glupteba | 302d7fd05e821680b9e819ae8d8bb3971b2e0a14a98364a8570b12ab8ecbc395

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2023 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b684b3b90e0331574001083a3725195.exe
Size

230KB
MD5

0b684b3b90e0331574001083a3725195
SHA1

2501008667a64eab4b820e86faf5f724c6c8af86
SHA256

302d7fd05e821680b9e819ae8d8bb3971b2e0a14a98364a8570b12ab8ecbc395
SHA512

da31250d56d5595e77919712521590d0f09210c80e1e09fd62d2ef4ff95196075864d60d10d7ef2e35351e8b1cd04aa832c4a91ba51ad3d1e8d9322d2c626a99
SSDEEP

3072:G3pXYCsXWAeDKjNJD4wYEsK/hcvRZwqoGiWHFK:6pXNsGAE4/hcfwqBH

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

57.128.155.22:20154

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

lumma

http://opposesicknessopw.pw/api

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F51E.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\F51E.exe	family_zgrat_v1
behavioral2/memory/4284-23-0x00000000002D0000-0x00000000007E4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/768-82-0x0000000002E90000-0x000000000377B000-memory.dmp	family_glupteba
behavioral2/memory/768-83-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/768-346-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/768-379-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2408-495-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4844-603-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4844-614-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4844-623-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4844-628-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4844-638-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1848-31-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral2/memory/1848-29-0x00000000008F0000-0x0000000000906000-memory.dmp	family_raccoon_v2
behavioral2/memory/1848-84-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1116-58-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

FEC6.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ FEC6.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4780 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FEC6.exe

pid	process
4780	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FEC6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FEC6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FEC6.exe

Deletes itself 1 IoCs

Processes:

pid process

3280

pid	process
3280

Executes dropped EXE 16 IoCs

Processes:

F51E.exeF648.exeFEC6.exe6C.exeA22.exe100E.exe1BA8.exe1BA8.tmpVoicemeeter.exeVoicemeeter.exe100E.execsrss.exeinjector.exewindefender.exewindefender.exef801950a962ddba14caaa44bf084b55c.exe

pid	process
4284	F51E.exe
1848	F648.exe
4972	FEC6.exe
4372	6C.exe
2868	A22.exe
768	100E.exe
4652	1BA8.exe
3488	1BA8.tmp
228	Voicemeeter.exe
2904	Voicemeeter.exe
2408	100E.exe
4844	csrss.exe
2296	injector.exe
4208	windefender.exe
728	windefender.exe
4720	f801950a962ddba14caaa44bf084b55c.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exe1BA8.tmpF51E.exe

pid process

2732 regsvr32.exe
3488 1BA8.tmp
3488 1BA8.tmp
3488 1BA8.tmp
4284 F51E.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2732	regsvr32.exe
3488	1BA8.tmp
3488	1BA8.tmp
3488	1BA8.tmp
4284	F51E.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FEC6.exe	themida
C:\Users\Admin\AppData\Local\Temp\FEC6.exe	themida
behavioral2/memory/4972-57-0x0000000000170000-0x0000000000A02000-memory.dmp	themida

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/4208-620-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/728-624-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

100E.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	100E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FEC6.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FEC6.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FEC6.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

FEC6.exe

pid process

4972 FEC6.exe

pid	process
4972	FEC6.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6C.exeF51E.exe

description	pid	process	target process
PID 4372 set thread context of 1116	4372	6C.exe	AppLaunch.exe
PID 4284 set thread context of 740	4284	F51E.exe	RegSvcs.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

100E.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 100E.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	100E.exe

Drops file in Program Files directory 63 IoCs

Processes:

