amadey | 00c430ff9419de414c9a73a7dbbdbc1ca235e509e7d89c5ea2f948938c869ab0

Analysis

max time kernel
99s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67cb1519b04712177716a6c87cf51264.exe
Size

790KB
MD5

67cb1519b04712177716a6c87cf51264
SHA1

e77caf42107a191354ffb6c978be9eb7f09da831
SHA256

00c430ff9419de414c9a73a7dbbdbc1ca235e509e7d89c5ea2f948938c869ab0
SHA512

570634c4da43101fe3643434bd37c80627d1b3c88094d7b276dba00b80aba8af4528dcc0ed2122560f3d5557b96e7c26a156e34e8dca3a5a799386a0cfcbdb61
SSDEEP

24576:poxaB/nPwQbaiyIakEL5JYqDZbmNrU0W0Rl:pP/nPlLL85JRZSgu

Score

10^/10

amadey fabookie glupteba redline risepro smokeloader stealc @rlreborn cloud tg: @fatherofcarders)pub1 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

fabookie

http://app.alie3ksgaa.com/check/safe

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1264-394-0x0000000003AB0000-0x0000000003BE0000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3068-216-0x0000000002E70000-0x000000000375B000-memory.dmp	family_glupteba
behavioral2/memory/3068-228-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3068-295-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3068-363-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3068-463-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1488-541-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1424-158-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000460001\2024.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

49 32 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2768 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
49	32	rundll32.exe

pid	process
2768	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

newbuild.exe67cb1519b04712177716a6c87cf51264.exeexplorhe.exelatestrocki.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	newbuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	67cb1519b04712177716a6c87cf51264.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	latestrocki.exe

Executes dropped EXE 17 IoCs

Processes:

explorhe.exelivak.exezonak.exeSetupPowerGREPDemo.exelatestrocki.exerdx1122.exeInstallSetup7.exetoolspub1.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.exerty25.exenseA824.tmpexplorhe.exedata.exenewbuild.exems_updater.exe31839b57a4f11171d6abc8bbc4451ee4.exe

pid	process
828	explorhe.exe
3172	livak.exe
3320	zonak.exe
5056	SetupPowerGREPDemo.exe
4572	latestrocki.exe
1516	rdx1122.exe
5048	InstallSetup7.exe
3604	toolspub1.exe
3068	31839b57a4f11171d6abc8bbc4451ee4.exe
4204	BroomSetup.exe
1264	rty25.exe
3356	nseA824.tmp
1236	explorhe.exe
3240	data.exe
2452	newbuild.exe
932	ms_updater.exe
1488	31839b57a4f11171d6abc8bbc4451ee4.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exeInstallSetup7.exenseA824.tmp

pid process

32 rundll32.exe
5048 InstallSetup7.exe
5048 InstallSetup7.exe
3356 nseA824.tmp
3356 nseA824.tmp
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2496 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
32	rundll32.exe
5048	InstallSetup7.exe
5048	InstallSetup7.exe
3356	nseA824.tmp
3356	nseA824.tmp

pid	process
2496	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\livak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000392001\\livak.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000434001\\zonak.exe"	explorhe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

133 api.2ip.ua
135 api.2ip.ua

flow	ioc
133	api.2ip.ua
135	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

67cb1519b04712177716a6c87cf51264.exeexplorhe.exezonak.exe

pid	process
4484	67cb1519b04712177716a6c87cf51264.exe
828	explorhe.exe
3320	zonak.exe
828	explorhe.exe
3320	zonak.exe
828	explorhe.exe
3320	zonak.exe
828	explorhe.exe
3320	zonak.exe
828	explorhe.exe
3320	zonak.exe
828	explorhe.exe
3320	zonak.exe
828	explorhe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rdx1122.exe

description pid process target process

PID 1516 set thread context of 1424 1516 rdx1122.exe RegAsm.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1804 sc.exe
2768 sc.exe
1056 sc.exe
732 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1516 set thread context of 1424	1516	rdx1122.exe	RegAsm.exe

pid	process
1804	sc.exe
2768	sc.exe
1056	sc.exe
732	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
712	3068	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4852	3356	WerFault.exe	nseA824.tmp
3248	2032	WerFault.exe	7A48.exe
3152	1488	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nseA824.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nseA824.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nseA824.tmp

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4712 schtasks.exe
3580 schtasks.exe
2120 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3316 timeout.exe

pid	process
4712	schtasks.exe
3580	schtasks.exe
2120	schtasks.exe

pid	process
3316	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exenseA824.tmp

pid	process
3604	toolspub1.exe
3604	toolspub1.exe
3356	nseA824.tmp
3356	nseA824.tmp
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub1.exe

pid process

3604 toolspub1.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeDebugPrivilege	952	powershell.exe
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeDebugPrivilege	3068
Token: SeImpersonatePrivilege	3068
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

