amadey | dd0bce209db18fd169d8183c9180882ffe095ae0cbf85bde307626cd28363217

Analysis

max time kernel
89s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

793KB
MD5

5a3924e66c52d9d97c3a79893a215eb3
SHA1

26044d6cf477b9e88860a4012e8669c17ce90920
SHA256

dd0bce209db18fd169d8183c9180882ffe095ae0cbf85bde307626cd28363217
SHA512

90e9e4f885652381a46ae2d92d2be31865602939674d206d1f79bee80db604f35691d7e629dd9839d6c1dcd8a30316ba349dec636234725dfe120fc47f767a78
SSDEEP

12288:OWaas7hkak+B6qnco7YNQj2YcKify3iSJl55GUYnSr3/35elqP6T6tMglA:OWaZhpqqnlwQ6siK3/l5jYnQ3v0lqPj

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

redline

Botnet

@oni912

45.15.156.209:40481

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1620-83-0x0000000005000000-0x000000000503E000-memory.dmp	family_redline
behavioral2/memory/1620-78-0x00000000023E0000-0x0000000002422000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000842001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000842001\2024.exe	family_redline
behavioral2/memory/4924-141-0x0000000000F10000-0x0000000000F62000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000850001\RDX.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000850001\RDX.exe	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ladas.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ladas.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ladas.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2404-156-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-159-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-161-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-162-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-160-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-157-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-163-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-198-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2404-197-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

76 3756 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5108 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
76	3756	rundll32.exe

pid	process
5108	netsh.exe

.NET Reactor proctector 20 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4720-44-0x0000000004E10000-0x0000000004E20000-memory.dmp	net_reactor
behavioral2/memory/4720-41-0x0000000004C60000-0x0000000004CDE000-memory.dmp	net_reactor
behavioral2/memory/4720-46-0x0000000004D90000-0x0000000004E0E000-memory.dmp	net_reactor
behavioral2/memory/1968-231-0x0000000004C00000-0x0000000004C98000-memory.dmp	net_reactor
behavioral2/memory/1968-234-0x0000000004B60000-0x0000000004BF8000-memory.dmp	net_reactor
behavioral2/memory/3736-295-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-294-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-297-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-299-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-301-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-303-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-305-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-307-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-318-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-330-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-333-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-335-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-337-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-341-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor
behavioral2/memory/3736-344-0x0000000004FC0000-0x0000000005165000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ladas.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ladas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ladas.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorhe.exeleg221.exeRegAsm.exedayroc.exensh171F.tmpchrosha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	leg221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	dayroc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	nsh171F.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	chrosha.exe

Executes dropped EXE 31 IoCs

Processes:

explorhe.execrptchk.exeleg221.exeredline1234.exe2024.exeuwgxswmtctao.exeexplorhe.exe55555.exemrk1234.exeqemu-ga.exealex.exegoldklassd.exeolehps.exeLogs.exe1233213123213.exeWerFault.exesadsadsadsa.exeConhost.exedayroc.exed21cbe21e38b385a41a68c5e6dd32f4c.exeInstallSetup9.exetoolspub1.exeBroomSetup.exeAmadey.exensh171F.tmpladas.exed21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exechrosha.exeexplorhe.exeinjector.exe

pid	process
4304	explorhe.exe
4720	crptchk.exe
1620	leg221.exe
228	redline1234.exe
4924	2024.exe
2440	uwgxswmtctao.exe
2148	explorhe.exe
3436	55555.exe
1968	mrk1234.exe
2604	qemu-ga.exe
3736	alex.exe
4444	goldklassd.exe
2240	olehps.exe
4676	Logs.exe
3836	1233213123213.exe
4576	WerFault.exe
232	sadsadsadsa.exe
3376	Conhost.exe
5104	dayroc.exe
4732	d21cbe21e38b385a41a68c5e6dd32f4c.exe
3584	InstallSetup9.exe
5116	toolspub1.exe
1756	BroomSetup.exe
1700	Amadey.exe
4284	nsh171F.tmp
4728	ladas.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1480	csrss.exe
2816	chrosha.exe
2160	explorhe.exe
1872	injector.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ladas.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine ladas.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	ladas.exe

Loads dropped DLL 8 IoCs

Processes:

rundll32.exeInstallSetup9.exensh171F.tmprundll32.exerundll32.exe

pid	process
3756	rundll32.exe
3584	InstallSetup9.exe
3584	InstallSetup9.exe
4284	nsh171F.tmp
4284	nsh171F.tmp
3584	InstallSetup9.exe
384	rundll32.exe
1164	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2404-151-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-153-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-154-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-152-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-156-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-159-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-161-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-162-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-160-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-157-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-163-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-198-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2404-197-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exed21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ladas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000854001\\ladas.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exeConhost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

explorhe.exeladas.exe

pid	process
4304	explorhe.exe
4304	explorhe.exe
4304	explorhe.exe
4304	explorhe.exe
4304	explorhe.exe
4304	explorhe.exe
4728	ladas.exe
4304	explorhe.exe
4304	explorhe.exe
4304	explorhe.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

crptchk.exeuwgxswmtctao.exemrk1234.exealex.exegoldklassd.exeWerFault.exe

description	pid	process	target process
PID 4720 set thread context of 552	4720	crptchk.exe	RegAsm.exe
PID 2440 set thread context of 2404	2440	uwgxswmtctao.exe	explorer.exe
PID 1968 set thread context of 1508	1968	mrk1234.exe	RegAsm.exe
PID 3736 set thread context of 1104	3736	alex.exe	RegAsm.exe
PID 4444 set thread context of 4744	4444	goldklassd.exe	RegAsm.exe
PID 4576 set thread context of 520	4576	WerFault.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 3 IoCs

Processes:

Amadey.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	Amadey.exe
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4452 sc.exe
4056 sc.exe
2960 sc.exe
3836 sc.exe
2328 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4452	sc.exe
4056	sc.exe
2960	sc.exe
3836	sc.exe
2328	sc.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4620	552	WerFault.exe	RegAsm.exe
4908	3436	WerFault.exe	55555.exe
1756	3436	WerFault.exe	55555.exe
5052	5116	WerFault.exe	toolspub1.exe
5020	1508	WerFault.exe	RegAsm.exe
644	1508	WerFault.exe	RegAsm.exe
4360	4284	WerFault.exe	nsh171F.tmp

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exedwm.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsh171F.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsh171F.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsh171F.tmp

