amadey | f9f47e6c68eda38d13f3166cf64fb0401bb53cbbc0372e4759ebe7e77c760ad1

Analysis

max time kernel
116s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
Size

307KB
MD5

0f37164cab5555009bb737a04cc0c67e
SHA1

fbf04169c2f96d227f093f9fb4723babc6afb237
SHA256

f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a
SHA512

a8e3e1fcdbe4acd35d5716cf88f548688be377db0e2b209611e462d51eb3244de160e077a71dcd82eb8fd0445fd48dcc39698ed582fed2026d47672d09fb5bfa
SSDEEP

3072:jIT4gG9rAkOrC2nm+BcKEEXqiYtEe2Htl2795TyHofBRTHoN4ICRpiMRigYnh:s0bImCqCNHuI6kGIasMRs

Score

10^/10

amadey glupteba lumma smokeloader stealc pub1 backdoor discovery dropper evasion loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

lumma

https://herdbescuitinjurywu.shop/api

https://relevantvoicelesskw.shop/api

https://resergvearyinitiani.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4528-86-0x0000000002F20000-0x000000000380B000-memory.dmp	family_glupteba
behavioral2/memory/4528-101-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4528-395-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4528-398-0x0000000002F20000-0x000000000380B000-memory.dmp	family_glupteba
behavioral2/memory/4528-400-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4528-453-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5028-583-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5028-716-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

7AB.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7AB.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1840 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7AB.exe

pid	process
1840	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7AB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7AB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7AB.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84FC.exeEasyAppns.exeInstallSetup_four.exeu1a4.1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	84FC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	EasyAppns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	InstallSetup_four.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	u1a4.1.exe

Deletes itself 1 IoCs

Processes:

pid process

3352

pid	process
3352

Executes dropped EXE 16 IoCs

Processes:

461C.exe84FC.exeInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exeEasyAppns.exeapril.exeapril.tmpEasyApp.exeflashdecompiler32.exeflashdecompiler32.exeu1a4.0.exeu1a4.1.exe288c47bbc1871b439df19ff4df68f076.exeE9E1.exe7AB.execsrss.exe

pid	process
4312	461C.exe
3612	84FC.exe
1660	InstallSetup_four.exe
4528	288c47bbc1871b439df19ff4df68f076.exe
764	EasyAppns.exe
1020	april.exe
2304	april.tmp
4080	EasyApp.exe
4040	flashdecompiler32.exe
1724	flashdecompiler32.exe
1552	u1a4.0.exe
2380	u1a4.1.exe
5028	288c47bbc1871b439df19ff4df68f076.exe
1660	E9E1.exe
1148	7AB.exe
3732	csrss.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

7AB.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine 7AB.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeapril.tmp

pid process

4460 regsvr32.exe
2304 april.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	7AB.exe

pid	process
4460	regsvr32.exe
2304	april.tmp

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7AB.exe

pid process

1148 7AB.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe

pid	process
1148	7AB.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 3 IoCs

Processes:

7AB.exe288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	7AB.exe
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3272 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3272	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2160	4080	WerFault.exe	EasyApp.exe
4392	1660	WerFault.exe	InstallSetup_four.exe
1136	4528	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
1520	1660	WerFault.exe	E9E1.exe
636	3408	WerFault.exe	RegAsm.exe
2972	3408	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u1a4.1.exef995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe461C.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1a4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1a4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	461C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	461C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	461C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1a4.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u1a4.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1a4.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1a4.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4556 schtasks.exe
4640 schtasks.exe

pid	process
4556	schtasks.exe
4640	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	288c47bbc1871b439df19ff4df68f076.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe

pid	process
4376	f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
4376	f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe461C.exe

pid process

4376 f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
4312 461C.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	4528	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	4528	288c47bbc1871b439df19ff4df68f076.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	1136	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	3352

