glupteba | c3b536ff860e68e9a0821b133a6858aa4f985c265a2619237396a0cde8e17b6f

Analysis

max time kernel
88s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

237KB
MD5

4bf04827f621e897a1032d9b8bde68ab
SHA1

9db60a63745b44d5341df6150bf58bed781f0919
SHA256

c3b536ff860e68e9a0821b133a6858aa4f985c265a2619237396a0cde8e17b6f
SHA512

2bc1847aa32769e51f02693e39307d72e8762e5b01d4c5726f4859278ebbc21fefdcab13626ffa9ae8b848a134affadc014a5562af3a4e8f3d3f325552dbe4c1
SSDEEP

3072:JLFmtP/Al+PUvLzYJlBisZ4Omno54oiRFAVZ5OeTC8L:mtPoEPUvXwlBisZ4ZopCY3T

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

57.128.155.22:20154

Extracted

Family

lumma

http://opposesicknessopw.pw/api

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D57B.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\D57B.exe	family_zgrat_v1
behavioral2/memory/1492-23-0x0000000000C60000-0x0000000001174000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2160-53-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral2/memory/2160-54-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2160-242-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2160-281-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral2/memory/2160-428-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2160-424-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2160-544-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3240-29-0x0000000000980000-0x0000000000996000-memory.dmp	family_raccoon_v2
behavioral2/memory/3240-31-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral2/memory/3240-64-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2968-469-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

3601.exeConhost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3601.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Conhost.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2160 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3601.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Conhost.exe

pid	process
2160	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3601.exeConhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3601.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3601.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Conhost.exe

Deletes itself 1 IoCs

Processes:

pid process

3340

pid	process
3340

Executes dropped EXE 16 IoCs

Processes:

D57B.exeD6F3.exeE5F9.exeEC72.exeFF30.exeFF30.tmpmdeliverylib.exemdeliverylib.exe28E1.exe28E1.tmp3601.exeMaildelivery.exesvchost.exeMaildelivery.exeEC72.exeConhost.exe

pid	process
1492	D57B.exe
3240	D6F3.exe
3896	E5F9.exe
2160	EC72.exe
4032	FF30.exe
4772	FF30.tmp
4988	mdeliverylib.exe
1964	mdeliverylib.exe
4616	28E1.exe
3432	28E1.tmp
4560	3601.exe
2948	Maildelivery.exe
2912	svchost.exe
64	Maildelivery.exe
4648	EC72.exe
536	Conhost.exe

Loads dropped DLL 8 IoCs

Processes:

regsvr32.exeFF30.tmpD57B.exe28E1.tmp

pid process

3044 regsvr32.exe
4772 FF30.tmp
4772 FF30.tmp
4772 FF30.tmp
1492 D57B.exe
3432 28E1.tmp
3432 28E1.tmp
3432 28E1.tmp

pid	process
3044	regsvr32.exe
4772	FF30.tmp
4772	FF30.tmp
4772	FF30.tmp
1492	D57B.exe
3432	28E1.tmp
3432	28E1.tmp
3432	28E1.tmp

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3601.exe	themida
C:\Users\Admin\AppData\Local\Temp\3601.exe	themida
behavioral2/memory/4560-443-0x0000000000210000-0x0000000000AA2000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
behavioral2/memory/536-584-0x00007FF68D850000-0x00007FF68E5BE000-memory.dmp	themida
behavioral2/memory/536-586-0x00007FF68D850000-0x00007FF68E5BE000-memory.dmp	themida
behavioral2/memory/536-588-0x00007FF68D850000-0x00007FF68E5BE000-memory.dmp	themida
C:\ProgramData\Google\Chrome\updater.exe	themida
C:\ProgramData\Google\Chrome\updater.exe	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

3601.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3601.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3601.exeConhost.exe

pid process

4560 3601.exe
536 Conhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3601.exe

pid	process
4560	3601.exe
536	Conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

D57B.exesvchost.exe

description	pid	process	target process
PID 1492 set thread context of 1088	1492	D57B.exe	RegSvcs.exe
PID 2912 set thread context of 2968	2912	svchost.exe	AppLaunch.exe

Drops file in Program Files directory 64 IoCs

Processes:

