glupteba | cb06f831ee9395ed528e0e5a5b5cf72307c4b187e7328394c5953a05c518f4b3

Analysis

max time kernel
72s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

913924d8bd636db613f0c2378e8623f2.exe
Size

231KB
MD5

913924d8bd636db613f0c2378e8623f2
SHA1

f74a9431546b19755c75b44436b05128e95e463a
SHA256

cb06f831ee9395ed528e0e5a5b5cf72307c4b187e7328394c5953a05c518f4b3
SHA512

9c139e54a99beb874f06506e7888c3d06c03e3f5af5f58dc6ffe5631ba7525302f3b2f7c1686b0220081592b740bbca4b80dce14d6accb40f69c4f3c8fc9f9dc
SSDEEP

3072:o3F1g7UIzn82zaacuiqHKIyAuWG02BjRWo7toGiWHOK:GigIb822DeHKsiY6BH

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

57.128.155.22:20154

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F79E.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\F79E.exe	family_zgrat_v1
behavioral2/memory/3576-23-0x00000000005A0000-0x0000000000AB4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3724-53-0x0000000002DC0000-0x00000000036AB000-memory.dmp	family_glupteba
behavioral2/memory/3724-54-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3724-237-0x0000000002DC0000-0x00000000036AB000-memory.dmp	family_glupteba
behavioral2/memory/3724-282-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3724-532-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2648-663-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2648-676-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2600-790-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2432-31-0x00000000009B0000-0x00000000009C6000-memory.dmp	family_raccoon_v2
behavioral2/memory/2432-32-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral2/memory/2432-216-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/740-499-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

302A.exemi.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 302A.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mi.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4544 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	302A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mi.exe

pid	process
4544	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mi.exe302A.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	302A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	302A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mi.exe

Deletes itself 1 IoCs

Processes:

pid process

3308

pid	process
3308

Executes dropped EXE 17 IoCs

Processes:

F79E.exeF8C8.exe211.exe6C5.exe1184.exe1184.tmpmdeliverylib.exemdeliverylib.exe28F5.exe28F5.tmp302A.exeMaildelivery.exeWerFault.exeMaildelivery.exe6C5.exemi.execsrss.exe

pid	process
3576	F79E.exe
2432	F8C8.exe
4736	211.exe
3724	6C5.exe
2040	1184.exe
2288	1184.tmp
3880	mdeliverylib.exe
4924	mdeliverylib.exe
1308	28F5.exe
4216	28F5.tmp
4056	302A.exe
4592	Maildelivery.exe
3056	WerFault.exe
3536	Maildelivery.exe
2648	6C5.exe
380	mi.exe
2600	csrss.exe

Loads dropped DLL 8 IoCs

Processes:

regsvr32.exe1184.tmpF79E.exe28F5.tmp

pid process

3892 regsvr32.exe
2288 1184.tmp
2288 1184.tmp
2288 1184.tmp
3576 F79E.exe
4216 28F5.tmp
4216 28F5.tmp
4216 28F5.tmp

pid	process
3892	regsvr32.exe
2288	1184.tmp
2288	1184.tmp
2288	1184.tmp
3576	F79E.exe
4216	28F5.tmp
4216	28F5.tmp
4216	28F5.tmp

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\302A.exe	themida
C:\Users\Admin\AppData\Local\Temp\302A.exe	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
behavioral2/memory/380-665-0x00007FF6B8660000-0x00007FF6B93CE000-memory.dmp	themida
behavioral2/memory/380-670-0x00007FF6B8660000-0x00007FF6B93CE000-memory.dmp	themida
behavioral2/memory/380-671-0x00007FF6B8660000-0x00007FF6B93CE000-memory.dmp	themida
C:\ProgramData\Google\Chrome\updater.exe	themida
C:\ProgramData\Google\Chrome\updater.exe	themida

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6C5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	6C5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

302A.exemi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	302A.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mi.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeConhost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

302A.exemi.exe

pid process

4056 302A.exe
380 mi.exe

pid	process
4056	302A.exe
380	mi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

F79E.exeWerFault.exe

description	pid	process	target process
PID 3576 set thread context of 1868	3576	F79E.exe	RegSvcs.exe
PID 3056 set thread context of 740	3056	WerFault.exe	AppLaunch.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

6C5.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 6C5.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	6C5.exe