67cb1519b04712177716a6c87cf51264.exe

pid process

4484 67cb1519b04712177716a6c87cf51264.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

67cb1519b04712177716a6c87cf51264.exeexplorhe.exezonak.exeBroomSetup.exeexplorhe.exe

pid process

4484 67cb1519b04712177716a6c87cf51264.exe
828 explorhe.exe
3320 zonak.exe
4204 BroomSetup.exe
1236 explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67cb1519b04712177716a6c87cf51264.exeexplorhe.exerdx1122.exelatestrocki.exeInstallSetup7.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 828	4484	67cb1519b04712177716a6c87cf51264.exe	explorhe.exe
PID 4484 wrote to memory of 828	4484	67cb1519b04712177716a6c87cf51264.exe	explorhe.exe
PID 4484 wrote to memory of 828	4484	67cb1519b04712177716a6c87cf51264.exe	explorhe.exe
PID 828 wrote to memory of 3580	828	explorhe.exe	schtasks.exe
PID 828 wrote to memory of 3580	828	explorhe.exe	schtasks.exe
PID 828 wrote to memory of 3580	828	explorhe.exe	schtasks.exe
PID 828 wrote to memory of 3172	828	explorhe.exe	livak.exe
PID 828 wrote to memory of 3172	828	explorhe.exe	livak.exe
PID 828 wrote to memory of 3172	828	explorhe.exe	livak.exe
PID 828 wrote to memory of 3320	828	explorhe.exe	zonak.exe
PID 828 wrote to memory of 3320	828	explorhe.exe	zonak.exe
PID 828 wrote to memory of 3320	828	explorhe.exe	zonak.exe
PID 828 wrote to memory of 5056	828	explorhe.exe	SetupPowerGREPDemo.exe
PID 828 wrote to memory of 5056	828	explorhe.exe	SetupPowerGREPDemo.exe
PID 828 wrote to memory of 32	828	explorhe.exe	rundll32.exe
PID 828 wrote to memory of 32	828	explorhe.exe	rundll32.exe
PID 828 wrote to memory of 32	828	explorhe.exe	rundll32.exe
PID 828 wrote to memory of 4572	828	explorhe.exe	latestrocki.exe
PID 828 wrote to memory of 4572	828	explorhe.exe	latestrocki.exe
PID 828 wrote to memory of 4572	828	explorhe.exe	latestrocki.exe
PID 828 wrote to memory of 1516	828	explorhe.exe	rdx1122.exe
PID 828 wrote to memory of 1516	828	explorhe.exe	rdx1122.exe
PID 828 wrote to memory of 1516	828	explorhe.exe	rdx1122.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 1516 wrote to memory of 1424	1516	rdx1122.exe	RegAsm.exe
PID 4572 wrote to memory of 5048	4572	latestrocki.exe	InstallSetup7.exe
PID 4572 wrote to memory of 5048	4572	latestrocki.exe	InstallSetup7.exe
PID 4572 wrote to memory of 5048	4572	latestrocki.exe	InstallSetup7.exe
PID 4572 wrote to memory of 3604	4572	latestrocki.exe	toolspub1.exe
PID 4572 wrote to memory of 3604	4572	latestrocki.exe	toolspub1.exe
PID 4572 wrote to memory of 3604	4572	latestrocki.exe	toolspub1.exe
PID 4572 wrote to memory of 3068	4572	latestrocki.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4572 wrote to memory of 3068	4572	latestrocki.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4572 wrote to memory of 3068	4572	latestrocki.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 5048 wrote to memory of 4204	5048	InstallSetup7.exe	BroomSetup.exe
PID 5048 wrote to memory of 4204	5048	InstallSetup7.exe	BroomSetup.exe
PID 5048 wrote to memory of 4204	5048	InstallSetup7.exe	BroomSetup.exe
PID 4572 wrote to memory of 1264	4572	latestrocki.exe	rty25.exe
PID 4572 wrote to memory of 1264	4572	latestrocki.exe	rty25.exe
PID 5048 wrote to memory of 3356	5048	InstallSetup7.exe	nseA824.tmp
PID 5048 wrote to memory of 3356	5048	InstallSetup7.exe	nseA824.tmp
PID 5048 wrote to memory of 3356	5048	InstallSetup7.exe	nseA824.tmp
PID 3068 wrote to memory of 952	3068	31839b57a4f11171d6abc8bbc4451ee4.exe	powershell.exe
PID 3068 wrote to memory of 952	3068	31839b57a4f11171d6abc8bbc4451ee4.exe	powershell.exe
PID 3068 wrote to memory of 952	3068	31839b57a4f11171d6abc8bbc4451ee4.exe	powershell.exe
PID 4204 wrote to memory of 4500	4204	BroomSetup.exe	cmd.exe
PID 4204 wrote to memory of 4500	4204	BroomSetup.exe	cmd.exe
PID 4204 wrote to memory of 4500	4204	BroomSetup.exe	cmd.exe
PID 4500 wrote to memory of 2528	4500	cmd.exe	chcp.com
PID 4500 wrote to memory of 2528	4500	cmd.exe	chcp.com
PID 4500 wrote to memory of 2528	4500	cmd.exe	chcp.com
PID 4500 wrote to memory of 2120	4500	cmd.exe	schtasks.exe
PID 4500 wrote to memory of 2120	4500	cmd.exe	schtasks.exe
PID 4500 wrote to memory of 2120	4500	cmd.exe	schtasks.exe
PID 828 wrote to memory of 3240	828	explorhe.exe	data.exe
PID 828 wrote to memory of 3240	828	explorhe.exe	data.exe
PID 828 wrote to memory of 3240	828	explorhe.exe	data.exe
PID 828 wrote to memory of 2452	828	explorhe.exe	newbuild.exe