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4444 schtasks.exe
840 schtasks.exe
3212 schtasks.exe
2916 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4260 timeout.exe

pid	process
4444	schtasks.exe
840	schtasks.exe
3212	schtasks.exe
2916	schtasks.exe

pid	process
4260	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exedwm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeConhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

leg221.exeredline1234.exeuwgxswmtctao.exe2024.exeLogs.exe1233213123213.exeolehps.exeRegAsm.exeRegAsm.exetoolspub1.exepowershell.exeConhost.exeladas.exensh171F.tmpd21cbe21e38b385a41a68c5e6dd32f4c.exepowershell.exed21cbe21e38b385a41a68c5e6dd32f4c.exeConhost.exe

pid	process
1620	leg221.exe
228	redline1234.exe
228	redline1234.exe
228	redline1234.exe
228	redline1234.exe
2440	uwgxswmtctao.exe
4924	2024.exe
4924	2024.exe
4924	2024.exe
4924	2024.exe
4924	2024.exe
4924	2024.exe
4924	2024.exe
4676	Logs.exe
4676	Logs.exe
3836	1233213123213.exe
2240	olehps.exe
2240	olehps.exe
520	RegAsm.exe
520	RegAsm.exe
4744	RegAsm.exe
4744	RegAsm.exe
3504
3504
4744	RegAsm.exe
4744	RegAsm.exe
4744	RegAsm.exe
4744	RegAsm.exe
2240	olehps.exe
2240	olehps.exe
2240	olehps.exe
2240	olehps.exe
5116	toolspub1.exe
5116	toolspub1.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
3376	Conhost.exe
3376	Conhost.exe
4728	ladas.exe
4728	ladas.exe
4284	nsh171F.tmp
4284	nsh171F.tmp
4732	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4732	d21cbe21e38b385a41a68c5e6dd32f4c.exe
3376	Conhost.exe
3376	Conhost.exe
3376	Conhost.exe
3376	Conhost.exe
4996	powershell.exe
4996	powershell.exe
4996	powershell.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
5072	d21cbe21e38b385a41a68c5e6dd32f4c.exe
60	Conhost.exe
60	Conhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1233213123213.exe

pid process

3836 1233213123213.exe

pid	process
3836	1233213123213.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

leg221.exeexplorer.exe2024.exealex.exeLogs.exeolehps.exeRegAsm.exeRegAsm.exeRegAsm.exepowershell.exeConhost.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

description	pid	process
Token: SeDebugPrivilege	1620	leg221.exe
Token: SeLockMemoryPrivilege	2404	explorer.exe
Token: SeDebugPrivilege	4924	2024.exe
Token: SeDebugPrivilege	3736	alex.exe
Token: SeDebugPrivilege	4676	Logs.exe
Token: SeDebugPrivilege	2240	olehps.exe
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeDebugPrivilege	520	RegAsm.exe
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeDebugPrivilege	4744	RegAsm.exe
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeDebugPrivilege	1104	RegAsm.exe
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeDebugPrivilege	976	powershell.exe
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeDebugPrivilege	3376	Conhost.exe
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeDebugPrivilege	4732	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

pid process

3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

pid process

3504
3504
3504
3504
3504
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

tmp.exeexplorhe.exeexplorhe.exeBroomSetup.exe

pid process

368 tmp.exe
4304 explorhe.exe
2148 explorhe.exe
1756 BroomSetup.exe

pid	process
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504

pid	process
3504
3504
3504
3504
3504

pid	process
368	tmp.exe
4304	explorhe.exe
2148	explorhe.exe
1756	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

choice.exeexplorhe.execrptchk.exeuwgxswmtctao.exeleg221.exemrk1234.exealex.exe

description	pid	process	target process
PID 368 wrote to memory of 4304	368	choice.exe	explorhe.exe
PID 368 wrote to memory of 4304	368	choice.exe	explorhe.exe
PID 368 wrote to memory of 4304	368	choice.exe	explorhe.exe
PID 4304 wrote to memory of 4444	4304	explorhe.exe	goldklassd.exe
PID 4304 wrote to memory of 4444	4304	explorhe.exe	goldklassd.exe
PID 4304 wrote to memory of 4444	4304	explorhe.exe	goldklassd.exe
PID 4304 wrote to memory of 4720	4304	explorhe.exe	crptchk.exe
PID 4304 wrote to memory of 4720	4304	explorhe.exe	crptchk.exe
PID 4304 wrote to memory of 4720	4304	explorhe.exe	crptchk.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4720 wrote to memory of 552	4720	crptchk.exe	RegAsm.exe
PID 4304 wrote to memory of 1620	4304	explorhe.exe	leg221.exe
PID 4304 wrote to memory of 1620	4304	explorhe.exe	leg221.exe
PID 4304 wrote to memory of 1620	4304	explorhe.exe	leg221.exe
PID 4304 wrote to memory of 228	4304	explorhe.exe	redline1234.exe
PID 4304 wrote to memory of 228	4304	explorhe.exe	redline1234.exe
PID 4304 wrote to memory of 4924	4304	explorhe.exe	2024.exe
PID 4304 wrote to memory of 4924	4304	explorhe.exe	2024.exe
PID 4304 wrote to memory of 4924	4304	explorhe.exe	2024.exe
PID 2440 wrote to memory of 2404	2440	uwgxswmtctao.exe	explorer.exe
PID 2440 wrote to memory of 2404	2440	uwgxswmtctao.exe	explorer.exe
PID 2440 wrote to memory of 2404	2440	uwgxswmtctao.exe	explorer.exe
PID 2440 wrote to memory of 2404	2440	uwgxswmtctao.exe	explorer.exe
PID 2440 wrote to memory of 2404	2440	uwgxswmtctao.exe	explorer.exe
PID 4304 wrote to memory of 3436	4304	explorhe.exe	55555.exe
PID 4304 wrote to memory of 3436	4304	explorhe.exe	55555.exe
PID 4304 wrote to memory of 3436	4304	explorhe.exe	55555.exe
PID 4304 wrote to memory of 3756	4304	explorhe.exe	rundll32.exe
PID 4304 wrote to memory of 3756	4304	explorhe.exe	rundll32.exe
PID 4304 wrote to memory of 3756	4304	explorhe.exe	rundll32.exe
PID 4304 wrote to memory of 1968	4304	explorhe.exe	mrk1234.exe
PID 4304 wrote to memory of 1968	4304	explorhe.exe	mrk1234.exe
PID 4304 wrote to memory of 1968	4304	explorhe.exe	mrk1234.exe
PID 1620 wrote to memory of 2604	1620	leg221.exe	qemu-ga.exe
PID 1620 wrote to memory of 2604	1620	leg221.exe	qemu-ga.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 1968 wrote to memory of 1508	1968	mrk1234.exe	RegAsm.exe
PID 4304 wrote to memory of 3736	4304	explorhe.exe	alex.exe
PID 4304 wrote to memory of 3736	4304	explorhe.exe	alex.exe
PID 4304 wrote to memory of 3736	4304	explorhe.exe	alex.exe
PID 4304 wrote to memory of 4444	4304	explorhe.exe	goldklassd.exe
PID 4304 wrote to memory of 4444	4304	explorhe.exe	goldklassd.exe
PID 4304 wrote to memory of 4444	4304	explorhe.exe	goldklassd.exe
PID 3736 wrote to memory of 1104	3736	alex.exe	RegAsm.exe
PID 3736 wrote to memory of 1104	3736	alex.exe	RegAsm.exe
PID 3736 wrote to memory of 1104	3736	alex.exe	RegAsm.exe
PID 3736 wrote to memory of 1104	3736	alex.exe	RegAsm.exe
PID 3736 wrote to memory of 1104	3736	alex.exe	RegAsm.exe
PID 3736 wrote to memory of 1104	3736	alex.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:368