Drops file in Program Files directory 64 IoCs

Processes:

28F5.tmp1184.tmp

description	ioc	process
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-V8U2J.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5VUGF.tmp	28F5.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\Maildelivery.exe	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-EPVD7.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-TN91J.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\is-9ANTL.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-HMOGD.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-P87LN.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-65E0U.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-MPAJ6.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-AEK4C.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5IRRM.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-9P30U.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-K3IL9.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-1KE6F.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-ORPKQ.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-3G6BL.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-11B1T.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-O8VO4.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-UGBT7.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-92J93.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-6M2CE.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-TNSCO.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-QGNEL.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-9CFKI.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-5251L.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-L3218.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-2O5US.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-0BBNC.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-97INE.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-K1H6B.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-2Q325.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-CH8AJ.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-6NEF9.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-6ANGQ.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\lessmsi\is-RS20A.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-4DR7O.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-26T63.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-EO2IF.tmp	28F5.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\uninstall\unins000.dat	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-NVD6D.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-6V1MQ.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-J50SO.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-T2E64.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-11QJT.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-BR0NH.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-RMEQI.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-4DOKE.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-JAA5C.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-A81DV.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-40M2V.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-1SIFH.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-SM9SH.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-N9AJ4.tmp	28F5.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-1HHB1.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-3QB4G.tmp	1184.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-5APL5.tmp	1184.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-FKM0J.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-BKNC8.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-3VLR1.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-Q6R8C.tmp	28F5.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-TDMAJ.tmp	28F5.tmp

Drops file in Windows directory 2 IoCs

Processes:

6C5.exe

description ioc process

File opened for modification C:\Windows\rss 6C5.exe
File created C:\Windows\rss\csrss.exe 6C5.exe

description	ioc	process
File opened for modification	C:\Windows\rss	6C5.exe
File created	C:\Windows\rss\csrss.exe	6C5.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1800	sc.exe
964	sc.exe
5092	sc.exe
708	sc.exe
5024	sc.exe
4832	sc.exe
3576	sc.exe
1160	sc.exe
4260	sc.exe
4976	sc.exe
1800	sc.exe
756	sc.exe
3724	sc.exe
4176	sc.exe
2884	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4684 1868 WerFault.exe RegSvcs.exe
1200 3724 WerFault.exe 6C5.exe
4380 2432 WerFault.exe F8C8.exe

pid	pid_target	process	target process
4684	1868	WerFault.exe	RegSvcs.exe
1200	3724	WerFault.exe	6C5.exe
4380	2432	WerFault.exe	F8C8.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

211.exe913924d8bd636db613f0c2378e8623f2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	211.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	211.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	913924d8bd636db613f0c2378e8623f2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	913924d8bd636db613f0c2378e8623f2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	913924d8bd636db613f0c2378e8623f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	211.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4876 schtasks.exe
4364 schtasks.exe

pid	process
4876	schtasks.exe
4364	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

6C5.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	6C5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	6C5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	6C5.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

913924d8bd636db613f0c2378e8623f2.exe

pid	process
1620	913924d8bd636db613f0c2378e8623f2.exe
1620	913924d8bd636db613f0c2378e8623f2.exe
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3308
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

913924d8bd636db613f0c2378e8623f2.exe211.exe

pid process

1620 913924d8bd636db613f0c2378e8623f2.exe
4736 211.exe
3308
3308
3308
3308

pid	process
3308

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesc.exe

description	pid	process
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeDebugPrivilege	3724	sc.exe
Token: SeImpersonatePrivilege	3724	sc.exe
Token: SeShutdownPrivilege	3308

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe1184.exe1184.tmp302A.exe6C5.exeF79E.exe28F5.exe28F5.tmp