1BA8.tmp

description	ioc	process
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-Q7FTC.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-KF44K.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-V8AD9.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-VBNP5.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-UK18G.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\stuff\is-PEUD4.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-JUOAN.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-M0UGN.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-8JP77.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-24AA4.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-H0PPM.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-FGEG2.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-KHD8B.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-2R47C.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-99NBK.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\stuff\is-AIBJR.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-RR3OH.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-MKK23.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\plugins\internal\is-10AIN.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\uninstall\is-C86OT.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-OND3U.tmp	1BA8.tmp
File opened for modification	C:\Program Files (x86)\Voicemeeter\uninstall\unins000.dat	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-B6BAC.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-R4S82.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-GHFJ3.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\plugins\internal\is-4HL39.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-GA38M.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-K8JF0.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\lessmsi\is-G4DBI.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-5FS3M.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-KQ6MI.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-EFBSS.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-D1QO9.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-11NOR.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-69HIB.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-FC443.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-MIOQM.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-5FF8K.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\stuff\is-TD391.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-TA5VK.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-MR4UN.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-MUV8K.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-8LFJ3.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-KVOIF.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-1RHPR.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-LMK64.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-9FPA5.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-N66L9.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\is-F3F77.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\uninstall\unins000.dat	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-QVTG0.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-064RR.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\stuff\is-5KHRQ.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-E9OEV.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-4BCQ8.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-F3SGL.tmp	1BA8.tmp
File opened for modification	C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-KJ1PF.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-GD3TJ.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-0IMIG.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-BK6DU.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-FE8CP.tmp	1BA8.tmp
File created	C:\Program Files (x86)\Voicemeeter\bin\x86\is-IOB9N.tmp	1BA8.tmp

Drops file in Windows directory 4 IoCs

Processes:

csrss.exe100E.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	100E.exe
File created	C:\Windows\rss\csrss.exe	100E.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4176 sc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2948 740 WerFault.exe RegSvcs.exe
3544 1848 WerFault.exe F648.exe

pid	process
4176	sc.exe

pid	pid_target	process	target process
2948	740	WerFault.exe	RegSvcs.exe
3544	1848	WerFault.exe	F648.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

A22.exe0b684b3b90e0331574001083a3725195.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A22.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b684b3b90e0331574001083a3725195.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b684b3b90e0331574001083a3725195.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b684b3b90e0331574001083a3725195.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A22.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4636 schtasks.exe
3844 schtasks.exe

pid	process
4636	schtasks.exe
3844	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

100E.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	100E.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	100E.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	100E.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0b684b3b90e0331574001083a3725195.exe

pid	process
2916	0b684b3b90e0331574001083a3725195.exe
2916	0b684b3b90e0331574001083a3725195.exe
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280
3280

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

0b684b3b90e0331574001083a3725195.exeA22.exe

pid process

2916 0b684b3b90e0331574001083a3725195.exe
3280
3280
3280
3280
2868 A22.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FEC6.exepowershell.exeAppLaunch.exe100E.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	4972	FEC6.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	540	powershell.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	1116	AppLaunch.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	768	100E.exe
Token: SeImpersonatePrivilege	768	100E.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	320	powershell.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeShutdownPrivilege	3280
Token: SeCreatePagefilePrivilege	3280

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1BA8.tmp

pid process

3488 1BA8.tmp

pid	process
3488	1BA8.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe6C.exe1BA8.exe1BA8.tmpF51E.exe