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:4444

C:\Users\Admin\AppData\Local\Temp\1000838001\crptchk.exe
"C:\Users\Admin\AppData\Local\Temp\1000838001\crptchk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 600
5⤵
- Program crash
PID:4620

C:\Users\Admin\AppData\Local\Temp\1000840001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000840001\leg221.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
- Executes dropped EXE
PID:2604

C:\Users\Admin\AppData\Local\Temp\1000841001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000841001\redline1234.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
4⤵
- Launches sc.exe
PID:4452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
4⤵
- Launches sc.exe
PID:4056

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2960

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
4⤵
- Launches sc.exe
PID:3836

C:\Users\Admin\AppData\Local\Temp\1000842001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000842001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Users\Admin\AppData\Local\Temp\1000843001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000843001\55555.exe"
3⤵
- Executes dropped EXE
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1088
4⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 692
4⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3756

C:\Users\Admin\AppData\Local\Temp\1000844001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000844001\mrk1234.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1196
5⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1212
5⤵
- Program crash
PID:644

C:\Users\Admin\AppData\Local\Temp\1000845001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000845001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:2992

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\1000846001\goldklassd.exe
"C:\Users\Admin\AppData\Local\Temp\1000846001\goldklassd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Users\Admin\AppData\Local\Temp\1000847001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000847001\1233213123213.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3836

C:\Users\Admin\AppData\Local\Temp\1000848001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000848001\crypted.exe"
3⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
PID:232

C:\Users\Admin\AppData\Local\Temp\1000850001\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000850001\RDX.exe"
3⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\1000851001\dayroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000851001\dayroc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5104

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:4316

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:5108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:60

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4824

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3812

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:3212

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:2988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:60

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:844

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:1872

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:4080

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
PID:2328

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 348
5⤵
- Program crash
PID:5052

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3584

C:\Users\Admin\AppData\Local\Temp\nsh171F.tmp
C:\Users\Admin\AppData\Local\Temp\nsh171F.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsh171F.tmp" & del "C:\ProgramData\*.dll"" & exit
6⤵
PID:1044

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
7⤵
- Delays execution with timeout.exe
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 2588
6⤵
- Program crash
PID:4360

C:\Users\Admin\AppData\Local\Temp\1000853001\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\1000853001\Amadey.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1700

C:\Users\Admin\AppData\Local\Temp\1000854001\ladas.exe
"C:\Users\Admin\AppData\Local\Temp\1000854001\ladas.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 552 -ip 552
1⤵
PID:2072

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3436 -ip 3436
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3436 -ip 3436
1⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
2⤵
PID:436

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
3⤵
- Creates scheduled task(s)
PID:840

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5116 -ip 5116
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1508 -ip 1508
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1508 -ip 1508
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1508 -ip 1508
1⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:384

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:1164

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:2944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4284 -ip 4284
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4576

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
372KB

MD5
5abf48506add9302c5d7ae461c05344c

SHA1
ab6652944fe3cce5a89f0a5da8275d901c43babb

SHA256
4f1a49a28287cd8cc40474dded582c4b507b700afa0d85db222d6878bdbeb39b

SHA512
c5317413da49123c71564cc3dfcc6555d8cd2b6fd40e1d981a3880c10c4fe4cf46995c6a79eba3daa4ad0dec10dc6aadf9c9311edcdc9161a7b8c01a5c0b7ebb

Download Submit
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
628KB

MD5
270f9880d1dc2d9b7f9c697fbdd5d19f

SHA1
c004c4cff094c633e10d14b30fdb6ca1e8ae4ffd

SHA256
90bb3f3754d34e080e31831cbea7b08b63f917215018e17650791b9c03a4ab17

SHA512
b18745a465998225e766376608541a3090f1e2c6e738eefa461e7ae75fd5e18e4334b8f911ec51f24c77f61001be083e2d79103c9a3c4e7e34a12b7ea52d0dad

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1305705ab4eb7a8ff5a73874670d91f4

SHA1
a118cf0ba2d4ac47473b9140c0aa7745efc6aac7

SHA256
d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b

SHA512
27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000838001\crptchk.exe
Filesize
595KB

MD5
63d9528b6667199d22c482f15643ab31

SHA1
6b6ee0d6d1d661dc3806b653757c5fa8fbc7fd36

SHA256
7c94846904eeffd843980d64ba0eee3b8a81a52aeb60b5a5195bf7b426e4a443

SHA512
1bcf34c21d452db4212358d5ba10339b1d8c42ceda80741affdd54f2bc6dac876e10d72b583e7e7df65d47d9d4f95184b38f7b51963e82afba34d8540dc44e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000840001\leg221.exe
Filesize
128KB

MD5
aed6732f41e44a2618eebfd97f7b021d

SHA1
1bdc5e9829ac57710e1849324cb08bcc0effcee2

SHA256
0937bf680a0bee9e9f29398a42b418de3e7c9bd6acd83305242ebb7d12ade7db

SHA512
6fbb5983812b4771a31f46aea6f628128d90ce62a58210713ec5357e8bf8a1600eef4e2b254ec36c7e0a559ae9d0fb395110925cce18eb7b24b1113de4563fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000840001\leg221.exe
Filesize
79KB

MD5
d4b2ca9edbe5f8eebbab5e9b6244e9d1

SHA1
ec674d07b45352f549b9231f8740f64aaf755cca

SHA256
9957e9bd74853058220835210007a30f6e12ce7480e709f944e5da91c70aed5b

SHA512
c08510a35a86c55f8391c3c7858e4063da5fd394670630bad133b814b751f3b084e02629331aa73f7f3ab35967a14890b2c11ed77c0398c9702503872e9dd78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000840001\leg221.exe
Filesize
104KB

MD5
8f89350775fcbd592f48bfbcd01bc24c

SHA1
e9093e8a229f09bb92220caabf957c724cceffaf

SHA256
f34c9bf2c6923bca20365a2a1e7ee254453e07e9d70fef45ac9e6365f04da9bc

SHA512
a9d937a244f23f936ddcd47de66b6d6a63ef46a99373dd4fc093ab6a0deeb2831af3ce3606d6c8fdf4c60ab9a4b61127f112b9a580727e576fbfeb2e74320da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000841001\redline1234.exe
Filesize
832KB

MD5
38b704c26924b3d0c05e681512e70002

SHA1
bae3d9d7234b33850290e5faa5ee6123a431c22d

SHA256
c5183f593f7c72db5844bcd35f78724f31cc97a6f011543d4c171057525b51be

SHA512
7f4480390bb21cd0f179a9fb7fcf212581ef2493f080ace6fe90fbbaa492f275d038e4a2c7c375b866d0c79fe6fb6435b1530d489e9e7bd508ba7defa82cd454