description	pid	process	target process
PID 3308 wrote to memory of 3576	3308		F79E.exe
PID 3308 wrote to memory of 3576	3308		F79E.exe
PID 3308 wrote to memory of 3576	3308		F79E.exe
PID 3308 wrote to memory of 2432	3308		F8C8.exe
PID 3308 wrote to memory of 2432	3308		F8C8.exe
PID 3308 wrote to memory of 2432	3308		F8C8.exe
PID 3308 wrote to memory of 1624	3308		regsvr32.exe
PID 3308 wrote to memory of 1624	3308		regsvr32.exe
PID 1624 wrote to memory of 3892	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 3892	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 3892	1624	regsvr32.exe	regsvr32.exe
PID 3308 wrote to memory of 4736	3308		211.exe
PID 3308 wrote to memory of 4736	3308		211.exe
PID 3308 wrote to memory of 4736	3308		211.exe
PID 3308 wrote to memory of 3724	3308		6C5.exe
PID 3308 wrote to memory of 3724	3308		6C5.exe
PID 3308 wrote to memory of 3724	3308		6C5.exe
PID 3308 wrote to memory of 2040	3308		1184.exe
PID 3308 wrote to memory of 2040	3308		1184.exe
PID 3308 wrote to memory of 2040	3308		1184.exe
PID 2040 wrote to memory of 2288	2040	1184.exe	1184.tmp
PID 2040 wrote to memory of 2288	2040	1184.exe	1184.tmp
PID 2040 wrote to memory of 2288	2040	1184.exe	1184.tmp
PID 2288 wrote to memory of 3624	2288	1184.tmp	schtasks.exe
PID 2288 wrote to memory of 3624	2288	1184.tmp	schtasks.exe
PID 2288 wrote to memory of 3624	2288	1184.tmp	schtasks.exe
PID 2288 wrote to memory of 3880	2288	1184.tmp	mdeliverylib.exe
PID 2288 wrote to memory of 3880	2288	1184.tmp	mdeliverylib.exe
PID 2288 wrote to memory of 3880	2288	1184.tmp	mdeliverylib.exe
PID 2288 wrote to memory of 4056	2288	1184.tmp	302A.exe
PID 2288 wrote to memory of 4056	2288	1184.tmp	302A.exe
PID 2288 wrote to memory of 4056	2288	1184.tmp	302A.exe
PID 2288 wrote to memory of 4924	2288	1184.tmp	mdeliverylib.exe
PID 2288 wrote to memory of 4924	2288	1184.tmp	mdeliverylib.exe
PID 2288 wrote to memory of 4924	2288	1184.tmp	mdeliverylib.exe
PID 4056 wrote to memory of 4840	4056	302A.exe	net1.exe
PID 4056 wrote to memory of 4840	4056	302A.exe	net1.exe
PID 4056 wrote to memory of 4840	4056	302A.exe	net1.exe
PID 3724 wrote to memory of 2836	3724	6C5.exe	powershell.exe
PID 3724 wrote to memory of 2836	3724	6C5.exe	powershell.exe
PID 3724 wrote to memory of 2836	3724	6C5.exe	powershell.exe
PID 3308 wrote to memory of 1308	3308		28F5.exe
PID 3308 wrote to memory of 1308	3308		28F5.exe
PID 3308 wrote to memory of 1308	3308		28F5.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 3576 wrote to memory of 1868	3576	F79E.exe	RegSvcs.exe
PID 1308 wrote to memory of 4216	1308	28F5.exe	28F5.tmp
PID 1308 wrote to memory of 4216	1308	28F5.exe	28F5.tmp
PID 1308 wrote to memory of 4216	1308	28F5.exe	28F5.tmp
PID 3308 wrote to memory of 4056	3308		302A.exe
PID 3308 wrote to memory of 4056	3308		302A.exe
PID 3308 wrote to memory of 4056	3308		302A.exe
PID 4216 wrote to memory of 5096	4216	28F5.tmp	schtasks.exe
PID 4216 wrote to memory of 5096	4216	28F5.tmp	schtasks.exe
PID 4216 wrote to memory of 5096	4216	28F5.tmp	schtasks.exe
PID 4216 wrote to memory of 4592	4216	28F5.tmp	Maildelivery.exe
PID 4216 wrote to memory of 4592	4216	28F5.tmp	Maildelivery.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\913924d8bd636db613f0c2378e8623f2.exe
"C:\Users\Admin\AppData\Local\Temp\913924d8bd636db613f0c2378e8623f2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1620

C:\Users\Admin\AppData\Local\Temp\F79E.exe
C:\Users\Admin\AppData\Local\Temp\F79E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 740
3⤵
- Program crash
PID:4684

C:\Users\Admin\AppData\Local\Temp\F8C8.exe
C:\Users\Admin\AppData\Local\Temp\F8C8.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 7300
2⤵
- Program crash
PID:4380

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FCB1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\FCB1.dll
2⤵
- Loads dropped DLL
PID:3892