description	pid	process	target process
PID 3280 wrote to memory of 4284	3280		F51E.exe
PID 3280 wrote to memory of 4284	3280		F51E.exe
PID 3280 wrote to memory of 4284	3280		F51E.exe
PID 3280 wrote to memory of 1848	3280		F648.exe
PID 3280 wrote to memory of 1848	3280		F648.exe
PID 3280 wrote to memory of 1848	3280		F648.exe
PID 3280 wrote to memory of 4056	3280		regsvr32.exe
PID 3280 wrote to memory of 4056	3280		regsvr32.exe
PID 4056 wrote to memory of 2732	4056	regsvr32.exe	regsvr32.exe
PID 4056 wrote to memory of 2732	4056	regsvr32.exe	regsvr32.exe
PID 4056 wrote to memory of 2732	4056	regsvr32.exe	regsvr32.exe
PID 3280 wrote to memory of 4972	3280		FEC6.exe
PID 3280 wrote to memory of 4972	3280		FEC6.exe
PID 3280 wrote to memory of 4972	3280		FEC6.exe
PID 3280 wrote to memory of 4372	3280		6C.exe
PID 3280 wrote to memory of 4372	3280		6C.exe
PID 3280 wrote to memory of 4372	3280		6C.exe
PID 4372 wrote to memory of 540	4372	6C.exe	powershell.exe
PID 4372 wrote to memory of 540	4372	6C.exe	powershell.exe
PID 4372 wrote to memory of 540	4372	6C.exe	powershell.exe
PID 4372 wrote to memory of 3176	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 3176	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 3176	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 4372 wrote to memory of 1116	4372	6C.exe	AppLaunch.exe
PID 3280 wrote to memory of 2868	3280		A22.exe
PID 3280 wrote to memory of 2868	3280		A22.exe
PID 3280 wrote to memory of 2868	3280		A22.exe
PID 3280 wrote to memory of 768	3280		100E.exe
PID 3280 wrote to memory of 768	3280		100E.exe
PID 3280 wrote to memory of 768	3280		100E.exe
PID 3280 wrote to memory of 4652	3280		1BA8.exe
PID 3280 wrote to memory of 4652	3280		1BA8.exe
PID 3280 wrote to memory of 4652	3280		1BA8.exe
PID 3280 wrote to memory of 1844	3280		explorer.exe
PID 3280 wrote to memory of 1844	3280		explorer.exe
PID 3280 wrote to memory of 1844	3280		explorer.exe
PID 3280 wrote to memory of 1844	3280		explorer.exe
PID 4652 wrote to memory of 3488	4652	1BA8.exe	1BA8.tmp
PID 4652 wrote to memory of 3488	4652	1BA8.exe	1BA8.tmp
PID 4652 wrote to memory of 3488	4652	1BA8.exe	1BA8.tmp
PID 3280 wrote to memory of 4864	3280		powershell.exe
PID 3280 wrote to memory of 4864	3280		powershell.exe
PID 3280 wrote to memory of 4864	3280		powershell.exe
PID 3488 wrote to memory of 1780	3488	1BA8.tmp	schtasks.exe
PID 3488 wrote to memory of 1780	3488	1BA8.tmp	schtasks.exe
PID 3488 wrote to memory of 1780	3488	1BA8.tmp	schtasks.exe
PID 3488 wrote to memory of 228	3488	1BA8.tmp	Voicemeeter.exe
PID 3488 wrote to memory of 228	3488	1BA8.tmp	Voicemeeter.exe
PID 3488 wrote to memory of 228	3488	1BA8.tmp	Voicemeeter.exe
PID 3488 wrote to memory of 3484	3488	1BA8.tmp	net.exe
PID 3488 wrote to memory of 3484	3488	1BA8.tmp	net.exe
PID 3488 wrote to memory of 3484	3488	1BA8.tmp	net.exe
PID 3488 wrote to memory of 2904	3488	1BA8.tmp	Voicemeeter.exe
PID 3488 wrote to memory of 2904	3488	1BA8.tmp	Voicemeeter.exe
PID 3488 wrote to memory of 2904	3488	1BA8.tmp	Voicemeeter.exe
PID 4284 wrote to memory of 1980	4284	F51E.exe	RegSvcs.exe
PID 4284 wrote to memory of 1980	4284	F51E.exe	RegSvcs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0b684b3b90e0331574001083a3725195.exe
"C:\Users\Admin\AppData\Local\Temp\0b684b3b90e0331574001083a3725195.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2916

C:\Users\Admin\AppData\Local\Temp\F51E.exe
C:\Users\Admin\AppData\Local\Temp\F51E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 772
3⤵
- Program crash
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\F648.exe
C:\Users\Admin\AppData\Local\Temp\F648.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 7300
2⤵
- Program crash
PID:3544

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FB5A.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\FB5A.dll
2⤵
- Loads dropped DLL
PID:2732

C:\Users\Admin\AppData\Local\Temp\FEC6.exe
C:\Users\Admin\AppData\Local\Temp\FEC6.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\6C.exe
C:\Users\Admin\AppData\Local\Temp\6C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\A22.exe
C:\Users\Admin\AppData\Local\Temp\A22.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2868