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000841001\redline1234.exe
Filesize
925KB

MD5
e8a6ea3f0d30d9583824918d40153cbf

SHA1
dc55c0d2658873a6276fa1a76f1ac09cd9ecf00f

SHA256
6c69e75b94f75f319db6fe804609961d9a3f723a0aa700e2a52abc7d5804e3ae

SHA512
cab16a667eed5442251dd6fd258a487c24197b128e85079bfe26f69e089f44bffc144e7000aac58307e437cbeac73043cf4978a479b7299512d74bd5fb55cac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000841001\redline1234.exe
Filesize
931KB

MD5
5fcaf9ba1fd37676b39409e74ee8a113

SHA1
59bc29f2b2cd51be0ab2277c22fc9b92e837a9b6

SHA256
766cbc3e893f88f2f680856f6129431b58ac1708056e50cecf33d6dc5ba9e5a1

SHA512
451c1e8b44c0265563f17b605a7672137211d867bcf08a02528ea4e7e3c41a1571c862a89dab433a79d658ea729b95838f0aea44f2f33530a14dac0f5874b3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000842001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000842001\2024.exe
Filesize
183KB

MD5
3886f8568f10ea023e327034d6a8398c

SHA1
b2981b26fadcd2ec5a8d327c119779f391c42a9f

SHA256
f3726192f0a59a1a27d5c01465742123a7df2872337b374c0cf638df9221642b

SHA512
96ea3d31be1a7d5beaf10ce61f8f434e76dad110032a2aff096f0c4542e0495c26a5012db62af9ef32d5bad4ccdb461a4f9337c74c95139a9b3433af2ca3dc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000843001\55555.exe
Filesize
46KB

MD5
8678decc5de28ff89f167f2f9d4bc09d

SHA1
54bd8c0ce615e7ab458b19d01517485f03080e7d

SHA256
ce960f2fd86baff2e38faf52afadd8a96cd55272d1df0d9ed7434a10ee9e4398

SHA512
c4ef521832ded50cb83eb37038591078110fb45960d0e628bb0f3293411243a9a40d02e683aa14026844ede15131123dadae376fa10b525f8f9d3cdb55ad8902

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000843001\55555.exe
Filesize
75KB

MD5
2a1d286b9cfe8751bb409a003f0a655c

SHA1
f712502ef0f221598d70e3166537200d70acd4eb

SHA256
ffb7434ce881249b167acad617c547926c7f77d1b64cd5e669c52d62e27a9284

SHA512
e534b50cad818b7ef2e9eb92fa2ef7944b7ab2ebd2b3f4ea403fe95732a6c4522dd55f2e3f575239c62063eeef83c82512fc4a703450ec03bec7928889c7114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000843001\55555.exe
Filesize
235KB

MD5
c3c672b1d798b9f829516d048c273306

SHA1
92b51c092d06fadb89c10833d0d49d1b7619284a

SHA256
b17d612bad15b1fecb2c9d548584890d70104ea389b0e5b70179319f4cbd862e

SHA512
e71c7a0029e13f13e99c4348da4ae3f5f034f4809c2989039caac274ee45d804e58b9ca6615c3d71789bdfb3a2af65af4837bd2d6f70b6f73e6c746f6e6e04bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000844001\mrk1234.exe
Filesize
145KB

MD5
db7db1e225bdfe4b6f3e23ce056b73c8

SHA1
36fca836200869be127f422215a7c2684a38836b

SHA256
276ad1f373ea3725ffa5f53c27915dfcf76970b943fd4185b6aa4f443330d7bd

SHA512
4ccff0e60701dd36a59625bc773e4e74a8917a09f89021cff416b73fa8e81be6f5d40d4639599add28c03156779c3c93392d728ff4803c2a945910165b85b9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000844001\mrk1234.exe
Filesize
88KB

MD5
2caa4b0d9629792e0dba47e4bb90c767

SHA1
ea58bdfffc35e5ca47f6707f1b3aa563dbb303e6

SHA256
2c8a1f038be67a876c568e175602d671bbdd2e9697c494c75875226e1f4731c4

SHA512
94dca6865f9d0f404b81e550cc9552c527a3f99ec280c03e8f239ab9bff2460307a338a73f0e2f4f6f48503858fc5e37058043c2859f60b86e923628bd76d42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000844001\mrk1234.exe
Filesize
67KB

MD5
771280986d3fd30ebe19436bb15b2383

SHA1
87ab006c248c9278320ad93a774de708323894f7

SHA256
d19a75a9cdbd0f9457ad51ebcd80341647ddefc137dbc3ebf81e3cfbc52c6320

SHA512
9a1496e24620092eefdbe9178102e15a7c8e4a284257ce9ca311a1dd1750a929a2688f255df3affbdfed6bb2ab8ba0cffe9814433fc8c4ed1de0030c49166a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000845001\alex.exe
Filesize
206KB

MD5
4c765005f818559412667970ef1c3e1f

SHA1
5c56346b63231382a31671611dfd9277aa10c0d5

SHA256
c6feabea585bf8a0009a39a72d1f6b752e5ae6bf23775cf430e5eb1126074c44

SHA512
8b386d191bc552956c9efd8030b1abe87e52d572f61ea0d3f57ff092763305cbabab5f7a58433fb89bf366a5ba8a84d6b2fc17a8dc0f8d6a70c7bb3da56a34d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000845001\alex.exe
Filesize
149KB

MD5
e86e4d1c46f56139f5cc90789108dbc0

SHA1
029cddeb9540ffd29543d0509f270097ec3af4b2

SHA256
2cb97fce4dfeb8bc53537701a2d56186fb8e212c669f4b921d1ded519a664d3f

SHA512
d60edc01859bbdda75715315b26498dd164f964eb66955b8ff8fd47beee0e99d2d7b00a28c14cf23c3701ac25a1579d6057af0350c5ecad50801b6da8dfe6596

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000845001\alex.exe
Filesize
220KB

MD5
0830afd61e2e9a80eb8e262af6a8f217

SHA1
543064d1c74fe30aec53a2b0a953644a17c56564

SHA256
3d06b4abd0b7216ce9ab360e9cd1a6e8fdb075d76fa84cff8634dc91fecbcb84

SHA512
ebfd0c0a12eafd9a6a0124161d6aa7bf98e8fa17a058b1672099f69e567e5b0b9b9d9ef6ae0059157ce3f9ebbe4cfa8b4d299335c7ebc64fe585d180ce4e8662

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000846001\goldklassd.exe
Filesize
89KB

MD5
78fd0f1583e1703e46937cde68bcc326

SHA1
f35f671963021eef7ca0291e83a3a1564dade3f1

SHA256
1b2850952566d64b56f10e2e4dcec68938afcba6f87b35e4d2b3d09612506d75

SHA512
292a3909d0bd9a92b28231a51cb456b70b2e41435fded4bb02cbd7502b5b46deab5e2c79a3fdbf603167bd065708c320bbafaa7a7041c870fca485e7d895c282