C:\Users\Admin\AppData\Local\Temp\211.exe
C:\Users\Admin\AppData\Local\Temp\211.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4736

C:\Users\Admin\AppData\Local\Temp\6C5.exe
C:\Users\Admin\AppData\Local\Temp\6C5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 988
2⤵
- Program crash
PID:1200

C:\Users\Admin\AppData\Local\Temp\6C5.exe
"C:\Users\Admin\AppData\Local\Temp\6C5.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3156

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4988

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3464

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2228

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:2244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
PID:2224

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:2492

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4364

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:228

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
4⤵
PID:3384

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "csrss" /f
5⤵
PID:2156

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "ScheduledUpdate" /f
5⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\1184.exe
C:\Users\Admin\AppData\Local\Temp\1184.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\is-34DDK.tmp\1184.tmp
"C:\Users\Admin\AppData\Local\Temp\is-34DDK.tmp\1184.tmp" /SL5="$501EE,7932209,54272,C:\Users\Admin\AppData\Local\Temp\1184.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:3624

C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe
"C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe" -i
3⤵
- Executes dropped EXE
PID:3880

C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe
"C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe" -s
3⤵
- Executes dropped EXE
PID:4924

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
3⤵
PID:4056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
4⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\is-NPGJT.tmp\28F5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NPGJT.tmp\28F5.tmp" /SL5="$501F2,7905477,54272,C:\Users\Admin\AppData\Local\Temp\28F5.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
2⤵
PID:5096

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -i
2⤵
- Executes dropped EXE
PID:4592

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -s
2⤵
- Executes dropped EXE
PID:3536

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
2⤵
PID:4756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\302A.exe
C:\Users\Admin\AppData\Local\Temp\302A.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\28F5.exe
C:\Users\Admin\AppData\Local\Temp\28F5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1868 -ip 1868
1⤵
PID:4632

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4800

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\32CB.exe
C:\Users\Admin\AppData\Local\Temp\32CB.exe
1⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:380

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:2996

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:3600

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:5092

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:5024

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:1800

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2228

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:3884

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:964

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:4468

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:3260

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:4176

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4260

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4832

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3724 -ip 3724
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2432 -ip 2432
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3056

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:4180

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
PID:4540

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3456

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:2420

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4976

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:964

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:1892

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:3236

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:5108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:1784

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4372

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:3184

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe

Filesize
3.5MB

MD5
b059487c088313cc077fadae5ed4f6e6

SHA1
1ecdfc58d1949fa96302232a9021acd6192fe9c0

SHA256
3cb709f9a03313d8a89a5628f9f43de69adadb27b657b9631c1460f0640f0344

SHA512
59c20706353889691d257f6603decd6159b40c1ba546e0bb70b95359962e2d69b76c63ef82a1d6f5a8bf877793abefe9661f8e5b30cc0e19b8430e20366368d5

Download Submit
C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe

Filesize
3.5MB

MD5
b059487c088313cc077fadae5ed4f6e6

SHA1
1ecdfc58d1949fa96302232a9021acd6192fe9c0

SHA256
3cb709f9a03313d8a89a5628f9f43de69adadb27b657b9631c1460f0640f0344

SHA512
59c20706353889691d257f6603decd6159b40c1ba546e0bb70b95359962e2d69b76c63ef82a1d6f5a8bf877793abefe9661f8e5b30cc0e19b8430e20366368d5

Download Submit
C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe

Filesize
3.5MB

MD5
b059487c088313cc077fadae5ed4f6e6

SHA1
1ecdfc58d1949fa96302232a9021acd6192fe9c0

SHA256
3cb709f9a03313d8a89a5628f9f43de69adadb27b657b9631c1460f0640f0344

SHA512
59c20706353889691d257f6603decd6159b40c1ba546e0bb70b95359962e2d69b76c63ef82a1d6f5a8bf877793abefe9661f8e5b30cc0e19b8430e20366368d5

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\bin\x86\is-A2JIA.tmp

Filesize
110KB

MD5
bdb65dce335ac29eccbc2ca7a7ad36b7

SHA1
ce7678dcf7af0dbf9649b660db63db87325e6f69

SHA256
7ec9ee07bfd67150d1bc26158000436b63ca8dbb2623095c049e06091fa374c3

SHA512
8aabca6be47a365acd28df8224f9b9b5e1654f67e825719286697fb9e1b75478dddf31671e3921f06632eed5bb3dda91d81e48d4550c2dcd8e2404d566f1bc29