FF30.tmp28E1.tmp

description	ioc	process
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-T5A00.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-1E93H.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\lessmsi\is-P5CER.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\plugins\internal\is-O3ALQ.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-RFVS3.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\uninstall\is-L701L.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-AEIDB.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-JBVDM.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-K2QS4.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-2G3K0.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-V833B.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-7UKOI.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-EJ0I3.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-P8QDR.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-DF418.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-HPMTN.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-TMSO5.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-V6LGK.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-QMPKS.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-74I4F.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-NHM9G.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-3UTR6.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-SL3EE.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-5F7L0.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5M6TU.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-LFEVQ.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-3LI8F.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-36RLF.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-FAHCN.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\plugins\internal\is-9V104.tmp	28E1.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\Maildelivery.exe	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-TO237.tmp	FF30.tmp
File opened for modification	C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-9NUGT.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-20JN7.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-I5BD3.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-MG53U.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-VCQLK.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-TGDC3.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-E35MH.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-JC79F.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-1HUOL.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-9U26G.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5BCJQ.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-F0BBK.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-680EI.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\plugins\internal\is-LO7RU.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-HD9O9.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-CPBO8.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5IEB7.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-BM08J.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-DPLEK.tmp	28E1.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-GLAMF.tmp	FF30.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-4GUGH.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-UV6IR.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-Q5US5.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-SCI8M.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-MI0JU.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-65GA3.tmp	28E1.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-QAFK4.tmp	28E1.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-BBL3S.tmp	FF30.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\bin\x86\is-D0UFC.tmp	FF30.tmp

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1564	sc.exe
1432	sc.exe
3196	sc.exe
1688	sc.exe
3200	sc.exe
4652	sc.exe
2288	sc.exe
3192	sc.exe
4012	sc.exe
4832	sc.exe
4560	sc.exe
1700	sc.exe
4632	sc.exe
4572	sc.exe
2648	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3324 1088 WerFault.exe RegSvcs.exe
4408 3240 WerFault.exe D6F3.exe

pid	pid_target	process	target process
3324	1088	WerFault.exe	RegSvcs.exe
4408	3240	WerFault.exe	D6F3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeE5F9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E5F9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E5F9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E5F9.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

408 schtasks.exe
3584 schtasks.exe

pid	process
408	schtasks.exe
3584	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

EC72.exeConhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	EC72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	EC72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	EC72.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1020	file.exe
1020	file.exe
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3340
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exeE5F9.exe

pid process

1020 file.exe
3896 E5F9.exe
3340
3340
3340
3340

pid	process
3340

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeDebugPrivilege	2968	AppLaunch.exe
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeDebugPrivilege	2160
Token: SeImpersonatePrivilege	2160

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.exeFF30.exeFF30.tmpAppLaunch.exeD57B.exe28E1.exe28E1.tmpEC72.exe