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000846001\goldklassd.exe
Filesize
74KB

MD5
01e99922e069f8b9c8a4e6886dcb7c4c

SHA1
ba823ad4142eb0307091f1d41a651e8184af468e

SHA256
e361a57f041cbaaf8636426e7b4670cd9c000f645bb06266fcdad2de82880d89

SHA512
6756fca9409e9a513b89cfb3fc7eac3ff905f0e9d69bf54727902c44b09017ba2de1171e57333659716090273e858d80eed45d4ba4b237adf949d70666124ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000846001\goldklassd.exe
Filesize
67KB

MD5
31b7a57faa589b1018764bb543d12b53

SHA1
17108e25d58ab3eebe8f1624647b2d4199f06999

SHA256
fb8ad513670f6e7128fc490513caf5b6636d1145ccbfd724a7e6e1e1c7a6720f

SHA512
eaaad733f7fb172b9c82953bbeffe25de187bc1be750fc40cdc357ab1594192551e3e5a9651a31b9cd5f8f5770050c58fdb9847d13669f815a4c84d6d15cf6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000847001\1233213123213.exe
Filesize
71KB

MD5
32e1eaa51557d24a58346584e553418f

SHA1
9e3c20fd313718cfb6dda352ad86ea3f6831c3cf

SHA256
845100fd80e54c22b8052411bee9553bcc7d28fc8cd6f9bf9c99840a147b48c8

SHA512
adbd33a25bdd7307ab3d1109a450a4a72e8304cf26a461615e5dd2f55242a74612e23e6bf09c41351d1fbd9f5262c3f8afeb4bd4775825ac4acfa7c6b806707f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000847001\1233213123213.exe
Filesize
59KB

MD5
47914b51f73bae4a5fba003223c90ec2

SHA1
f0084cf8196712a7947e234fc84cbf8d83539b5c

SHA256
ba1e9ed2418a9ca88596e953ebd7f686190fbe6b3b518061c8593f210b8ff19c

SHA512
d1b06acb04a6ccd4c132c39e86c9dfd0d552adb044c298f65f45bc8c145e6f5d1f41eac9624abe0bfe7ff8bd0de6615708800a191e78ff999d98d6ae5404d403

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000847001\1233213123213.exe
Filesize
145KB

MD5
e651a5902c8f43a0f301172bf8ba884a

SHA1
5b6da7339ba4d32607dbb3448299af330c21e4da

SHA256
379b8bad52867295c58fc18d96ffbaa50c6da55b15ff93fa0b49a74a65f7376f

SHA512
1897766c802210a99d09297326d97137ac2a4181e132771d0b76421f1f88b5fda840f716ddb0ed8f5e1621fe2efd57a3c225b50dbcc17d0c76073e9f3fbdb1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000848001\crypted.exe
Filesize
179KB

MD5
0d9f45c5316c1914dd8caac92f0930e0

SHA1
91f41517506f04994e74e317d8b51e8128318315

SHA256
b05fc71876910ed34b8060bc917c94723aabe73ed6371e3b8d59268684a52de7

SHA512
b6ec8eaeb3a60382c994a88003de0d22775699891800a0e94e78120050cc9beeca6a0e8ab1ff112af5d9b134ce4bdf35a7e026a276d00d2b4fa73f6fa5e7476c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000848001\crypted.exe
Filesize
155KB

MD5
f84eabce219dc14685fda6d32a22a3de

SHA1
1ef2da51bd583962906c50c26d7e65ec52d6aa49

SHA256
7bf881cc8e6d3979752b37ff846feb2947819c9979d61d1c216256cc7be5ccb8

SHA512
a7cbe31188151f427364c28b41f7c6aed097765a2bba9eb1911b53f53a8e071f477bdb627736c491cc2f65c4d3aab5879e9b0d7885c5be17e5a49bdeea10a376

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000848001\crypted.exe
Filesize
176KB

MD5
5fee9ad167515162327a520cda0ffccd

SHA1
8e476261094fd2b034ae3e8fe9763690c7684891

SHA256
4732cc2ec714413726760279d51f48972a716d1726bdbf7f201a5e88a1bb4ace

SHA512
73c06f75ab379ddeea2355234eb96e715305b9cdd05b4564a6284fff3fe67ab4afb0e21a7266fc64f8ef91089c5aba01f2320ee45a83f7d00805c487866dc1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe
Filesize
298KB

MD5
a3f3068e2bcfd79a56ffa5b8a76fa507

SHA1
5e6067ed5c70c0d06a49945d1cfbfa7ca4c6a3a3

SHA256
e3afc598637a42d894ddcbcac306586d30a43f33d9bba3a1f1904b6d8de0b9b8

SHA512
90044b828cbd35c0399f62b768d737037b3b1ad2f8c5dca43bd792d80d7c7642bb2bd185a3cb1566f7313fc7387761584d74a28ee687698b71e184c0b5a8efc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe
Filesize
206KB

MD5
3d8e965ad85e54513aa5cd4fb6148c08

SHA1
bc8d8ef2e4b84b5cd3a6550d837f5bb64bf04e6b

SHA256
fd80ee25a8f97447b0e928fa6438cd60cec5cbd766eb69ef085bf31e2c2ed9c7

SHA512
8bfe1f6c7d09ddc4b7277347cda2ae5062f2b33f9d4f2df813e0898c05a37fd8cc5d8dbb11a257a73f62964f49d328e87fb53304f34aba0c9553c958338803a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000849001\sadsadsadsa.exe
Filesize
313KB

MD5
5a6358bb95f251ab50b99305958a4c98

SHA1
c7efa3847114e6fa410c5b2d3056c052a69cda01

SHA256
54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5

SHA512
4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000850001\RDX.exe
Filesize
5KB

MD5
50573cfccae517394a1ec50c97aafcbc

SHA1
a6ac3cf457eaafaf3e30a467b9cf14821581cc4f

SHA256
25740d18cd289974ac1418d1591a8829680714fbf3afe47071e589a810e8a42a

SHA512
633a369b7970010fe0f57117e3741631d02c54a71f035568201b57e3049b1ee5aa455436d72e5299373cbc04511a985672c877cba203c9f19ef543b05c30f37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000850001\RDX.exe
Filesize
313KB

MD5
f733785f9d088490b784d4dc5584ebfb

SHA1
6c073d4208fee7cc88a235a3759b586889b91adf

SHA256
e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59

SHA512
43589b18333b0edcd6e300577f86de685058df5533bcbfdd3e30497aa76176008125fbd28deecaca5e6132c42cc5c0a583c34497f40dbe4ea577333eaebab899

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000851001\dayroc.exe
Filesize
19KB