C:\Users\Admin\AppData\Local\Temp\100E.exe
C:\Users\Admin\AppData\Local\Temp\100E.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\AppData\Local\Temp\100E.exe
"C:\Users\Admin\AppData\Local\Temp\100E.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:220

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:4844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:384

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:2296

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3844

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:4208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:780

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:4176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4400

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
4⤵
- Executes dropped EXE
PID:4720

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "csrss" /f
5⤵
PID:3104

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "ScheduledUpdate" /f
5⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\1BA8.exe
C:\Users\Admin\AppData\Local\Temp\1BA8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\is-U4H9O.tmp\1BA8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U4H9O.tmp\1BA8.tmp" /SL5="$80160,7457838,54272,C:\Users\Admin\AppData\Local\Temp\1BA8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3488

C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe
"C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe" -s
3⤵
- Executes dropped EXE
PID:2904

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 9
3⤵
PID:3484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 9
4⤵
PID:924

C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe
"C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe" -i
3⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:1780

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 740 -ip 740
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1848 -ip 1848
1⤵
PID:4156

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe
Filesize
2.6MB

MD5
2591f0ad0f8ff08d0550796c02fdc313

SHA1
6f91cc970f1a2096f535b943fbe14db2db8aa225

SHA256
bc3ec0b45fb34a2860f643e5aed8e4107112637016553e4228d0e27daf621c59

SHA512
546148b7a030c190fdd237cfb686d7219c4dd21f8cd514a92d4377928496c536f2a0942c45478c710d0263b33f97d91642426ec6bea94d4c61fe943e28e4beee

Download Submit
C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe
Filesize
2.6MB

MD5
2591f0ad0f8ff08d0550796c02fdc313

SHA1
6f91cc970f1a2096f535b943fbe14db2db8aa225

SHA256
bc3ec0b45fb34a2860f643e5aed8e4107112637016553e4228d0e27daf621c59

SHA512
546148b7a030c190fdd237cfb686d7219c4dd21f8cd514a92d4377928496c536f2a0942c45478c710d0263b33f97d91642426ec6bea94d4c61fe943e28e4beee

Download Submit
C:\Program Files (x86)\Voicemeeter\Voicemeeter.exe
Filesize
2.6MB

MD5
2591f0ad0f8ff08d0550796c02fdc313

SHA1
6f91cc970f1a2096f535b943fbe14db2db8aa225

SHA256
bc3ec0b45fb34a2860f643e5aed8e4107112637016553e4228d0e27daf621c59

SHA512
546148b7a030c190fdd237cfb686d7219c4dd21f8cd514a92d4377928496c536f2a0942c45478c710d0263b33f97d91642426ec6bea94d4c61fe943e28e4beee

Download Submit
C:\Users\Admin\AppData\Local\Temp\100E.exe
Filesize
4.1MB

MD5
c4608c866d9ec5bf3017b79c1079b849

SHA1
e4cf1221ce9fe6df0bed752b086bbfafca10db89

SHA256
d3b5698e6fb8e79031eeb53d0b39d27a1e3e7b8d81fa23ca5680c1e2dff45153

SHA512
98ba84eeb710ceca04f1a2e8de6d16ef0d4e5d7da135454786139ff9c889947b8f99739971426f0e288413de5e766649a9aa0e7dce8ae567c743fbe9ee4a1bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\100E.exe
Filesize
4.1MB

MD5
c4608c866d9ec5bf3017b79c1079b849

SHA1
e4cf1221ce9fe6df0bed752b086bbfafca10db89

SHA256
d3b5698e6fb8e79031eeb53d0b39d27a1e3e7b8d81fa23ca5680c1e2dff45153

SHA512
98ba84eeb710ceca04f1a2e8de6d16ef0d4e5d7da135454786139ff9c889947b8f99739971426f0e288413de5e766649a9aa0e7dce8ae567c743fbe9ee4a1bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\100E.exe
Filesize
4.1MB