C:\Users\Admin\AppData\Local\Temp\67cb1519b04712177716a6c87cf51264.exe
"C:\Users\Admin\AppData\Local\Temp\67cb1519b04712177716a6c87cf51264.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:3580

C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe
"C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe"
3⤵
- Executes dropped EXE
PID:3172

C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe
"C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3320

C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe
"C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe"
3⤵
- Executes dropped EXE
PID:5056

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:32

C:\Users\Admin\AppData\Local\Temp\1000447001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000447001\latestrocki.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:2528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:2120

C:\Users\Admin\AppData\Local\Temp\nseA824.tmp
C:\Users\Admin\AppData\Local\Temp\nseA824.tmp
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nseA824.tmp" & del "C:\ProgramData\*.dll"" & exit
6⤵
PID:2452

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
7⤵
- Delays execution with timeout.exe
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 2460
6⤵
- Program crash
PID:4852

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3604

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:1016

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:2768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4672

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
PID:5088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:3604

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:4712

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:4436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 712
6⤵
- Program crash
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 904
5⤵
- Program crash
PID:712

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:1264

C:\Users\Admin\AppData\Local\Temp\1000450001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000450001\rdx1122.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\1000451001\data.exe
"C:\Users\Admin\AppData\Local\Temp\1000451001\data.exe"
3⤵
- Executes dropped EXE
PID:3240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\1000452001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000452001\newbuild.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2452

C:\Users\Admin\AppData\Roaming\ms_updater.exe
"C:\Users\Admin\AppData\Roaming\ms_updater.exe"
4⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\AppData\Local\Temp\1000453001\Miner-XMR1.exe
"C:\Users\Admin\AppData\Local\Temp\1000453001\Miner-XMR1.exe"
3⤵
PID:2120

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:2768

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:1056

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000453001\Miner-XMR1.exe"
4⤵
PID:352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:4524

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:1804

C:\Users\Admin\AppData\Local\Temp\1000454001\legnew.exe
"C:\Users\Admin\AppData\Local\Temp\1000454001\legnew.exe"
3⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\1000455001\5247749407.exe
"C:\Users\Admin\AppData\Local\Temp\1000455001\5247749407.exe"
3⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\1000456001\crypteddaisy.exe
"C:\Users\Admin\AppData\Local\Temp\1000456001\crypteddaisy.exe"
3⤵
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\1000457001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000457001\crypted.exe"
3⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\1000458001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000458001\flesh.exe"
3⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\1000459001\322321.exe
"C:\Users\Admin\AppData\Local\Temp\1000459001\322321.exe"
3⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\1000460001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000460001\2024.exe"
3⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3068 -ip 3068
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3356 -ip 3356
1⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\4A1F.exe
C:\Users\Admin\AppData\Local\Temp\4A1F.exe
1⤵
PID:2500

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:4448

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3236

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\7A48.exe
C:\Users\Admin\AppData\Local\Temp\7A48.exe
1⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\7A48.exe
C:\Users\Admin\AppData\Local\Temp\7A48.exe
2⤵
PID:1444

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7a71b562-0c5c-43f0-94de-ec43313ab702" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2496

C:\Users\Admin\AppData\Local\Temp\7A48.exe
"C:\Users\Admin\AppData\Local\Temp\7A48.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\7A48.exe
"C:\Users\Admin\AppData\Local\Temp\7A48.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 568
5⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2032 -ip 2032
1⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1488 -ip 1488
1⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\F6FB.exe
C:\Users\Admin\AppData\Local\Temp\F6FB.exe
1⤵
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
1.2MB

MD5
c66d64e2e166a7f78fe25ffaf1b5ba80

SHA1
ac7fbaaf171af92e46129ba59af6b15992ae692b

SHA256
2808ad7368cdd818932673d3837979942de9faee39d6ad29cc7fcf2d9a7c63f5

SHA512
738212d7b2963030e39b71e3fcde8a584fc14e2e0d324291d3ac2aaa55616a3634f9d1858e80e251307e2124f552537432968d0886c43f4f702fc25f85ebbba2