MD5
aa9bb99f42a3138dfb29b085545eef68

SHA1
6741ab65d9bb94ba0ae440c533b6650431d8cbeb

SHA256
844ae11fe27516989b880c8d8e868c862e0a201af9a0cc42c5772af765c6ebd2

SHA512
6f0f0538778cee9c31304756c566a3b57da6e5bb897919af13fae8e56236a26bdbee83628b10d574a28a9fffefb5f448c7ab209695f37b97dae27165a7c73ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000851001\dayroc.exe
Filesize
424KB

MD5
6bc31d4b7bc627a53c0a7ac2eed23d44

SHA1
8c6e6be251cfc8ed261ec8b7850a2788600ac916

SHA256
7433151983f1ca3fdd9cb4abd14f8aeec4b857d2a4a070ef95b509d2b9216aa1

SHA512
3205c86f1122caa6c509826a47a066eadfe8bf5b952691761828897c5f70e722da9dd8e868ccfa0e097c192127c8561c4e9e6dfb7a5ea589c7011c948022f1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000851001\dayroc.exe
Filesize
535KB

MD5
3258083c6b507df11b5e882dd548cac6

SHA1
621c23f57925c1f5bdead6931cc7feed7e048f7f

SHA256
3fabba7c84a5e00bc7483d007e7de829d48a035c97dcf8fb46f68a1eacbc4c6e

SHA512
6295808503a5b9aa04c2a90597354e6e510c774ca2fa920f8b944b45a442f7057fa44bdc45b3ad8e6e913c6b3874b937c54fff062b6ccc95f742b49d880c3348

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000853001\Amadey.exe
Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000853001\Amadey.exe
Filesize
159KB

MD5
2539f4b604682fdda41a99f0bb7f8bde

SHA1
96eaa2e4c3409698c1fbee599e70db7354e541c6

SHA256
5f0641098969e1a2f0068ec9b88d76c75898047d3d4f1362c31b54bce46e1975

SHA512
85419bccaf15012a192d841947e12411fb228a227d076da9fc967806893e11fd5b7f51fcdc4cf7a359723b24caff696d1145a1b9edc31f8ca93d06680252c3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000853001\Amadey.exe
Filesize
277KB

MD5
1b703627114d5f19ddfe7684c0f37f5e

SHA1
34ba77fed5168ebca92901bc493ee6f7ef68fb8f

SHA256
24673953406432e8858457d27c238611c8e603af8367ffa59e2acd45d6632b77

SHA512
c1bba227a421e45fd68e59521a9e7f566772521b078c412bcb48301de1f3e38b028914f094e65e00be3fb5d110193386855d12a27ec791afaf6a4aecc8258ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000854001\ladas.exe
Filesize
681KB

MD5
490a00b419686c25d58c9b43082d6647

SHA1
7a627ebc774598033f0799683b60d9f29244330c

SHA256
4e70d60479ea9e6b6f26b7f6fd52a1b6b0ab2a89640a1498c2123069eaa068df

SHA512
55f013b599f121bde35fbe0f40bf5769561809a24de35e695778824ca90d823fe5e09fd74c9e8559c7e1bb4e89279640db3d854f1ed09835668060e75a28e468

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000854001\ladas.exe
Filesize
767KB

MD5
3c9133aff3baede79eb940e18f23ffc1

SHA1
059e94a91464b4a617cfd9543d07b3f168dafb60

SHA256
a560f1ed5fbc086c14140ed8ed817b5914f745d87e454d91286b18c187fb658c

SHA512
096bf70180f20950529bd189ad1fb6dd1e932b51a71b49a58d2c80fc85e68cc149b4f2feb9f77631bce715b06f49a54ccc9bc2e782d6dceeba1776b6b2227c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000854001\ladas.exe
Filesize
298KB

MD5
e604c900aa0dc490733f85b54ee9a55b

SHA1
745d143d0bfed5a65faaa6ab87521499bac148f1

SHA256
27fc64881e0d5eb82a63750ba67873a1e5a229f34632e802c6150edc92292ba1

SHA512
f4756b583a0b664a46eb7925d43754c0ec051b381e85a6aa476d82a8416bbcbc6f30e820642867bbdee12ab1499d18c009553dd43eb0589d464336d596025094

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
447KB

MD5
bfce1e53acd5c9dbef30d9220f1a90a1

SHA1
39021690b839304cda63c35e69aaa34ef5aa4e72

SHA256
d3c59fd20a880b1e1f778e70aa423423ddd08045cb5b31fe887e2ead4a302fba

SHA512
04d273d5cb3eed14ce2bdb21ad7d93fb206d0bffcf34fe0d94fe8f8b72c025cde835641bcd25aceab850efbedae0b818b26de313ca864c6971d9ea852856779c

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
280KB

MD5
aa92bc7eac4d9799a3cb78351e8878d5

SHA1
6eee9392d3e2ee176974b09f00f13b0d45b38422

SHA256
dcdb886efe1d4877dfacd7b6fe1d560de6c5c4548bb43e4d0387a45d54c2ef79

SHA512
34846573ba86c1830148f50854dd67550a2c2d1ddac4fd7f889bda431506c8fcd07cfc422c7a9e35dc26cd893e325cbd72ee4fb6898414054f93cf4b0b76ddb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
298KB

MD5
d4f6663f4df4dc4b99112d78ade733ad

SHA1
83c722772cbe190d49d9c0161d1c2be9861bbbcc

SHA256
9d46f788926ede3af7f00ea6453e9421889fd08c8d2176608cac4bbb82706826

SHA512
c5fd05b781bad6ae6716fafb2dcf82d48146438eb6ef49551064a22b9c3875d497e9663cd378dbef1bdea2c5146111b104038dc5cedce0bd13cea8c28b118364

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
370KB

MD5
77c976c7cc31b6caa71b93942a5d58fd

SHA1
f717fc7db583ab6e19060afea74ffaa87eef53fb

SHA256
88fd13e64dd7cbc2bcbd96ec63887d0082e34af63f0d8aa1fe9c0f9baf0a8e57

SHA512
740e33f535205dd4f91921f3f96963dd20fc44caaf3ebe9a37d70b452f6eede9be4a139c52f62f7ab7d80873ff26b602939c66e1a084b6228e4b2a6f093ec802

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yxenqb3.nnd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
202KB

MD5
b5837bfda2d3bcfd63b066012aa395b6

SHA1
c59457bc90a21c2a05b3dd62fc9a23d642dd789e

SHA256
b013ca715a6d5a1ade110e7c098a54c350cb501b31d082ef990499f379b26d98

SHA512
2549eb4658412dd23e04db925211eec6ea21a4cd07b7ac26bb82e964fdc0d4186f448a0b714295c4e909f6e0c4c15ebd922183df0abb23afb634d7953b2aa96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
375KB

MD5
eeedac79e2e3904cf760ebd10ce40a8b

SHA1
0654a84e8c37b9fc40a86648bf75a7f84fdd2a1f

SHA256
3589814b067550d20c6be1ac914c023f60a91b4cb063579d1b01eb9bbd502049

SHA512
1b7a6e076d197cd190b07c2049236e80353b1bed1ede649bc4bd5e34076133eb4d39b4fd1e4cdc3c0394830190c6d7b949800fee5ffe0ccf6b20a1de95f68085