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u1a4.1.exe

pid process

2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u1a4.1.exe

pid process

2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
2380 u1a4.1.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3352

pid	process
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe

pid	process
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe
2380	u1a4.1.exe

pid	process
3352

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe84FC.exeapril.exeEasyAppns.exeapril.tmpInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exe288c47bbc1871b439df19ff4df68f076.execmd.exeu1a4.1.exe

description	pid	process	target process
PID 3352 wrote to memory of 4312	3352		461C.exe
PID 3352 wrote to memory of 4312	3352		461C.exe
PID 3352 wrote to memory of 4312	3352		461C.exe
PID 3352 wrote to memory of 4728	3352		regsvr32.exe
PID 3352 wrote to memory of 4728	3352		regsvr32.exe
PID 4728 wrote to memory of 4460	4728	regsvr32.exe	regsvr32.exe
PID 4728 wrote to memory of 4460	4728	regsvr32.exe	regsvr32.exe
PID 4728 wrote to memory of 4460	4728	regsvr32.exe	regsvr32.exe
PID 3352 wrote to memory of 3612	3352		84FC.exe
PID 3352 wrote to memory of 3612	3352		84FC.exe
PID 3352 wrote to memory of 3612	3352		84FC.exe
PID 3612 wrote to memory of 1660	3612	84FC.exe	InstallSetup_four.exe
PID 3612 wrote to memory of 1660	3612	84FC.exe	InstallSetup_four.exe
PID 3612 wrote to memory of 1660	3612	84FC.exe	InstallSetup_four.exe
PID 3612 wrote to memory of 4528	3612	84FC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3612 wrote to memory of 4528	3612	84FC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3612 wrote to memory of 4528	3612	84FC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3612 wrote to memory of 764	3612	84FC.exe	EasyAppns.exe
PID 3612 wrote to memory of 764	3612	84FC.exe	EasyAppns.exe
PID 3612 wrote to memory of 764	3612	84FC.exe	EasyAppns.exe
PID 3612 wrote to memory of 1020	3612	84FC.exe	april.exe
PID 3612 wrote to memory of 1020	3612	84FC.exe	april.exe
PID 3612 wrote to memory of 1020	3612	84FC.exe	april.exe
PID 1020 wrote to memory of 2304	1020	april.exe	april.tmp
PID 1020 wrote to memory of 2304	1020	april.exe	april.tmp
PID 1020 wrote to memory of 2304	1020	april.exe	april.tmp
PID 764 wrote to memory of 4080	764	EasyAppns.exe	EasyApp.exe
PID 764 wrote to memory of 4080	764	EasyAppns.exe	EasyApp.exe
PID 764 wrote to memory of 4080	764	EasyAppns.exe	EasyApp.exe
PID 2304 wrote to memory of 4040	2304	april.tmp	flashdecompiler32.exe
PID 2304 wrote to memory of 4040	2304	april.tmp	flashdecompiler32.exe
PID 2304 wrote to memory of 4040	2304	april.tmp	flashdecompiler32.exe
PID 2304 wrote to memory of 1724	2304	april.tmp	flashdecompiler32.exe
PID 2304 wrote to memory of 1724	2304	april.tmp	flashdecompiler32.exe
PID 2304 wrote to memory of 1724	2304	april.tmp	flashdecompiler32.exe
PID 1660 wrote to memory of 1552	1660	InstallSetup_four.exe	u1a4.0.exe
PID 1660 wrote to memory of 1552	1660	InstallSetup_four.exe	u1a4.0.exe
PID 1660 wrote to memory of 1552	1660	InstallSetup_four.exe	u1a4.0.exe
PID 4528 wrote to memory of 4384	4528	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 4528 wrote to memory of 4384	4528	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 4528 wrote to memory of 4384	4528	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1660 wrote to memory of 2380	1660	InstallSetup_four.exe	u1a4.1.exe
PID 1660 wrote to memory of 2380	1660	InstallSetup_four.exe	u1a4.1.exe
PID 1660 wrote to memory of 2380	1660	InstallSetup_four.exe	u1a4.1.exe
PID 5028 wrote to memory of 4704	5028	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 5028 wrote to memory of 4704	5028	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 5028 wrote to memory of 4704	5028	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 3352 wrote to memory of 1660	3352		E9E1.exe
PID 3352 wrote to memory of 1660	3352		E9E1.exe
PID 3352 wrote to memory of 1660	3352		E9E1.exe
PID 5028 wrote to memory of 3260	5028	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 5028 wrote to memory of 3260	5028	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 3260 wrote to memory of 1840	3260	cmd.exe	netsh.exe
PID 3260 wrote to memory of 1840	3260	cmd.exe	netsh.exe
PID 3352 wrote to memory of 1148	3352		7AB.exe
PID 3352 wrote to memory of 1148	3352		7AB.exe
PID 3352 wrote to memory of 1148	3352		7AB.exe
PID 2380 wrote to memory of 1136	2380	u1a4.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2380 wrote to memory of 1136	2380	u1a4.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 5028 wrote to memory of 5076	5028	288c47bbc1871b439df19ff4df68f076.exe	Conhost.exe
PID 5028 wrote to memory of 5076	5028	288c47bbc1871b439df19ff4df68f076.exe	Conhost.exe
PID 5028 wrote to memory of 5076	5028	288c47bbc1871b439df19ff4df68f076.exe	Conhost.exe
PID 5028 wrote to memory of 4996	5028	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 5028 wrote to memory of 4996	5028	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe
"C:\Users\Admin\AppData\Local\Temp\f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4376