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
1.1MB

MD5
c8dd4f677d0b9972190300c8f3ebd1bb

SHA1
9acbb8d04a417ed64ebd0c3dafa6ae875c12d9a1

SHA256
d4158c7b678bfaea04e3b94ba5d3affe4b03b895a1404bc4e2c7da2f38525aa1

SHA512
7ce929e65c2abbce72ec60bd013c35a30aeb602f8ca0e9c48f506b8e676ed4fcaea55f6e3e3712cdb63ca21d2ae3098100801c261cd155ef024045237196ae2d

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.4MB

MD5
c41847dcc72b803b411a5d522123af22

SHA1
c535fdc369c3ce40b2cd01ea73f935fbc30f6471

SHA256
ab5b64fc346d6aff16d4ed1889247068f99729361511f1e9ff4fa91422219b16

SHA512
8757a7d965a2f25356e46668d7c4e9dce0ee3603219f886152d00adcbd9821864c1eece49b3d85f88bfed82d56774f79cecbf7a3cda7218f87a510620510d3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe
Filesize
1.4MB

MD5
ad2be2fa8b2339ccb3d64715815b71ae

SHA1
b736ad0bd50212b740ea6b5631a36be528490972

SHA256
12ed1d5426cb4396d40ec76f484d78dbd9e3bdf7f3a476606ae27e3278683a3e

SHA512
3cfd1d21fbe642e9db1ff2eb068bb50a3dd7c3f47c8ef1afe5d1629cda71d432fdfb159ad07183a9ca070cacbfc35b5f8d489de544f15a619fe026be42ea4d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe
Filesize
1.2MB

MD5
f5699cfef0f0ea0c7211b8da78e96bb3

SHA1
94ccf284d1ee26d74e06863978ebc387d248078a

SHA256
809133c8d9f40ce170938c2eb16d499ac6e4b048aecd4a1f80bdf05904c1afca

SHA512
678f6935b53ec11f11e9942fa7161fe931f64d3ac96bc004fe9e850db80c4569abea84e725c83b3e56f03da62bf0ef45311b80d855bd6fd3c220c542989ca8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe
Filesize
13.0MB

MD5
a29a203a471bcfaf00f00386bc60aee6

SHA1
c21f747d22edef328e65dccdd5322140cbb58640

SHA256
a5f1498dc8e50a7e9963ed8b55e575100cb69c88c55da2d5e7db97df8c4aa948

SHA512
f1a630d1ea130457d1179112a51ed95fa57bc38152edcd5e840fcb071bf53a85408f158cb934ea54871247397ae4b1674108fcce7db14b0199c96638156e3d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000447001\latestrocki.exe
Filesize
1.6MB

MD5
8d018b36ab3fdf5ec15c13d7d8eb8693

SHA1
f69161b3b9092f64661bb7369504b2fa321f9a14

SHA256
ef16985d019ac7844725bed9767ae49773ae12536b89cfecb0a23f09f3b0221f

SHA512
0d52feff0721f9f7f7dede9f06ec98938b483359fe993018e97eeb621f4ba6a6bd04e27b8c978976468b88e9c3f9a74838038a0c79cc24859c2a8e6914d01bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000447001\latestrocki.exe
Filesize
6.5MB

MD5
51a977874c9b190837bc2658396d4dfe

SHA1
e193aa67104a47b41226ab6c38bad3979fa77a5f

SHA256
07c186039358d2ae58c48a251366b0aed237339667290772f42c479f41e6c498

SHA512
fd20e4dc0a8b52d7373597df577d1cd60aec69fa5894b867844eae4cb75398fd2c3bd47f8e7b4ceea3ad71e23d625131daae998780b863e28e53c60fe1058951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000450001\rdx1122.exe
Filesize
329KB

MD5
927fa2810d057f5b7740f9fd3d0af3c9

SHA1
b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8

SHA256
9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9

SHA512
54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000451001\data.exe
Filesize
6.0MB

MD5
1f37218777bacc92422169143bb320ac

SHA1
da5c0de27a1dec683190b8594425278ec3b6ccca

SHA256
7b519fc07f4b84132bb47e46d6701c6527b3a651cfaacbce30a6333e47365a6b

SHA512
8f11863d390bd5bcc434a3b4f1ac179b5889d4c8fe7185c195c93dc768a7b5ca18abf6a8747e4b60ff2a6cf9e43f7ca39bd6d1fc6e456f4cb212d39a75308324

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000451001\data.exe
Filesize
3.9MB