Download Submit
C:\Program Files (x86)\Maildelivery\stuff\is-CH8AJ.tmp

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Program Files (x86)\Maildelivery\stuff\is-GMH0P.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\ProgramData\SHelperTrack\SHelperTrack.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\ProgramData\resource.dat

Filesize
128B

MD5
785bb7f0b0cef59c39b9f5e21cd2fd04

SHA1
1e1ffdee1584a00bde18bd7bd19c02988301c250

SHA256
90b35ec0c6b41acec2c9bb51cddcb6339fb035c222766a4ca4cbb15b7a7d8853

SHA512
6d2449e111f7f059734960b83b0b090a7239ee2d93eb70f839ecddaa640658b90667f123cfb4fe8e0f5dc0a854a47b62aa2fcaf971d08b9118cac840dbf999eb

Download Submit
C:\ProgramData\ts.dat

Filesize
8B

MD5
ae56970804d6007998afb6a582f471ce

SHA1
1136ec78b964c5e39512d3021b7250a56c9362d5

SHA256
e8351dd20f07263cf128f4fc589039ac4a1f9e6bc09460bdb98c4bf00c21cbbb

SHA512
b228aa0fbe555df799a09ad3c4d53b9999a30c86ec500d369243361fa9ae22e37ffa56133c1656e084a35be902a3aa2a7313f9c62271f20de2216861191b500a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1184.exe

Filesize
7.8MB

MD5
2610f02d471413638a0803fb123446ed

SHA1
1ca5fee0846ee82ae32aec2094fcdfc18f171ed5

SHA256
25d108b6c1ecfab91963895718024c74f56a6695b29176b41506da20cb82bc86

SHA512
a928921308eb605aff9571ea52fb3abfc3f5dc28956197d477a1c435993804d843f8602b61c51511bbd323051f8aaa1d1fb1f18907bea77fc2533fa7f415db80

Download Submit
C:\Users\Admin\AppData\Local\Temp\1184.exe

Filesize
7.8MB

MD5
2610f02d471413638a0803fb123446ed

SHA1
1ca5fee0846ee82ae32aec2094fcdfc18f171ed5

SHA256
25d108b6c1ecfab91963895718024c74f56a6695b29176b41506da20cb82bc86

SHA512
a928921308eb605aff9571ea52fb3abfc3f5dc28956197d477a1c435993804d843f8602b61c51511bbd323051f8aaa1d1fb1f18907bea77fc2533fa7f415db80

Download Submit
C:\Users\Admin\AppData\Local\Temp\211.exe

Filesize
230KB

MD5
5d41949bed012250026e0d4b090c1687

SHA1
bdc468f92299a309a041d7d1ee21a07066e738be

SHA256
0a74a18fe824e8366e19583d77ec32e4d9d1ed3c8e7268b93405ca7184741653

SHA512
07faae9abd5b1a473c04bdc3585c229887e4459365ff66eb8b19788b628d75e44062d3dfe3f6640186d53997d221fc3a7508619f61b8ae1f84394927b8e0c52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\211.exe

Filesize
230KB

MD5
5d41949bed012250026e0d4b090c1687

SHA1
bdc468f92299a309a041d7d1ee21a07066e738be

SHA256
0a74a18fe824e8366e19583d77ec32e4d9d1ed3c8e7268b93405ca7184741653

SHA512
07faae9abd5b1a473c04bdc3585c229887e4459365ff66eb8b19788b628d75e44062d3dfe3f6640186d53997d221fc3a7508619f61b8ae1f84394927b8e0c52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\28F5.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\28F5.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\302A.exe

Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\302A.exe

Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\32CB.exe

Filesize
439KB

MD5
b51bc8f85b7ba047b35022f505066b72

SHA1
4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a

SHA256
fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757

SHA512
7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\32CB.exe

Filesize
439KB

MD5
b51bc8f85b7ba047b35022f505066b72

SHA1
4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a

SHA256
fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757

SHA512
7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C5.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C5.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C5.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Users\Admin\AppData\Local\Temp\F79E.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F79E.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C8.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C8.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB1.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB1.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_faotg1oz.34u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-34DDK.tmp\1184.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-34DDK.tmp\1184.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D05H9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D05H9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D05H9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D05H9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D05H9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D05H9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPGJT.tmp\28F5.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPGJT.tmp\28F5.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RBF3P.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RBF3P.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RBF3P.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\Users\Admin\AppData\Roaming\fbjhaad