C:\Users\Admin\AppData\Local\Temp\461C.exe
C:\Users\Admin\AppData\Local\Temp\461C.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4312

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\502F.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\502F.dll
  2⤵
  - Loads dropped DLL
  PID:4460

C:\Users\Admin\AppData\Local\Temp\84FC.exe
C:\Users\Admin\AppData\Local\Temp\84FC.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\u1a4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1a4.0.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\u1a4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u1a4.1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1016
    3⤵
    - Program crash
    PID:4392
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:5076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4996
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      PID:3732
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:564
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4556
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2892
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:4040
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4640
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:560
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 900
    3⤵
    - Program crash
    PID:1136
- C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Public\Music\EasyApp.exe
    "C:\Users\Public\Music\EasyApp.exe"
    3⤵
    - Executes dropped EXE
    PID:4080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 424
      4⤵
      Program crash
      PID:2160
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\is-TVK49.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TVK49.tmp\april.tmp" /SL5="$C01C6,1485356,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -i
      4⤵
      Executes dropped EXE
      PID:4040
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -s
      4⤵
      Executes dropped EXE
      PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4080 -ip 4080
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1660 -ip 1660
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4528 -ip 4528
1⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\E9E1.exe
C:\Users\Admin\AppData\Local\Temp\E9E1.exe
1⤵
- Executes dropped EXE
PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1132
  2⤵
  - Program crash
  PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1660 -ip 1660
1⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\7AB.exe
C:\Users\Admin\AppData\Local\Temp\7AB.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
PID:1148

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
  2⤵
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 828
      4⤵
      Program crash
      PID:2972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1252
      4⤵
      Program crash
      PID:636
- C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe"
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\u3xw.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u3xw.0.exe"
    3⤵
    PID:228
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:4460
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:4124
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:1388

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3408 -ip 3408
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3408 -ip 3408
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
832KB

MD5
40ea9529248f16608cdcca2ea4ddeba5

SHA1
b8ac52fcf95aa38ff1187110faf6d140eaa3b12b

SHA256
e6046e64f21b746d708694015756174d319caf1981b7096480df333e66c5dd8d

SHA512
e34c255d7be7fb057a9cf01ba5bc21dde6f7a1b2e1bad56da4b270ef7fbcb01a6af65c52e18e1062a78a78a8193fd991d5dd0f48ef13e706c2e60ed5e77b7ceb