MD5
124cc2d9b7c6368383538effdb8f1af2

SHA1
493b7edc863ff89e70c33fd73cd79cf81f062b93

SHA256
19fa1d7d1df0eb32d5f54d86b8f01d6cfc5b13ef2d46e9736e44c8105b96cb9e

SHA512
5bda637566e909e375e67e90677a2f71d783d3acd96ff8605b1b9c780090f7842b693068d2748a75b2c26fcff055a780890568466b41b6d732e4fb40a128a1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000451001\data.exe
Filesize
3.1MB

MD5
350561f06573e23f9b10e4f078204740

SHA1
65ca2daa479212ac141e5c7f21d2ddda89bfca4d

SHA256
fe1b3014e6bf760d57840e11f2c109679cdac68b88bd3fef905fa1d346b8655e

SHA512
49a5f2e4d5c50517f42e3eb8b97eac2b7df6987a155d7373c020deef1d5f288044d48c125f8fb7bb2755bc711dc22614c5417568438399a7182a09eaedd919ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000452001\newbuild.exe
Filesize
959KB

MD5
33c7865d2fbcbccb7f9b4efdad2759cf

SHA1
38871aecd108aa670010a0cdbdfb1c1d2046f796

SHA256
72ec288691f888d841781fea3cc419432b323cde60b5745cf2ac940d319d6fb5

SHA512
e794fb9c433ee27ac2936b549812f0264dad34c365e1e878c17a841905e4524a90e7a656d1ccb0ded144e2fea7b4193d90a244c7e4f875afa74b0fb9e7d6069a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000453001\Miner-XMR1.exe
Filesize
2.5MB

MD5
8daa51b3d4d9801f29dff71e9bc4dd67

SHA1
2722c1b4f5165e21d9b2a3670f6ace5bc36d9ecf

SHA256
e049e4fbda75c0cf404d2a755cca8cdb1831803fd4fdcf34b07b2eeaec39704d

SHA512
6efb6c10e25ed723a863c75d153e3c52e5aac0df4527bd1699e4785b5974af241b008693702b89372ea6ac9a049291150a464ff3ad963482e3fe73ae594b370b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000453001\Miner-XMR1.exe
Filesize
5.6MB

MD5
69a8be70a1907db122f773bd83057e88

SHA1
05d61938a026e5bd13ed2633fffd8b37abb781d1

SHA256
45fa7481fda82f9f0e987adb793ffb101d8289ca7e005a2a57ea98bd320556d9

SHA512
26647f04736c8107f4f1a26b113286e22cd122745030a1917236acb648aa1c786b6a9c01b94cd1b41d90528e5b9977afe982bf9a0cb19d4ba0a8c4f62d2b40f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000453001\Miner-XMR1.exe
Filesize
6.4MB

MD5
2eafb4926d78feb0b61d5b995d0fe6ee

SHA1
f6e75678f1dafcb18408452ea948b9ad51b5d83e

SHA256
50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

SHA512
1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000454001\legnew.exe
Filesize
289KB

MD5
3b8212d9d6fdc390c9f5c9262563c34f

SHA1
1e609b7396ccff4efa6c4a58f00f1826afb10c70

SHA256
b7bc7db05aeb57af30283f118d3fb8d3406862de660552dbe6c930516dc6a579

SHA512
c0ebb917369977c5de47a4c4081817f9a9b09ddabf990170b60e836cc971aa937c3ad073bdb5e40f301890e5511d950e54b8952fc310fb42dada27f439fc713c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000455001\5247749407.exe
Filesize
723KB

MD5
d2d491570cb5308722ceeb9da1425ab3

SHA1
8b8a0dd6bd9fe81873a642b2fda0b51322a8d970

SHA256
6e99c3ef01126ea6f0cbd04aea1bc3018967fc5ca9236d7e0a7d205f05b9e96b

SHA512
7dc9d7deb7e03da456a0cae8bd74369351abd80ee50f0d8da10ec17f09c83677b2571c17918be12ca12f7afdf6c37623297d83bb035d276c7bee67bc87bd3011

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000456001\crypteddaisy.exe
Filesize
387KB

MD5
c0101a931d5c1b6e60167ab326c2b49d

SHA1
cff1f5af8ab8095552a85d1d56c375efc90720d7

SHA256
bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75

SHA512
77d179d7a3a787c2422b755ddd45241ba90e28fe79ffe2bea93cc2c4bb6aa247d98822d8e526e55b437cbe353bbaf058b8fac26ee6974710452a0d8a4bf6e836

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000456001\crypteddaisy.exe
Filesize
64KB

MD5
e883506cc6e66a5e511058bb9497a402

SHA1
b6bc93b55362600fb2f64e92116974f1a799e75c

SHA256
fb7a8a7e80fd52c647496f510cd76355f009a571f40301b95bb3b48ba15a373c

SHA512
22e38068cab71c9ca699b610182a13bf47f8c24ca3bc6c3ad7fb4a616959bac9a7ba23f1bcf7d7c40caefc85d29b25cd0ac1eb270e670deca8344e2abbe22372