description	pid	process	target process
PID 3340 wrote to memory of 1492	3340		D57B.exe
PID 3340 wrote to memory of 1492	3340		D57B.exe
PID 3340 wrote to memory of 1492	3340		D57B.exe
PID 3340 wrote to memory of 3240	3340		D6F3.exe
PID 3340 wrote to memory of 3240	3340		D6F3.exe
PID 3340 wrote to memory of 3240	3340		D6F3.exe
PID 3340 wrote to memory of 2316	3340		regsvr32.exe
PID 3340 wrote to memory of 2316	3340		regsvr32.exe
PID 2316 wrote to memory of 3044	2316	powershell.exe	regsvr32.exe
PID 2316 wrote to memory of 3044	2316	powershell.exe	regsvr32.exe
PID 2316 wrote to memory of 3044	2316	powershell.exe	regsvr32.exe
PID 3340 wrote to memory of 3896	3340		E5F9.exe
PID 3340 wrote to memory of 3896	3340		E5F9.exe
PID 3340 wrote to memory of 3896	3340		E5F9.exe
PID 3340 wrote to memory of 2160	3340		EC72.exe
PID 3340 wrote to memory of 2160	3340		EC72.exe
PID 3340 wrote to memory of 2160	3340		EC72.exe
PID 3340 wrote to memory of 4032	3340		FF30.exe
PID 3340 wrote to memory of 4032	3340		FF30.exe
PID 3340 wrote to memory of 4032	3340		FF30.exe
PID 4032 wrote to memory of 4772	4032	FF30.exe	FF30.tmp
PID 4032 wrote to memory of 4772	4032	FF30.exe	FF30.tmp
PID 4032 wrote to memory of 4772	4032	FF30.exe	FF30.tmp
PID 4772 wrote to memory of 980	4772	FF30.tmp	schtasks.exe
PID 4772 wrote to memory of 980	4772	FF30.tmp	schtasks.exe
PID 4772 wrote to memory of 980	4772	FF30.tmp	schtasks.exe
PID 4772 wrote to memory of 4988	4772	FF30.tmp	mdeliverylib.exe
PID 4772 wrote to memory of 4988	4772	FF30.tmp	mdeliverylib.exe
PID 4772 wrote to memory of 4988	4772	FF30.tmp	mdeliverylib.exe
PID 4772 wrote to memory of 2968	4772	FF30.tmp	AppLaunch.exe
PID 4772 wrote to memory of 2968	4772	FF30.tmp	AppLaunch.exe
PID 4772 wrote to memory of 2968	4772	FF30.tmp	AppLaunch.exe
PID 4772 wrote to memory of 1964	4772	FF30.tmp	mdeliverylib.exe
PID 4772 wrote to memory of 1964	4772	FF30.tmp	mdeliverylib.exe
PID 4772 wrote to memory of 1964	4772	FF30.tmp	mdeliverylib.exe
PID 2968 wrote to memory of 4608	2968	AppLaunch.exe	net1.exe
PID 2968 wrote to memory of 4608	2968	AppLaunch.exe	net1.exe
PID 2968 wrote to memory of 4608	2968	AppLaunch.exe	net1.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 1492 wrote to memory of 1088	1492	D57B.exe	RegSvcs.exe
PID 3340 wrote to memory of 4616	3340		28E1.exe
PID 3340 wrote to memory of 4616	3340		28E1.exe
PID 3340 wrote to memory of 4616	3340		28E1.exe
PID 4616 wrote to memory of 3432	4616	28E1.exe	28E1.tmp
PID 4616 wrote to memory of 3432	4616	28E1.exe	28E1.tmp
PID 4616 wrote to memory of 3432	4616	28E1.exe	28E1.tmp
PID 3340 wrote to memory of 4560	3340		3601.exe
PID 3340 wrote to memory of 4560	3340		3601.exe
PID 3340 wrote to memory of 4560	3340		3601.exe
PID 3432 wrote to memory of 1768	3432	28E1.tmp	schtasks.exe
PID 3432 wrote to memory of 1768	3432	28E1.tmp	schtasks.exe
PID 3432 wrote to memory of 1768	3432	28E1.tmp	schtasks.exe
PID 3432 wrote to memory of 2948	3432	28E1.tmp	Maildelivery.exe
PID 3432 wrote to memory of 2948	3432	28E1.tmp	Maildelivery.exe
PID 3432 wrote to memory of 2948	3432	28E1.tmp	Maildelivery.exe
PID 2160 wrote to memory of 2316	2160	EC72.exe	powershell.exe
PID 2160 wrote to memory of 2316	2160	EC72.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1020

C:\Users\Admin\AppData\Local\Temp\D57B.exe
C:\Users\Admin\AppData\Local\Temp\D57B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 760
3⤵
- Program crash
PID:3324

C:\Users\Admin\AppData\Local\Temp\D6F3.exe
C:\Users\Admin\AppData\Local\Temp\D6F3.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 7948
2⤵
- Program crash
PID:4408

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DD5D.dll
1⤵
PID:2316

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\DD5D.dll
2⤵
- Loads dropped DLL
PID:3044

C:\Users\Admin\AppData\Local\Temp\E5F9.exe
C:\Users\Admin\AppData\Local\Temp\E5F9.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3896

C:\Users\Admin\AppData\Local\Temp\EC72.exe
C:\Users\Admin\AppData\Local\Temp\EC72.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\EC72.exe
"C:\Users\Admin\AppData\Local\Temp\EC72.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:2704

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4024

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:2856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3860

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:408

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:468

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:4960

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:4652

C:\Users\Admin\AppData\Local\Temp\FF30.exe
C:\Users\Admin\AppData\Local\Temp\FF30.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\is-Q94OV.tmp\FF30.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q94OV.tmp\FF30.tmp" /SL5="$C007C,7932209,54272,C:\Users\Admin\AppData\Local\Temp\FF30.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:980