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
329KB

MD5
17a0ab135594615f97ae9c0fe0c3755e

SHA1
8ac6b30fe6e6fffff4c5996e8d532a50b26b6d55

SHA256
02fac9745a985b97dff33592cc047212dcb603d0f48e0d23ca72ea5ddb631c20

SHA512
7bb85eb76447829e2b82f6787dfe8d7f181a3b1b6e4e9e057cfb35359a41445550a57bbff16871d8118f2c400c53579b0d7d483d90d148d1cf1a84f9d04a953a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
388KB

MD5
7c6dbd27029c1c3c5429d65b4b391731

SHA1
a684e92c8c772bd057ad6b74381558f89489ad91

SHA256
746a13f640269995735821482dc66f75c48ab55e24961dc84f917143f6565aa2

SHA512
48b6b135696c19fee723752c6a3242646af2761f07f34debd422d65ac5685463c57be0ff95662df5da86821352f46cfa70d7fca334497778f565beec38c113ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
227KB

MD5
3bd2abe350e46a15653707aa3be31bac

SHA1
3ef10f3390b6c100bdda7a5368faf12ac9b2db2b

SHA256
f16be48d3bc74bf43068f9c49b39b219497acc29c390317ed3c3136845747d46

SHA512
c0b2a207d7b137d6ab05001d9f23029b68de045fa5328df9a921c34af306191332532f0f9d011f71e85b00cdde95768dbca15d39022e058dd919923cf5758ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
793KB

MD5
5a3924e66c52d9d97c3a79893a215eb3

SHA1
26044d6cf477b9e88860a4012e8669c17ce90920

SHA256
dd0bce209db18fd169d8183c9180882ffe095ae0cbf85bde307626cd28363217

SHA512
90e9e4f885652381a46ae2d92d2be31865602939674d206d1f79bee80db604f35691d7e629dd9839d6c1dcd8a30316ba349dec636234725dfe120fc47f767a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh171F.tmp
Filesize
64KB

MD5
03b875b1ed3f3ecf44c0cdd08bb80dd6

SHA1
82a541a6d4db45af89c17de9b8e778f5f7cb6709

SHA256
693142e6f95f2fbe4d01f89123e834f3c6d7425f4dd508f25391ca529a2d0668

SHA512
1fc0526850a9f3c7c572dcb55f0b3a683d3a63b3b5b8006328df6f29c4ad2d14fff539fd53ff487ee957ed3861bd09cad7410046daacaa8d305b459d0a60bc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh171F.tmp
Filesize
107KB

MD5
4c119a43bf6b46904dcdcfc4bdeb75e0

SHA1
2b0dabfbbf5af56dab75835262c1252566b61831

SHA256
af84fb36b6e28617d585eb0a5dbb288ee377f2adbd715a94b4c13fc4d2596e35

SHA512
70470b5c77d3468a9db37170263ea5344ef553a52b7960a93c57bce330157ffe619f3ab22d1516690cb0ce0d27293f89b21e2a7f7b8643588825a0cd9ea0bb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1038.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
171KB

MD5
4d1a4b3096f4a39f3a91df2f6efd43c6

SHA1
af7b52300363fa6f5ce8b5f99f753a9b1e0af94f

SHA256
ca5b5e71addd8a56460eefad5cd368a5f6aca71b7a2d6dcfb312f45d1ae6e20b

SHA512
d7cc6cf36fa0da5c22b531f7b3f58cbbcc206aaa47d40ebc0256fa5ede758fa7f636f9b70fa8077664067c8cbd3b38633ef2ca1e2e8e349b3b05c3cec1f8afd7

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
57KB

MD5
e782c2b0123efa714944115f0778bf7c

SHA1
406ac9362164d2081c39ad4e6676447cf36cf989

SHA256
7139d3d88aa7df1d53afa7fe238852d7d39084f14f68ef1a90a8c50c1d762931

SHA512
85c8cf9d14c816d7491ed31232ad5213bb715f2a3580c1c0a9329bd05d196a68d6fa4901611bd637ed891550a57bb66ab6650cd179bb39b6becb962eec69e7b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
55KB

MD5
1dc8a4ba900d649d79d56511a545f567

SHA1
533c518e675d5488f9445939356548b737583104

SHA256
9c2bb5ed25d1046f65c24bc20cdc48a123cc60b7c25c95538bccc5f9f0e83a40

SHA512
fe9a95220aff5471c239956be4b0bd3453556cacf2cd3bcc44f87302e9eb03d3bb8a560bfa229ab1375d01c97adaf58ba864259ab7f2653378c37d862795ba98

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
91KB

MD5
799ddf3220ca53df9c6b2d69c14df208

SHA1
7515788016f09da1f88f3ea0647397f6af2674e6

SHA256
469bce8c5f5b03fee7cd91958e2fd835f8c02facec21f296d1d81be1c3d2bc1f

SHA512
5d877c96de2f9b96960fc4d2959b0e5298b5c02b02714b9aea209fbbfe20fe79bce3e5ddc332665399449861f13c92b3fd8dca1ebc3d9ac8cf966a72c414dcd3

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
139KB

MD5
5eb192efdb8ef2a26aa0ded93e414ba1

SHA1
c45d3113ec589a14a064bfac8cad7c63d048ce1e

SHA256
c27044575266f9a2abadc5c82beceff8394c05316d5e0db3b3ff5a2d6c80f704

SHA512
dc45e14a6fdf47f94f2cab8362d292769f236c3cac036c41d87ffa097f6014a117a76a8a71506fbeb02cead27ccd5a66654f641c54f41a192fd1d7375e26e3b1

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
192KB

MD5
e7a9b390c12887390cfdab84ea27485c

SHA1
78e456debffde35c2941682cb3f808ed8ab4ff7a

SHA256
2db3c38d92f3d8035d33a825ec3abbf4ee1ebd0c2f911e6393d464c058a29e04

SHA512
f1c207d90ab9144f0b95f43bb0bb4c3fa8901282e7e6148b3231999889b9708944183bd184eb24da0cc091f084807ee22bfaaae366a084e187d2016e238e70ff

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
85KB

MD5
b4f1f7ddce974bc0df0ceb9596d40a4e

SHA1
a04d9c029482f4dcfe1d50c8b2a5fa16251aca5e

SHA256
0eae07771c58477d0115ae1ef69a9aee1f435de752e9c05b6e2a94f4fcd3fcff

SHA512
05fd0eeed25f397ff40513e84fdd08d8ddb1251c0f7eace61420c4212fe8d9758b53baeb0ae2b9bbf0b2bb2e67ed1b8c797e4490c75c67a016a9340706b01e52