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000457001\crypted.exe
Filesize
320KB

MD5
fcc0763e7bbcb19a548681027f6e83c6

SHA1
d7a089de9d23a65a008a722c1930bb23d26394f1

SHA256
7947070451866dc989f60e30fad437717b354effad1c60fe745e6c18d10eebd1

SHA512
82782b33d270671774833fa7b9d15631baaf4fcf2453b2870cbfb40b5dadf8497d213847ff0f1bf73666213841be656769f51c8b44b8b79b25c545940e53f806

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000457001\crypted.exe
Filesize
341KB

MD5
ece8e2177083eefb49d5e0185b899b93

SHA1
ea29f48483d95897da5af016c47ca99f825871cd

SHA256
5e88119a34553c24625c42dbbb35b9c969a051a54478ab9227dac4ce720a703e

SHA512
4cd4a45cba10387b7e977ca05a3f44efb0ed3911cbd22d2ec00d9e24a9d0e0a424727ddfee9aec71454fb52f0d85f6a42b95656ef232e0538e18d97a5f32646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000458001\flesh.exe
Filesize
660KB

MD5
d8337d7ca38eddace5472f7a274b3943

SHA1
273fc254a6051aaf13d74b6f426fd9f1a58dee19

SHA256
3ac6dde9c9dfcaed7066ea5af5121fd75a7c6c1ab9bb7bb4ca35784d50efa202

SHA512
c65082f8478a7dfae7c244e093f34b8cd67599ab20e39a7db3fc50b346039588772764a4f737ad71fff74655534d6c307338c36de6ca209c5ff8b41d0171f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000459001\322321.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000460001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
d2b00037b2f635a3fe38f34fb9c10f13

SHA1
19c60095d68d029e4342d542988433206471e3bb

SHA256
9c5393ff39ecc04dbb78a04f8662538b4874277c25a18f1617270f1c628b9054

SHA512
dee2cde00293369aa5bce574fb9141ebd46fb9dc89da824b01ea36152c5688978af55afcfcde95d324d2bc73084ce4684535b1fc1533930a7040b686d189cba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A1F.exe
Filesize
272KB

MD5
1b34541fb0dc55293424cd982f09cb30

SHA1
6e27e8c899d92da67fdb5b6f07b3d3ef54dcf62b

SHA256
c1a94b4836ce341261dafddcdd0b7f2fb0d8974418cfe37bfe4edac452966dcf

SHA512
ca39dbca5ae9771feba001fc6aecb8dfd32e4c78be53c14af092b49e7277d8575833fa65ff5f7b06809f1733215892c1506dcbd968376f97ea18f0d5313d10d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A48.exe
Filesize
769KB

MD5
6b3c3b621f4964f232d23c7b32a2e486

SHA1
dc7a1111a7fa4380b42dfa8e6d1b22b338aa10fc

SHA256
5e19952acedb1da68215069d44ce1f3d48da10491151003148f1cceab03f1073

SHA512
78b0b893295e5c8c811618638bfb9fcca2daef20b209ef4f0aeb400372b9827ff8b01325427ee41091dfb9d6b3c334510a6f2b4cccf407970cf72adb0bb2b293

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
3.2MB

MD5
f868b05799aa80ff30114489daa4fad3

SHA1
ec406a450331ba55c96ea04cf6f9171c36677a00

SHA256
c1e5aa4c7ceac0de2d61fd2abee919258d4169a1b2d951fb825886937c5e3010

SHA512
184f58fd6b7f745cd9f0caf259fa3b62b110c8c482f156a7c5838096d14b119a537b76350f7c4721de804e364975011e826b2786c6212b3d564fefd462c7a0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
1.7MB

MD5
59d57b5320b787123aae10ef48ecc553

SHA1
1dd0b4e62fc907a25afb1d98ea056f7d717c6c19

SHA256
c2ee31dbf469f153a7aab565451c84c8288fc7bbcf8fa9a35c1453cfa80dda20

SHA512
8f201183999f2f51e7866bf46d12e68d06fa0baa1d65b212a4412df3aee1a8e364c5b4d9cb531f181651ebd94119d8748ec8c4033f7179e05c4ba0c0c94bcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
448KB

MD5
f943151fdf922d0cfdb478525a83c0d9

SHA1
037457a312cd2c12562743cb20018ca2abf71b37

SHA256
3656b7948af4ea2166886d550212fd3adcce2dfd0c6747b0b40bdf61d32f5e84

SHA512
0e3468cbb9aa59913d20bab507b8aa8bae4d5ebcf9b43d2a0de602aef7aae62cee23273b2d25cc1e1eaacd5026f8deb0f79cb0ebdbdc0e9b62b65f2502380210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lfmuswhu.31r.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
790KB