C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe
"C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe" -i
3⤵
- Executes dropped EXE
PID:4988

C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe
"C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe" -s
3⤵
- Executes dropped EXE
PID:1964

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
3⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
4⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1088 -ip 1088
1⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\28E1.exe
C:\Users\Admin\AppData\Local\Temp\28E1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\is-2TAD1.tmp\28E1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2TAD1.tmp\28E1.tmp" /SL5="$800DC,7905477,54272,C:\Users\Admin\AppData\Local\Temp\28E1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:1768

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -i
3⤵
- Executes dropped EXE
PID:2948

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -s
3⤵
- Executes dropped EXE
PID:64

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
3⤵
PID:4716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
4⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\3601.exe
C:\Users\Admin\AppData\Local\Temp\3601.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4560

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3240 -ip 3240
1⤵
PID:4284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3976

C:\Users\Admin\AppData\Local\Temp\39FA.exe
C:\Users\Admin\AppData\Local\Temp\39FA.exe
1⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
3⤵
PID:536

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
PID:4608

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:3624

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:416

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4560

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:1700

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Modifies data under HKEY_USERS
PID:1060

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:1688

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:2408

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:1284

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:1564

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:3220

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:4980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2648

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:4012

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2912

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:508

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
PID:2512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:2752

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1432

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:536

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:4832

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:5036

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:2040

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3012

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:3148

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:3584

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:2336

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe

Filesize
3.5MB

MD5
b059487c088313cc077fadae5ed4f6e6

SHA1
1ecdfc58d1949fa96302232a9021acd6192fe9c0

SHA256
3cb709f9a03313d8a89a5628f9f43de69adadb27b657b9631c1460f0640f0344

SHA512
59c20706353889691d257f6603decd6159b40c1ba546e0bb70b95359962e2d69b76c63ef82a1d6f5a8bf877793abefe9661f8e5b30cc0e19b8430e20366368d5

Download Submit
C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe

Filesize
3.5MB

MD5
b059487c088313cc077fadae5ed4f6e6

SHA1
1ecdfc58d1949fa96302232a9021acd6192fe9c0

SHA256
3cb709f9a03313d8a89a5628f9f43de69adadb27b657b9631c1460f0640f0344

SHA512
59c20706353889691d257f6603decd6159b40c1ba546e0bb70b95359962e2d69b76c63ef82a1d6f5a8bf877793abefe9661f8e5b30cc0e19b8430e20366368d5

Download Submit
C:\Program Files (x86)\MDeliveryLIB\mdeliverylib.exe

Filesize
3.5MB

MD5
b059487c088313cc077fadae5ed4f6e6

SHA1
1ecdfc58d1949fa96302232a9021acd6192fe9c0

SHA256
3cb709f9a03313d8a89a5628f9f43de69adadb27b657b9631c1460f0640f0344

SHA512
59c20706353889691d257f6603decd6159b40c1ba546e0bb70b95359962e2d69b76c63ef82a1d6f5a8bf877793abefe9661f8e5b30cc0e19b8430e20366368d5

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\bin\x86\is-HJQAI.tmp

Filesize
110KB

MD5
bdb65dce335ac29eccbc2ca7a7ad36b7

SHA1
ce7678dcf7af0dbf9649b660db63db87325e6f69

SHA256
7ec9ee07bfd67150d1bc26158000436b63ca8dbb2623095c049e06091fa374c3

SHA512
8aabca6be47a365acd28df8224f9b9b5e1654f67e825719286697fb9e1b75478dddf31671e3921f06632eed5bb3dda91d81e48d4550c2dcd8e2404d566f1bc29

Download Submit
C:\Program Files (x86)\Maildelivery\stuff\is-MG53U.tmp

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Program Files (x86)\Maildelivery\stuff\is-RFOUI.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\ProgramData\SHelperTrack\SHelperTrack.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\ProgramData\resource.dat

Filesize
128B

MD5
785bb7f0b0cef59c39b9f5e21cd2fd04

SHA1
1e1ffdee1584a00bde18bd7bd19c02988301c250

SHA256
90b35ec0c6b41acec2c9bb51cddcb6339fb035c222766a4ca4cbb15b7a7d8853

SHA512
6d2449e111f7f059734960b83b0b090a7239ee2d93eb70f839ecddaa640658b90667f123cfb4fe8e0f5dc0a854a47b62aa2fcaf971d08b9118cac840dbf999eb