MD5
c4608c866d9ec5bf3017b79c1079b849

SHA1
e4cf1221ce9fe6df0bed752b086bbfafca10db89

SHA256
d3b5698e6fb8e79031eeb53d0b39d27a1e3e7b8d81fa23ca5680c1e2dff45153

SHA512
98ba84eeb710ceca04f1a2e8de6d16ef0d4e5d7da135454786139ff9c889947b8f99739971426f0e288413de5e766649a9aa0e7dce8ae567c743fbe9ee4a1bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BA8.exe
Filesize
7.4MB

MD5
6d3d953da9c309e176c73722ed56b35c

SHA1
42b5501d075958bbe520aa0bcd4f37a89801e0f9

SHA256
b96894ab2fbe821800a94e727dc16ac4a6c8822c554da225d837ecb063f7e31f

SHA512
e76de2f17eae3feb8ccb4b84b27960dab5c4e7524f594fd400080d5a5d80f2d4d7472f66947571aabe95bfd71a83b054aead50ae50ec9cefbcf883688e08ee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BA8.exe
Filesize
7.4MB

MD5
6d3d953da9c309e176c73722ed56b35c

SHA1
42b5501d075958bbe520aa0bcd4f37a89801e0f9

SHA256
b96894ab2fbe821800a94e727dc16ac4a6c8822c554da225d837ecb063f7e31f

SHA512
e76de2f17eae3feb8ccb4b84b27960dab5c4e7524f594fd400080d5a5d80f2d4d7472f66947571aabe95bfd71a83b054aead50ae50ec9cefbcf883688e08ee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C.exe
Filesize
439KB

MD5
b51bc8f85b7ba047b35022f505066b72

SHA1
4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a

SHA256
fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757

SHA512
7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C.exe
Filesize
439KB

MD5
b51bc8f85b7ba047b35022f505066b72

SHA1
4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a

SHA256
fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757

SHA512
7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A22.exe
Filesize
198KB

MD5
f448304a8da31f908c75870e5e951f1c

SHA1
d8a89677fa5938bc2bc279464bec17e3a7da36d2

SHA256
1472ad7c24b88dd1c89b610a394e031ad20dac60d3f233c828d0e706a8206d6f

SHA512
c3e34d2cff54fbfdff9b4575ef3648c9308d7b7e14c00fc12cfc8b2c57ec1fde09e9de54c94d74e65e80b805deee98531085743a80863acc690627518fdf8f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\A22.exe
Filesize
198KB

MD5
f448304a8da31f908c75870e5e951f1c

SHA1
d8a89677fa5938bc2bc279464bec17e3a7da36d2

SHA256
1472ad7c24b88dd1c89b610a394e031ad20dac60d3f233c828d0e706a8206d6f

SHA512
c3e34d2cff54fbfdff9b4575ef3648c9308d7b7e14c00fc12cfc8b2c57ec1fde09e9de54c94d74e65e80b805deee98531085743a80863acc690627518fdf8f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\F51E.exe
Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F51E.exe
Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F648.exe
Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\F648.exe
Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB5A.dll
Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB5A.dll
Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC6.exe
Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEC6.exe
Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s40svxqh.ugv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-50Q3H.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-50Q3H.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-50Q3H.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U4H9O.tmp\1BA8.tmp
Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U4H9O.tmp\1BA8.tmp
Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
C:\Users\Admin\AppData\Roaming\gejrish
Filesize
198KB

MD5
f448304a8da31f908c75870e5e951f1c

SHA1
d8a89677fa5938bc2bc279464bec17e3a7da36d2

SHA256
1472ad7c24b88dd1c89b610a394e031ad20dac60d3f233c828d0e706a8206d6f

SHA512
c3e34d2cff54fbfdff9b4575ef3648c9308d7b7e14c00fc12cfc8b2c57ec1fde09e9de54c94d74e65e80b805deee98531085743a80863acc690627518fdf8f82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
59f56af46481cf754a9dfaa757b9fdc3

SHA1
8f6a1558a2e19ddaf2afad946617939d693af998

SHA256
f3bfc2d5659698cd4a5ad6cfd63f0949c052bd97ce92fa6e486523015a5c4646

SHA512
8afe5cbe1fcbe38632a31ba117f78d4b796cd41aa536bea53fc1552a3adc50fb1e2176a2121d7e968fbf93037b1229103c95f2c5e2a0653e8d52900b410c6c6d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
e8a5b51029fa3b88ffbf0fa10fb53678