MD5
67cb1519b04712177716a6c87cf51264

SHA1
e77caf42107a191354ffb6c978be9eb7f09da831

SHA256
00c430ff9419de414c9a73a7dbbdbc1ca235e509e7d89c5ea2f948938c869ab0

SHA512
570634c4da43101fe3643434bd37c80627d1b3c88094d7b276dba00b80aba8af4528dcc0ed2122560f3d5557b96e7c26a156e34e8dca3a5a799386a0cfcbdb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA479.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA824.tmp
Filesize
272KB

MD5
488a1fec80ae263aa3c8fce25b4ce529

SHA1
38bf66825b10b4e97db398dd6305008555011f58

SHA256
08454a874650411f45b77654a67c83081e676fb56aa3d27ac5aa5a7c2eaa54a9

SHA512
5cf13b44ae5b31b0f02ee08bc1e32ddcf1b8132f6e73877a62ad0f103ae007889c13d42159c7f42675d84542797995b43ed62d31255da1667aad9fa2941a9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
396KB

MD5
a5880e6164b1626035d881898402a127

SHA1
7fed22ad56eee9e518db43fa82c7bdac57114038

SHA256
3c4a7a9f0ef16676f3ef6b290f1df209c39f41c6f4f1d4c5a3d8391cdacddf1c

SHA512
c7edb323155ce230603e74e96e1b00ca0b04f81239afd030598f0b88e88bb64abf2c533afc8fc2ddab7c6a370b57f8d51693718fb366751a7d17229ead76f070

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
234KB

MD5
d5f6b1cd4f54966a2f6b263d79e62ccb

SHA1
5f17be2980c7f37e7e14ca9bc2f0a230fe3ef37b

SHA256
430c04122ba81a231c4b036c6444087d5a7e28f9414552741d43b592a47dab6b

SHA512
a01eacd2085f89cfcd67edfe5dd3072616ad6b76147b289b20fab83c40c95ef7f1caac58d54ef865ee26e5b4e85ace27bb134c2202938923239fc0fa07915439

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\ms_tool.exe
Filesize
418KB

MD5
5f7c614de934c4cbbf1a24d01eeb74ca

SHA1
68266ef1ef32df18e3ab20451dbe360ea89f27ae

SHA256
1d3ab9e001a2da0c0ba7d9193bdd9fe21baeb41cf73ded1189656b4ae9be580d

SHA512
ea1777ffc7a1d65fb246bd3d57e62fe2b6cc63d4f7a8c5045c05569230e51d1b8278f0d4c4e0a688b72287467cf55bca8e7eac633d74949effdd10a0cf96b183

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
300KB

MD5
699afe0b79c303adb18e76913d97c2fa

SHA1
3624f03a23af2b75bc1d86701024e50e5312b2ef

SHA256
9c5a036b07dc364fdb2cab03b9a146d6f4ae252b0001b8293f1db84a5e82b153

SHA512
3234e33db8d37a805ddef28f7af760c8a9aade8771ac762e3c93b781a82a757a1dc1604053aacc26003e336ca13e95b4004386f6298c4df3aabe8d1813cba516

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
e89ac1f7b3083ec3c93283ec05fecf79

SHA1
489b25a1a12157a6b3ce503b091feee61522ffc5

SHA256
60a8cdd10cb25eef274723b0c24b5d140a5ef2402455f7a03dc44844b867dbde

SHA512
1c498b1b8733fe257e1c57e1b89641909af085b35a3becfc9893616205e9d3efce9e14345a3080b0d3b75bfff97bd36ecc819126b511088ab10476fb77ca7187

Download Submit
memory/828-461-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-98-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-69-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-59-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-15-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-275-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-17-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-18-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-184-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-123-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-357-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/828-526-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/952-399-0x000000006BE20000-0x000000006C174000-memory.dmp

Filesize
3.3MB

Download
memory/952-312-0x0000000004F70000-0x0000000004F92000-memory.dmp

Filesize
136KB

Download
memory/952-371-0x0000000007270000-0x00000000072E6000-memory.dmp

Filesize
472KB

Download
memory/952-382-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/952-307-0x0000000005150000-0x0000000005778000-memory.dmp

Filesize
6.2MB

Download
memory/952-383-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/952-308-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/952-306-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/952-397-0x000000007FB20000-0x000000007FB30000-memory.dmp

Filesize
64KB

Download
memory/952-330-0x0000000006370000-0x00000000063B4000-memory.dmp

Filesize
272KB

Download
memory/952-328-0x0000000004C80000-0x0000000004C9E000-memory.dmp

Filesize
120KB

Download
memory/952-398-0x000000006C440000-0x000000006C48C000-memory.dmp

Filesize
304KB

Download
memory/952-324-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/952-296-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/952-396-0x00000000074F0000-0x0000000007522000-memory.dmp

Filesize
200KB

Download
memory/952-314-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/952-379-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/952-313-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/952-305-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/1236-311-0x0000000000480000-0x0000000000888000-memory.dmp