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
225KB

MD5
cb27efc8a23501ec33f31993208c55b6

SHA1
01f7fd4de63a676496cf1eb923b39078f5f19824

SHA256
0be92f2868872accdc33fafaf4545153fc3f0a8744055f959218ab02e318e86a

SHA512
b99108b02417dd97fab45b493b92333d000ad48a9102495fa150ce3047fb62e62e7b6b7a5dad99543876e2c32cbdbb3b724aa26d6f9d5406b750301449ee0e4f

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
226KB

MD5
6ef8a6381615b869d5549aba67ef9153

SHA1
918b680ef2b5abb2ceb9fa02348669eaacd34a10

SHA256
4218e2415c902e5365fc0416f8c7554d20f9f933a5451cdf9e479d631a07b5c0

SHA512
a3b8ea8716798d46578c3967f55bae49af77cd64442bf7868c2a0e3eb12b138138c35f5184b70438c72154bd3cb90e72bcc99c93ceb8c8c8d0acbb60160dd8c8

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
182KB

MD5
dc2472a9146eee789748302ebd3f3aa8

SHA1
bf93e16b8e28668cf30e4c683280d630bb87286c

SHA256
a46b2258c677e2055e6922b75791346dc10c5a5832e958ec88aeccabf52dc837

SHA512
9980b7afb69531dc8d246e0bf9ac79338de03c21db10703156da57ac8489af4e72a13fa78595740de94fe1ff71cc9683918c7728d6849f22d41b682d88bb9dd4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
cf10b7c66248efab6a18b0d9909768a4

SHA1
9c70a16dfc9360b4c398761d57b56e8c7791d466

SHA256
de90be3e3411aa27da225ba74b15e44dd03d0c255a088376930dfd9635abd482

SHA512
c31ca38a3645c559be9d7c4dc29b96a648a047240166c77bf1f617e9091a2777ecea8fc1c49565cf7e194947703546bd406453c1d3276d1f4f74f206b647a9a5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
aa941362fbfe35df0b7c66970223fb6d

SHA1
de96852ea4c16147d85347f4442232c247d4728e

SHA256
dceeaf53200924012280f576a7b80a7465acf4586ee269d1183587f6fbffab04

SHA512
a4a33aed96db211caf2d968e4b2e44842e75296842e6a4ff7b5c6d020c14e14503a8546a5019899fb3a2c48224c8c76f2768bcf405af3b6f33983f6fb9dfd993

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
b8a84d9fd4df2169f984fcaa8e86165f

SHA1
2a5e056450ea079f5ff78661d4a0c4c82ef52e7e

SHA256
4ccb957c0604fa52435088934f3c1ce1f3b7d0404d3cb684d6bfd716e24639ed

SHA512
01d642358dfc87629d6988513abea238034e97db05b37f818c689e98259f12b2bea1796b5e25dd6d845bacb7b9cad95dfea4104b1eeffaa30bab9c1c601bc973

Download Submit
memory/368-0-0x0000000000D90000-0x0000000001198000-memory.dmp

Filesize
4.0MB

Download
memory/368-1-0x0000000000D90000-0x0000000001198000-memory.dmp

Filesize
4.0MB

Download
memory/368-2-0x0000000000D90000-0x0000000001198000-memory.dmp

Filesize
4.0MB

Download
memory/368-16-0x0000000000D90000-0x0000000001198000-memory.dmp

Filesize
4.0MB

Download
memory/552-52-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/552-57-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/552-53-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/552-50-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1508-255-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1508-258-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1508-262-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download
memory/1508-267-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1508-266-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1508-265-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1508-264-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download
memory/1620-88-0x00000000057D0000-0x000000000580C000-memory.dmp

Filesize
240KB

Download
memory/1620-91-0x0000000006170000-0x00000000061E6000-memory.dmp

Filesize
472KB

Download
memory/1620-143-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/1620-96-0x0000000007F90000-0x00000000084BC000-memory.dmp

Filesize
5.2MB

Download
memory/1620-95-0x0000000007DC0000-0x0000000007F82000-memory.dmp

Filesize
1.8MB

Download
memory/1620-94-0x0000000006F60000-0x0000000006FB0000-memory.dmp

Filesize
320KB

Download
memory/1620-253-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/1620-93-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/1620-92-0x0000000006230000-0x00000000062C2000-memory.dmp

Filesize
584KB

Download
memory/1620-146-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1620-165-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1620-85-0x0000000005040000-0x0000000005658000-memory.dmp

Filesize
6.1MB

Download
memory/1620-81-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1620-83-0x0000000005000000-0x000000000503E000-memory.dmp

Filesize
248KB

Download
memory/1620-82-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1620-80-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1620-87-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/1620-90-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/1620-168-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1620-78-0x00000000023E0000-0x0000000002422000-memory.dmp

Filesize
264KB

Download
memory/1620-79-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/1620-86-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/1620-89-0x0000000005840000-0x000000000588C000-memory.dmp

Filesize
304KB

Download
memory/1968-231-0x0000000004C00000-0x0000000004C98000-memory.dmp

Filesize
608KB

Download
memory/1968-243-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1968-234-0x0000000004B60000-0x0000000004BF8000-memory.dmp

Filesize
608KB

Download
memory/1968-235-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1968-259-0x0000000002820000-0x0000000004820000-memory.dmp

Filesize
32.0MB

Download
memory/1968-263-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/1968-247-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1968-233-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/1968-244-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2148-166-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/2148-172-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/2148-169-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/2404-152-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-162-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-198-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-199-0x00000000012E0000-0x0000000001300000-memory.dmp

Filesize
128KB

Download
memory/2404-163-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-159-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-161-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-151-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-160-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-157-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-156-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-197-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-154-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-153-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2404-158-0x00000000009B0000-0x00000000009D0000-memory.dmp

Filesize
128KB

Download
memory/2604-251-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/2604-254-0x00007FFAB1580000-0x00007FFAB2041000-memory.dmp

Filesize
10.8MB

Download
memory/3436-195-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3436-196-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3436-194-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3436-189-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/3436-269-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/3736-341-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-305-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-294-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-307-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-297-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-295-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-344-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-299-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-318-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-303-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-301-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-330-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-337-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-335-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/3736-333-0x0000000004FC0000-0x0000000005165000-memory.dmp

Filesize
1.6MB

Download
memory/4304-230-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/4304-97-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/4304-84-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/4304-19-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/4304-18-0x00000000002B0000-0x00000000006B8000-memory.dmp

Filesize
4.0MB

Download
memory/4720-45-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download
memory/4720-46-0x0000000004D90000-0x0000000004E0E000-memory.dmp

Filesize
504KB

Download
memory/4720-41-0x0000000004C60000-0x0000000004CDE000-memory.dmp

Filesize
504KB

Download
memory/4720-42-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/4720-43-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4720-44-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4720-47-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4720-55-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/4720-58-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/4924-268-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4924-260-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/4924-141-0x0000000000F10000-0x0000000000F62000-memory.dmp

Filesize
328KB

Download
memory/4924-142-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/4924-145-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4924-144-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download