Download Submit
C:\ProgramData\ts.dat

Filesize
8B

MD5
2397bc9861942283c65887c37794d068

SHA1
cee6cdd3aac5e5b6f3004d6b551f9259aef54edb

SHA256
3aad4ca2e879df8404bcc9046383c31a94ea1e951da2df82ead08ab831d9c2c3

SHA512
ecfe752a0bb9d2c9ac00af51223a94b2e05bf5d833dacf8856293a44c539b83ff3f4f6f5ce902954753b303aaf5fab88a3406c83bb6f91e859832f392427abb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\28E1.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\28E1.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3601.exe

Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3601.exe

Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\39FA.exe

Filesize
439KB

MD5
b51bc8f85b7ba047b35022f505066b72

SHA1
4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a

SHA256
fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757

SHA512
7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\39FA.exe

Filesize
439KB

MD5
b51bc8f85b7ba047b35022f505066b72

SHA1
4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a

SHA256
fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757

SHA512
7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\D57B.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D57B.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6F3.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6F3.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD5D.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD5D.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5F9.exe

Filesize
230KB

MD5
5d41949bed012250026e0d4b090c1687

SHA1
bdc468f92299a309a041d7d1ee21a07066e738be

SHA256
0a74a18fe824e8366e19583d77ec32e4d9d1ed3c8e7268b93405ca7184741653

SHA512
07faae9abd5b1a473c04bdc3585c229887e4459365ff66eb8b19788b628d75e44062d3dfe3f6640186d53997d221fc3a7508619f61b8ae1f84394927b8e0c52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5F9.exe

Filesize
230KB

MD5
5d41949bed012250026e0d4b090c1687

SHA1
bdc468f92299a309a041d7d1ee21a07066e738be

SHA256
0a74a18fe824e8366e19583d77ec32e4d9d1ed3c8e7268b93405ca7184741653

SHA512
07faae9abd5b1a473c04bdc3585c229887e4459365ff66eb8b19788b628d75e44062d3dfe3f6640186d53997d221fc3a7508619f61b8ae1f84394927b8e0c52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC72.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC72.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC72.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF30.exe

Filesize
7.8MB

MD5
694d97658ad3c64671a08dd5e096de95

SHA1
fd00300f089e866183d78de4faa129f779a159a2

SHA256
65243d77df2822bbdf43ab71d5cccf077279da57a664f63c0912673c8541bb78

SHA512
1c5c6428b7acea709e49e07fc8e9905c0897019bf33bf32fd68e7005361ca89f88ea9575b7476e73d4ade35e8d4a260b4a6bd55efe0c5bd89b6380cde459c45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF30.exe

Filesize
7.8MB

MD5
694d97658ad3c64671a08dd5e096de95

SHA1
fd00300f089e866183d78de4faa129f779a159a2

SHA256
65243d77df2822bbdf43ab71d5cccf077279da57a664f63c0912673c8541bb78

SHA512
1c5c6428b7acea709e49e07fc8e9905c0897019bf33bf32fd68e7005361ca89f88ea9575b7476e73d4ade35e8d4a260b4a6bd55efe0c5bd89b6380cde459c45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xep3okhp.znj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2TAD1.tmp\28E1.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2TAD1.tmp\28E1.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3D0BJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3D0BJ.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3D0BJ.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETAGC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETAGC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETAGC.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETAGC.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETAGC.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETAGC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q94OV.tmp\FF30.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q94OV.tmp\FF30.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
b0161afbab78849d10cb7d3f00bb4ec3

SHA1
542faa594a2a90b9f37c290a5d6a39bf776ce380

SHA256
aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684

SHA512
84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc

Download Submit
C:\Users\Admin\AppData\Roaming\uhwtbjr

Filesize
230KB

MD5
5d41949bed012250026e0d4b090c1687

SHA1
bdc468f92299a309a041d7d1ee21a07066e738be

SHA256
0a74a18fe824e8366e19583d77ec32e4d9d1ed3c8e7268b93405ca7184741653

SHA512
07faae9abd5b1a473c04bdc3585c229887e4459365ff66eb8b19788b628d75e44062d3dfe3f6640186d53997d221fc3a7508619f61b8ae1f84394927b8e0c52f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
fd028fea523deeb4800655fa298437af