Filesize
4.0MB

Download
memory/1264-394-0x0000000003AB0000-0x0000000003BE0000-memory.dmp

Filesize
1.2MB

Download
memory/1264-391-0x0000000003870000-0x000000000397C000-memory.dmp

Filesize
1.0MB

Download
memory/1264-230-0x00007FF62B440000-0x00007FF62B4A6000-memory.dmp

Filesize
408KB

Download
memory/1424-164-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/1424-158-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1424-170-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/1424-166-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/1424-231-0x0000000006790000-0x000000000689A000-memory.dmp

Filesize
1.0MB

Download
memory/1424-162-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/1424-372-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/1424-226-0x0000000006B40000-0x0000000007158000-memory.dmp

Filesize
6.1MB

Download
memory/1424-332-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/1424-233-0x00000000066C0000-0x00000000066D2000-memory.dmp

Filesize
72KB

Download
memory/1424-185-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/1424-237-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/1424-236-0x00000000068E0000-0x000000000691C000-memory.dmp

Filesize
240KB

Download
memory/1488-541-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1516-151-0x0000000000B70000-0x0000000000BC6000-memory.dmp

Filesize
344KB

Download
memory/1516-161-0x0000000002E90000-0x0000000004E90000-memory.dmp

Filesize
32.0MB

Download
memory/1516-154-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/1516-153-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/1516-163-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/2120-594-0x00007FF717D30000-0x00007FF71876D000-memory.dmp

Filesize
10.2MB

Download
memory/3068-389-0x0000000002A70000-0x0000000002E70000-memory.dmp

Filesize
4.0MB

Download
memory/3068-363-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3068-463-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3068-295-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3068-215-0x0000000002A70000-0x0000000002E70000-memory.dmp

Filesize
4.0MB

Download
memory/3068-216-0x0000000002E70000-0x000000000375B000-memory.dmp

Filesize
8.9MB

Download
memory/3068-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3240-380-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/3240-364-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/3240-359-0x0000000000980000-0x0000000000F88000-memory.dmp

Filesize
6.0MB

Download
memory/3320-390-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-101-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-329-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-272-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-126-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-68-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-56-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-482-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3320-152-0x00000000003B0000-0x00000000008CD000-memory.dmp

Filesize
5.1MB

Download
memory/3356-235-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/3356-232-0x00000000008B0000-0x00000000008CC000-memory.dmp

Filesize
112KB

Download
memory/3356-250-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3356-472-0x0000000000400000-0x0000000000866000-memory.dmp

Filesize
4.4MB

Download
memory/3356-301-0x0000000000400000-0x0000000000866000-memory.dmp

Filesize
4.4MB

Download
memory/3356-234-0x0000000000400000-0x0000000000866000-memory.dmp

Filesize
4.4MB

Download
memory/3356-381-0x0000000000400000-0x0000000000866000-memory.dmp

Filesize
4.4MB

Download
memory/3356-564-0x0000000000400000-0x0000000000866000-memory.dmp

Filesize
4.4MB

Download
memory/3540-241-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/3604-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-188-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/3604-189-0x0000000000590000-0x000000000059B000-memory.dmp

Filesize
44KB

Download
memory/3604-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-221-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4204-365-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4204-395-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4204-297-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4484-1-0x0000000000790000-0x0000000000B98000-memory.dmp

Filesize
4.0MB

Download
memory/4484-2-0x0000000000790000-0x0000000000B98000-memory.dmp

Filesize
4.0MB

Download
memory/4484-0-0x0000000000790000-0x0000000000B98000-memory.dmp

Filesize
4.0MB

Download
memory/4484-4-0x0000000000790000-0x0000000000B98000-memory.dmp

Filesize
4.0MB

Download
memory/4484-16-0x0000000000790000-0x0000000000B98000-memory.dmp

Filesize
4.0MB

Download
memory/4572-130-0x0000000000740000-0x0000000000DCC000-memory.dmp

Filesize
6.5MB

Download
memory/4572-131-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/4572-213-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/5056-124-0x00007FF63D790000-0x00007FF63E4F1000-memory.dmp

Filesize
13.4MB

Download
memory/5056-462-0x00007FF63D790000-0x00007FF63E4F1000-memory.dmp

Filesize
13.4MB

Download
memory/5056-294-0x00007FF63D790000-0x00007FF63E4F1000-memory.dmp

Filesize
13.4MB

Download
memory/5056-358-0x00007FF63D790000-0x00007FF63E4F1000-memory.dmp

Filesize
13.4MB

Download
memory/5056-528-0x00007FF63D790000-0x00007FF63E4F1000-memory.dmp

Filesize
13.4MB

Download
memory/5056-214-0x00007FF63D790000-0x00007FF63E4F1000-memory.dmp

Filesize
13.4MB

Download