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
1.1MB

MD5
deb198ca1ce7e825f6675604a1745c46

SHA1
cc32febaedc64217b5c809fb56bef968ed306270

SHA256
d4c1108c3342f05c53d9b2a71a5435303f0f4d3bda9f5ab85c21698a6142e560

SHA512
886a2e87424abc03fe7eaa92d7f3c5330a52df52a5d436e11ffdd7547e174e0f8df9184505b862b77c4662b04afdafd7af747cdf676ebcae9390ddf8593afb92

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
832KB

MD5
1098d5917275976046ebbdcae1421a94

SHA1
cdd6a4082e8ef0586e96c794241892ddafe962ff

SHA256
9cd7337e0575631b2d053386de592a80e02ec166bbd98b398346b726ff8bd158

SHA512
9a10f111d003136511404e7ba002c45a98ee6a795c3384dc7d9f3455490698a2c8a1434fae58bcb9f181b0b11431068416681f8a88d5472d2466eacd292a4378

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
576KB

MD5
27af71172da8736647dbdaeee9d42001

SHA1
0899fd8c46f62f1ea3bd4bf99f3b6888eb5b9564

SHA256
411e42551d70016666a05c01636974ea476e66f3c33f6f0516c4e707dcfdf4b2

SHA512
afe0a34d2275392d4fb85b598a4d9f1d77308939af3ed07da5a330740b0e4eca6c57a81e2d1ed527361f43bfdeda208e68fddcbe4751444b3676901539f9b205

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
b6042f0984c283f28b8b78cece2a1c54

SHA1
867568b9bf1f2975516c88255386f3e1352a746d

SHA256
285601c9d8ba5030cb23a22f0f78ead412ce73b55ed978137a8f66015ea6278a

SHA512
e97d24e60777bbb84b8fd8617c331904dfa115fb5c01e317a8ce861a6b79b253b21c8adc7dec68e6af57b2e86d8a64b173cd31d9d9694385de8c4514a61c8520

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe

Filesize
350KB

MD5
04df085b57814d1a1accead4e153909e

SHA1
6d277da314ef185ba9072a9b677b599b1f46c35b

SHA256
91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

SHA512
f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe

Filesize
409KB

MD5
83a54df2b454eb462579a74f05fc6c9f

SHA1
5e235c7174c3dd9979b7a8ad7eaf596775f2d6e2

SHA256
cf7efb0f59fd6d747dcc6114019e6fcf797eb9a54e2706520557799fc18fc5e4

SHA512
b862d9799791f9f5a28dc9a848486e8c5000d1425546200f8be9fa31d597fc8864172ba01c8ffc851aac8ff366d8b1f363bcd3ab57c7a3f926f4638904872dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
3.7MB

MD5
923b85d270c3333fbb3f87f0a122bf30

SHA1
12565527612fc3c6527896562aa88cecb3341e48

SHA256
8db4c13210245f6b059dfc1695f63e505469da793a5be394b44e9170637bf00a

SHA512
8ae0605497a99eb16a89d3860f093715e54dcafa00b3d091ebefde7ee33372c691dc6ffdf15b2d842a1f3e273f936982d898474e30cfaaf33589c99c2394aa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.3MB

MD5
43fae533c2b520dfda0c1abc27177ebd

SHA1
ae04e6d9f21300a5bfe2c33a1380392481bf5976

SHA256
16ca08c4d54425386fd6145677ae0b0e9602eaa4f86bcb2faf14a3778048fa16

SHA512
a8f580dfc80cd33402fb84f02bfaac85c1bce582aa861637a1efa2c0fa88a3a3ca5211c9b35f8cea4d676e252346235e26afc40ea27828d7c2210ab166a693ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.2MB

MD5
cafa59a8d60d947bb682549267b2c66f

SHA1
131a987ab0dbccc6e6a5dd6e5fa8f42a2d388b0d

SHA256
e18beb5decac38e988eac0197d90be88761449a5e9abd66766c1dcb861b49d91

SHA512
6ea5174b52ea67c471c2b40e4637d9d6fd194b691c8d9ebcdc1ca6127294a36779c309a60b6f9ed3664114b6e7479e9abd4743f5821b30af34a3f3f8b283292e