SHA1
3630fef6612f3f94f07c04c3ee9b9023996e4212

SHA256
b9879b71f5d8314e8ed0fb8697cdba3c38a00b0a315dedaea5f2fa00f205f9f9

SHA512
a3ef58ae46f703732a06073167a83dc06898e5c53dd2e9eef1b2fd0f106232150a86465c0b968278fabe8cc8841eefb8bf66a8d814bdb5981d16a6b867446ad6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
68f7b9256e00fe15fb934a4898ae31d5

SHA1
b98b8aaeb02c9e5a29a50cc910e73d1800f62093

SHA256
d7a3d954e8882aa05112262b4945cc27bcce1331e6ae5653ac40dcb70c68ddc4

SHA512
95a611416323f0047d9bbdd1a3df31752603be44a44c2b02183a888d146ea99cc88a5f8b9a811b2f9fab84a8dbd3014df0961d693c790fddf0bfda8fb2cb16a1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
72e87a054d5e586eb5abcc3abdc8ca0e

SHA1
e7b9971917c48530bd68b1cc63e6dec1f841ffac

SHA256
485b8c79b645ac9e5fc23be42b2a67dbae6c09b0a00871fddbffb8f80f821435

SHA512
eeab71f0ebc40a0293bc651a920958d92889ac5777ca5066f0322f0147a311a1bc85db8a6294a58f8fbc7db89970cd49bdb62fe0e86bbf7e207356c4468f35a9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
fda2aabc0ca13f4bd713feb7946aab53

SHA1
7fa55179264ef48fca3759062c5857a764d8f22f

SHA256
0749960178173d22d7712b4963fe39d0ca495dbc1dc506b5f45babcc45214b65

SHA512
621ed39b8c2e68f83bd0fccff2c6aacfc8fcdda5a94cbe8bc9da9825a92d7470ff0e3c2f88b4925109e8393ed54913c8355f238246fb9945cd8d12d20b89413e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2887eee848d772b1c9d820c9a660bc2b

SHA1
22aa75146b53c34a62ce503bc02f66d06fb73f38

SHA256
6ff0b264594fdac72c7879fdbb2ea3ba636405a3180de968cc83f13fa1d66b85

SHA512
35091f50063478e1103781c6a7da5535cc5522e9021e4b3d8f5453caa93ff1727a98cdab99a99de6413a977380302f1b54a26b312b17da195a675297c27ca4b3

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
5d920278e0c6a27628803b31a19aa70c

SHA1
404ba085ddb7f6f7a4577f758bc0e3fbbd95eac6

SHA256
fd5e43111ccc8e390ce0f91e81bd0ea7043f4b4ef5a5f8830c7bc2f8a9e28831

SHA512
f597605024be8e2c741e953bee18e71cc46828df67a862f27a00d0718119f33e2dcbb9af3d90dd77b459780497ae95edf470807ffe10d382d5b27fadb1447128

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/64-440-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/64-610-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/64-554-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/64-503-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/536-588-0x00007FF68D850000-0x00007FF68E5BE000-memory.dmp

Filesize
13.4MB

Download
memory/536-586-0x00007FF68D850000-0x00007FF68E5BE000-memory.dmp

Filesize
13.4MB

Download
memory/536-584-0x00007FF68D850000-0x00007FF68E5BE000-memory.dmp

Filesize
13.4MB

Download
memory/1020-6-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/1020-1-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/1020-3-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/1020-2-0x0000000002460000-0x000000000246B000-memory.dmp

Filesize
44KB

Download
memory/1088-238-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1088-237-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1088-236-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1088-253-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1492-42-0x0000000005D80000-0x0000000005D8A000-memory.dmp

Filesize
40KB

Download
memory/1492-223-0x0000000006750000-0x0000000006978000-memory.dmp

Filesize
2.2MB

Download
memory/1492-240-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-26-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/1492-22-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-232-0x0000000005DC0000-0x0000000005DD0000-memory.dmp

Filesize
64KB

Download
memory/1492-225-0x0000000007AC0000-0x0000000007C52000-memory.dmp

Filesize
1.6MB

Download
memory/1492-23-0x0000000000C60000-0x0000000001174000-memory.dmp

Filesize
5.1MB

Download
memory/1492-41-0x0000000005EF0000-0x0000000005F00000-memory.dmp

Filesize
64KB

Download
memory/1492-30-0x0000000005DD0000-0x0000000005E6C000-memory.dmp

Filesize
624KB

Download
memory/1492-221-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-24-0x0000000006030000-0x00000000065D4000-memory.dmp