SHA1
d6d3d6f9e2dc4aa33de040d022f3583e94ad6d93

SHA256
1273ac483d1500996f920b734272869767c718589c7d280a7acd52efdd024ec4

SHA512
e68c1bbb2b9007536ad93ccbd80ac7b388a52b61c5c7379ec6adf3c95a96c74c6a42b66ad6ec9525e4cf45a26fd83b1998719d7b84aaa3bdbbe4488c9a8a69e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
bfd81f832c69c8b5d2c9476edb515fc8

SHA1
a568baec2537bfb25f924f8a84c34020e1c8d1ff

SHA256
d2fa1ec432683618ef72769bff95bbf3d7dfb249b040807b117a2e6e87f59d78

SHA512
58916e4cb12aaa0c56999c461d90dba371b83adf68b0a228542e4c2abcf84b6ad1540a03608a6ff20ba993aa747d2322a38c97da537919b38035968e300fc133

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
badc1461115f272d72ce75d76a18d275

SHA1
7bab18db59e87062a0aee59665ec973fe2eab335

SHA256
3963a958b922f225795d509f3b4446070a3387a51976794af3908ab043134577

SHA512
7745ce2ca3846801f4aeff9938907c50f209a71df034246cbbd81cbf44a5b3c53b0605d03f4f051bd4306d49a818f228449e59f6ad0c4bd2162c7df4fdc1eb93

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f9a04766a5d8658813376e723caeb808

SHA1
cf770ce74eb0cc81e47017872e221cbe43cfaa45

SHA256
472e8de957076d6b32fa8160bc01ef16a60142a08d44edbdf331b96227933cdd

SHA512
99cc1b48575d922c946b9de5c66ce81b2799a1e233a09cdad7034985b2b08f5a86f229f42fec5a21ef49a989e1d0e196ce9f0b7c85b8a3022b6f09bc4a22ab71

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
02003bbae86838d722b0007bf1eb5f2f

SHA1
a4e5b925cb1749a97aded3b98d7305dbcf0b4b47

SHA256
3afe16bf5f1a2017cd88d45b61aee8ae306de1b100212a5f8dd88716a975a6d8

SHA512
39312363aa1b143386247855d5e6118852bcfdde5bbb56a87412be51c6aa51d3717938089acee6cb8002f295f376d38d38e9205ee835c3ae82a0cbc2743bc8c3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
c4608c866d9ec5bf3017b79c1079b849

SHA1
e4cf1221ce9fe6df0bed752b086bbfafca10db89

SHA256
d3b5698e6fb8e79031eeb53d0b39d27a1e3e7b8d81fa23ca5680c1e2dff45153

SHA512
98ba84eeb710ceca04f1a2e8de6d16ef0d4e5d7da135454786139ff9c889947b8f99739971426f0e288413de5e766649a9aa0e7dce8ae567c743fbe9ee4a1bd5

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
c4608c866d9ec5bf3017b79c1079b849

SHA1
e4cf1221ce9fe6df0bed752b086bbfafca10db89

SHA256
d3b5698e6fb8e79031eeb53d0b39d27a1e3e7b8d81fa23ca5680c1e2dff45153

SHA512
98ba84eeb710ceca04f1a2e8de6d16ef0d4e5d7da135454786139ff9c889947b8f99739971426f0e288413de5e766649a9aa0e7dce8ae567c743fbe9ee4a1bd5

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/228-290-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/228-296-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/728-624-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/740-311-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/740-316-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/740-313-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/768-82-0x0000000002E90000-0x000000000377B000-memory.dmp

Filesize
8.9MB

Download
memory/768-79-0x0000000002A80000-0x0000000002E85000-memory.dmp

Filesize
4.0MB

Download
memory/768-306-0x0000000002A80000-0x0000000002E85000-memory.dmp

Filesize
4.0MB

Download
memory/768-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/768-346-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/768-379-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1116-293-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/1116-64-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1116-60-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/1116-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-297-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1844-155-0x0000000001250000-0x00000000012BB000-memory.dmp