Filesize
230KB

MD5
5d41949bed012250026e0d4b090c1687

SHA1
bdc468f92299a309a041d7d1ee21a07066e738be

SHA256
0a74a18fe824e8366e19583d77ec32e4d9d1ed3c8e7268b93405ca7184741653

SHA512
07faae9abd5b1a473c04bdc3585c229887e4459365ff66eb8b19788b628d75e44062d3dfe3f6640186d53997d221fc3a7508619f61b8ae1f84394927b8e0c52f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
eb97ee768b23f84e0e06f156ac2486f6

SHA1
7420148e66e04b36429eb8eb5af7dd8c59ad01da

SHA256
e152332337abaaa4a750c59a734af0668844df4bff97998a0f04b31d28300890

SHA512
410293a69c3ad6c1b2b003462c9690db2a73f7187dd84f631821148095466092be0912d16cf142e438e09f2511ea99fd2f60e8fb199eee1f461b5c0aa435e496

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bdee5dab8f0b73e00666044f2d81c8c1

SHA1
5189ec1e98f014c421fc4f3970acf1f29451c8ae

SHA256
4d4b18315dcee02eb1bfee193a9bf06d340068000f9a11ac2af152852838289f

SHA512
088fccfd7ad60d2698acced02a12c109b0eb55a7baa3a1d28208c4277d5d69950eec4ebce2ab1afaa1cda1a46de5db59f7eed553dc7a47a8e7b3c623c71469c3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1f87e348340f8d199944f8e22347c5dc

SHA1
eda6a416ded1667c2b5072a7d1c83f61d0ac5126

SHA256
72216ddb159f37adaa212f718edea890f0c54a6cec0519763b770f477c7ddd22

SHA512
2f3c19a09c03aed2ba0526636b589bbbed07724a4b2c8bd78ffbedd952f48bc529b92a5cb7e84f253169d26c585393298738f587a60155e312e3a0a49554d1a9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
500a61339dd095b746c6b0672272a26d

SHA1
25c842f7b65ab567b835161c8ba5796d1db23c72

SHA256
c50517031ed8b28295dd9d40a270afb309901c6fb71b1be8e259e33e792800a3

SHA512
a54fcd44604ee8c31ddea2ff0f694ad3d53bfdcb2404f45e311c766f31a8316645a6ea700588e7445db06749ffdd972b364cb87fb394d78cb17a01bb56216ef5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0de6ea9cb3dfe318518a0f839ebd39af

SHA1
e4920b0cee59921ddba726f98fbc48d7a7f56f97

SHA256
3ed147f357e8dda85bd86409c84859ae81e24139ce7e6909c2cf6127dc933bf5

SHA512
1494aaab30ebd46b03ee76613e439c0a0f1781ffe0d2eda0eed076d80d2d45205e7ab948c0ea2c74fac8c1e7e043b6768835198d1cffeed3858e83509be5ec06

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
eb2d232d05bc785b8f5c1e21a1ca0b0e

SHA1
b0f38640593f9e02ca18219bd75863ff8a668f78

SHA256
77c648b6e84cc30df97871051d4f3de3ccd1dd47f2d974bc60d244c78eecd22d

SHA512
8ade46fac3e882904aa8f21c8c5f2c273b8172366d84232ef588991e9e5112bb287935ff2567ab69e729063a4f1ad105277b711e25d36e2eb3cfd4f6c6a1cb64

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/380-671-0x00007FF6B8660000-0x00007FF6B93CE000-memory.dmp

Filesize
13.4MB

Download
memory/380-670-0x00007FF6B8660000-0x00007FF6B93CE000-memory.dmp

Filesize
13.4MB

Download
memory/380-665-0x00007FF6B8660000-0x00007FF6B93CE000-memory.dmp

Filesize
13.4MB

Download
memory/740-499-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-267-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1308-283-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1620-2-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/1620-3-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/1620-5-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/1620-1-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/1868-277-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-273-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-271-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-286-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2040-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2040-284-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2288-81-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2288-474-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2432-29-0x0000000000BF0000-0x0000000000CF0000-memory.dmp