Filesize
5.6MB

Download
memory/1796-452-0x00000000010D0000-0x00000000010DC000-memory.dmp

Filesize
48KB

Download
memory/1964-551-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1964-501-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1964-484-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1964-252-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1964-609-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1964-430-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/2160-53-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/2160-428-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2160-544-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2160-281-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/2160-52-0x0000000002A90000-0x0000000002E96000-memory.dmp

Filesize
4.0MB

Download
memory/2160-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2160-424-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2160-260-0x0000000002A90000-0x0000000002E96000-memory.dmp

Filesize
4.0MB

Download
memory/2160-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2316-495-0x0000000005590000-0x00000000058E4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-490-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/2316-442-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/2316-444-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/2316-448-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2316-456-0x0000000004C10000-0x0000000005238000-memory.dmp

Filesize
6.2MB

Download
memory/2316-498-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/2316-477-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/2316-483-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/2948-425-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/2948-418-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/2968-491-0x0000000007EF0000-0x0000000007F00000-memory.dmp

Filesize
64KB

Download
memory/2968-497-0x0000000007F80000-0x0000000007FCC000-memory.dmp

Filesize
304KB

Download
memory/2968-496-0x0000000007F40000-0x0000000007F7C000-memory.dmp

Filesize
240KB

Download
memory/2968-469-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2968-476-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3044-206-0x00000000026F0000-0x0000000002833000-memory.dmp

Filesize
1.3MB

Download
memory/3044-38-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/3044-39-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/3044-216-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/3044-241-0x0000000002840000-0x0000000002967000-memory.dmp

Filesize
1.2MB

Download
memory/3044-231-0x0000000002840000-0x0000000002967000-memory.dmp

Filesize
1.2MB

Download
memory/3044-235-0x0000000002840000-0x0000000002967000-memory.dmp

Filesize
1.2MB

Download
memory/3240-31-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3240-27-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/3240-249-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/3240-29-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/3240-64-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3340-4-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/3340-55-0x0000000002A90000-0x0000000002AA6000-memory.dmp

Filesize
88KB

Download
memory/3432-310-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3432-474-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3896-58-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/3896-44-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/3896-45-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/3896-46-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/3976-439-0x0000000001290000-0x00000000012FB000-memory.dmp

Filesize
428KB

Download
memory/3976-492-0x0000000001290000-0x00000000012FB000-memory.dmp

Filesize
428KB

Download
memory/3976-437-0x0000000001290000-0x00000000012FB000-memory.dmp

Filesize
428KB

Download
memory/4032-251-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4032-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4032-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4560-434-0x0000000076AE0000-0x0000000076BD0000-memory.dmp

Filesize
960KB

Download
memory/4560-489-0x0000000007CB0000-0x0000000007DBA000-memory.dmp

Filesize
1.0MB

Download
memory/4560-412-0x0000000000210000-0x0000000000AA2000-memory.dmp

Filesize
8.6MB

Download
memory/4560-414-0x0000000076AE0000-0x0000000076BD0000-memory.dmp

Filesize
960KB

Download
memory/4560-436-0x0000000076AE0000-0x0000000076BD0000-memory.dmp

Filesize
960KB

Download
memory/4560-417-0x0000000076AE0000-0x0000000076BD0000-memory.dmp

Filesize
960KB

Download
memory/4560-438-0x0000000077754000-0x0000000077756000-memory.dmp

Filesize
8KB

Download
memory/4560-443-0x0000000000210000-0x0000000000AA2000-memory.dmp

Filesize
8.6MB

Download
memory/4560-493-0x0000000007BD0000-0x0000000007BE2000-memory.dmp

Filesize
72KB

Download
memory/4560-475-0x0000000008A50000-0x0000000009068000-memory.dmp

Filesize
6.1MB

Download
memory/4560-415-0x0000000076AE0000-0x0000000076BD0000-memory.dmp

Filesize
960KB

Download
memory/4616-473-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4616-258-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4772-441-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4772-87-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4772-277-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4988-220-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/4988-217-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download