Filesize
428KB

Download
memory/1844-136-0x00000000012C0000-0x0000000001340000-memory.dmp

Filesize
512KB

Download
memory/1844-99-0x0000000001250000-0x00000000012BB000-memory.dmp

Filesize
428KB

Download
memory/1848-32-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/1848-29-0x00000000008F0000-0x0000000000906000-memory.dmp

Filesize
88KB

Download
memory/1848-31-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/1848-93-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/1848-84-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2408-495-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2732-101-0x0000000002670000-0x0000000002797000-memory.dmp

Filesize
1.2MB

Download
memory/2732-85-0x0000000002520000-0x0000000002663000-memory.dmp

Filesize
1.3MB

Download
memory/2732-256-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/2732-118-0x0000000002670000-0x0000000002797000-memory.dmp

Filesize
1.2MB

Download
memory/2732-36-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/2732-37-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download
memory/2732-282-0x0000000002670000-0x0000000002797000-memory.dmp

Filesize
1.2MB

Download
memory/2868-73-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/2868-72-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

Filesize
44KB

Download
memory/2868-269-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/2868-71-0x0000000000B70000-0x0000000000C70000-memory.dmp

Filesize
1024KB

Download
memory/2904-421-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2904-625-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2904-309-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2904-602-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2904-630-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2904-618-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2904-502-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2904-637-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2916-3-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/2916-5-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/2916-1-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/2916-2-0x00000000025A0000-0x00000000025AB000-memory.dmp

Filesize
44KB

Download
memory/3280-255-0x0000000007D90000-0x0000000007DA6000-memory.dmp

Filesize
88KB

Download
memory/3280-4-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/3488-217-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3488-383-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4208-620-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4284-28-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4284-24-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/4284-303-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/4284-80-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/4284-257-0x0000000005DE0000-0x0000000006008000-memory.dmp

Filesize
2.2MB

Download
memory/4284-81-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4284-294-0x0000000007150000-0x00000000072E2000-memory.dmp

Filesize
1.6MB

Download
memory/4284-308-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4284-307-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4284-26-0x00000000053F0000-0x000000000548C000-memory.dmp

Filesize
624KB

Download
memory/4284-30-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/4284-23-0x00000000002D0000-0x00000000007E4000-memory.dmp

Filesize
5.1MB

Download
memory/4284-25-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/4284-22-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/4284-310-0x0000000007890000-0x0000000007990000-memory.dmp

Filesize
1024KB

Download
memory/4652-90-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4652-95-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4844-623-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4844-614-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4844-628-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4844-638-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4844-603-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4864-266-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/4864-247-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/4972-59-0x0000000008920000-0x0000000008F38000-memory.dmp

Filesize
6.1MB

Download
memory/4972-51-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-62-0x0000000007B30000-0x0000000007B42000-memory.dmp

Filesize
72KB

Download
memory/4972-53-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-55-0x0000000077B94000-0x0000000077B96000-memory.dmp

Filesize
8KB

Download
memory/4972-52-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-234-0x0000000008550000-0x00000000085B6000-memory.dmp

Filesize
408KB

Download
memory/4972-57-0x0000000000170000-0x0000000000A02000-memory.dmp

Filesize
8.6MB

Download
memory/4972-63-0x0000000007B90000-0x0000000007BCC000-memory.dmp

Filesize
240KB

Download
memory/4972-44-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-105-0x0000000000170000-0x0000000000A02000-memory.dmp

Filesize
8.6MB

Download
memory/4972-45-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-43-0x0000000000170000-0x0000000000A02000-memory.dmp

Filesize
8.6MB

Download
memory/4972-65-0x0000000008300000-0x000000000834C000-memory.dmp

Filesize
304KB

Download
memory/4972-284-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-271-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-47-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-122-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-192-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-180-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-123-0x0000000076560000-0x0000000076650000-memory.dmp

Filesize
960KB

Download
memory/4972-61-0x0000000007C00000-0x0000000007D0A000-memory.dmp

Filesize
1.0MB

Download