Filesize
1024KB

Download
memory/2432-32-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2432-216-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2432-31-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/2432-214-0x0000000000BF0000-0x0000000000CF0000-memory.dmp

Filesize
1024KB

Download
memory/2600-790-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-663-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-676-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2836-250-0x00000000055A0000-0x00000000058F4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-235-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2836-236-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2836-249-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/2836-244-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/2836-444-0x0000000006D60000-0x0000000006DD6000-memory.dmp

Filesize
472KB

Download
memory/2836-251-0x0000000005A30000-0x0000000005A4E000-memory.dmp

Filesize
120KB

Download
memory/2836-238-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/2836-233-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/2836-232-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2836-231-0x0000000002420000-0x0000000002456000-memory.dmp

Filesize
216KB

Download
memory/2836-429-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2836-285-0x0000000005F80000-0x0000000005FC4000-memory.dmp

Filesize
272KB

Download
memory/2836-252-0x0000000005A70000-0x0000000005ABC000-memory.dmp

Filesize
304KB

Download
memory/3308-217-0x0000000002A40000-0x0000000002A56000-memory.dmp

Filesize
88KB

Download
memory/3308-4-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/3536-589-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/3536-716-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/3536-800-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/3576-25-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/3576-261-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3576-23-0x00000000005A0000-0x0000000000AB4000-memory.dmp

Filesize
5.1MB

Download
memory/3576-24-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/3576-254-0x00000000074D0000-0x0000000007662000-memory.dmp

Filesize
1.6MB

Download
memory/3576-26-0x00000000057A0000-0x000000000583C000-memory.dmp

Filesize
624KB

Download
memory/3576-262-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3576-264-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3576-268-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3576-22-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/3576-270-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3576-276-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3576-33-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3576-219-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3576-35-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/3576-253-0x0000000006160000-0x0000000006388000-memory.dmp

Filesize
2.2MB

Download
memory/3576-278-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/3576-209-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/3576-274-0x0000000007C50000-0x0000000007D50000-memory.dmp

Filesize
1024KB

Download
memory/3724-237-0x0000000002DC0000-0x00000000036AB000-memory.dmp

Filesize
8.9MB

Download
memory/3724-53-0x0000000002DC0000-0x00000000036AB000-memory.dmp

Filesize
8.9MB

Download
memory/3724-234-0x00000000029B0000-0x0000000002DB5000-memory.dmp

Filesize
4.0MB

Download
memory/3724-532-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3724-52-0x00000000029B0000-0x0000000002DB5000-memory.dmp

Filesize
4.0MB

Download
memory/3724-282-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3724-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3880-210-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/3880-215-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/3892-36-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/3892-211-0x00000000024A0000-0x00000000025E3000-memory.dmp

Filesize
1.3MB

Download
memory/3892-228-0x00000000005C0000-0x00000000006E7000-memory.dmp

Filesize
1.2MB

Download
memory/3892-225-0x00000000005C0000-0x00000000006E7000-memory.dmp

Filesize
1.2MB

Download
memory/3892-229-0x00000000005C0000-0x00000000006E7000-memory.dmp

Filesize
1.2MB

Download
memory/3892-37-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/4056-434-0x0000000001000000-0x0000000001892000-memory.dmp

Filesize
8.6MB

Download
memory/4056-451-0x00000000753A0000-0x0000000075490000-memory.dmp

Filesize
960KB

Download
memory/4056-438-0x00000000753A0000-0x0000000075490000-memory.dmp

Filesize
960KB

Download
memory/4056-443-0x00000000753A0000-0x0000000075490000-memory.dmp

Filesize
960KB

Download
memory/4056-440-0x00000000753A0000-0x0000000075490000-memory.dmp

Filesize
960KB

Download
memory/4056-435-0x00000000753A0000-0x0000000075490000-memory.dmp

Filesize
960KB

Download
memory/4156-470-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/4216-584-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4216-287-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4592-439-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/4592-449-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/4736-221-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/4736-47-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/4736-50-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/4736-45-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

Filesize
1024KB

Download
memory/4800-458-0x0000000000A90000-0x0000000000AFB000-memory.dmp

Filesize
428KB

Download
memory/4924-224-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/4924-768-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/4924-636-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/4924-535-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download