627000-memory.dmp

Filesize
1.2MB

Download
memory/4464-190-0x0000000004500000-0x0000000004627000-memory.dmp

Filesize
1.2MB

Download
memory/4464-55-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/4484-151-0x0000000002930000-0x0000000002D36000-memory.dmp

Filesize
4.0MB

Download
memory/4484-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4484-162-0x0000000002D40000-0x000000000362B000-memory.dmp

Filesize
8.9MB

Download
memory/4484-166-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4484-834-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4484-525-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4484-844-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4568-517-0x0000000002930000-0x000000000299B000-memory.dmp

Filesize
428KB

Download
memory/4792-499-0x00000000010E0000-0x0000000001116000-memory.dmp

Filesize
216KB

Download
memory/4792-501-0x00000000738B0000-0x0000000073F9E000-memory.dmp

Filesize
6.9MB

Download
memory/4792-505-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/4792-504-0x0000000007020000-0x0000000007648000-memory.dmp

Filesize
6.2MB

Download
memory/4920-500-0x0000000000EA0000-0x0000000001732000-memory.dmp

Filesize
8.6MB

Download
memory/4920-508-0x0000000074430000-0x0000000074500000-memory.dmp

Filesize
832KB

Download
memory/4920-503-0x0000000076590000-0x0000000076752000-memory.dmp

Filesize
1.8MB

Download
memory/4920-502-0x0000000076590000-0x0000000076752000-memory.dmp

Filesize
1.8MB

Download
memory/5048-1880-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download