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
576KB

MD5
76682faaf6357ad3fa0806ab4e1f7f56

SHA1
91162c6a18ea5276b55a226c17262050746eb2be

SHA256
b5ced11fc898657874e3098be96b6a4f204c0208b6d62c73cbb38bbe0f290e44

SHA512
f468e81d0aca685f832aba6813c3bef80e2dd6da6ba8d074cb96819974cd4f2434f082f63a82660d68028c7cf6ae90f8c2d1c4af7fa9d98565a61f22703c6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\461C.exe

Filesize
230KB

MD5
60cfb7d9800c28666f19a6be76994545

SHA1
e5b1fbbfa182239425d9b6f12beabdd1f5b1096f

SHA256
2c72c603a6c9992c0f190e65ffc1290f00d31945804750f14d8b3596b9745758

SHA512
7f4231056c76951d693815c4d22aeb8db765d50db7e073b4d7ed839f1fb501074496f05d5e89aa6fea5c90a1c7a1aa35259df95c8481d1ff8e8a8be18221e9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\502F.dll

Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AB.exe

Filesize
1.4MB

MD5
5a380efa9558d9e1a3a72f4e334e3aac

SHA1
4e969aed532de9467b7726ae9dd648fd075c9d6b

SHA256
25dd555f513ef9ad7a543a935362cf945564d22b2884ea9d965956ce01d2b998

SHA512
941720a93c73866b2338e25b24834c00517034d5d60ffffddfdc76b6a9071b41069ed28433b9b449ec8b7e1225c5b241ffa8a77ccf94560c47a31d742e68e74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AB.exe

Filesize
512KB

MD5
e360fd2a5bbe1e73f63c8b77506d45a8

SHA1
e9cb4241c7309fe3d73e6a1f8ff65df4c8a3d17b

SHA256
d8b1f2efbc440d7387f4aaf35a0b6078524c6d6bdce196d161d89df3777891b9

SHA512
1456e3e3c0a1b6fa6b45d7a31963db6104e4aeb1fbcceaa0b22653f23d7234aa6c218be913512e2996e02eead977044c6b09ccd35a1fa01b777369ff1945a985

Download Submit
C:\Users\Admin\AppData\Local\Temp\84FC.exe

Filesize
7.2MB

MD5
5eb23b5f7ea35da055fbf010ae00e01f

SHA1
a7d8c4fd57463ebe20952a0ddb25d647da700cc3

SHA256
fdfc254cf83ffbfd643d799b843c535b794b3116e2d9d1122513be8bf787a4b3

SHA512
2cbfb3cf57dca8956b8ef767e3b01a279d98cc3712d5722ca86d105a67deb5f5204a2ecfc0dce6c6d6aa50b13e6d48ef442a1657acc40b4ca249d950f7683096

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9E1.exe

Filesize
1.9MB

MD5
d2aa75c6d4166d2bcb768073c8cf6bdd

SHA1
66464de9509b2a578fa01fe1f32df2ecfca7d9cc

SHA256
8bac8ff2f8f02e4d2263159d78452b0bfc91c1b3d72e83dd7855780da8a24ddc

SHA512
7d208e25e6d2befad4cd1d80ebf7f165375fc8b8b4183338931ded5decffdff95bc303d2fdac51e174ef09d3daf188a73a26d9c77f67f13dbd4ccfc375a7761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9E1.exe

Filesize
254KB

MD5
2cdfdc1482a085221dfb91e49f5d0512

SHA1
846d4d52380e47a52fee1ce35df1bfe4b7943809

SHA256
62cb9c00dd047653ce40c4bd8f7e44defce868190ef65a82f5df2fbe9eea4ee6

SHA512
f5d29c9e7358364124290515e31844bb8d34325422090eb22b54ea14bd51a02ea44332ab52dfff771f40180c9c9a17b81f32c3d12c7e1f595120163b46f7e8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
384KB

MD5
11b5924c0dc4e2d63207500634709d56

SHA1
68ec7940876513a7129c3f500b5341a9f6d8b89d

SHA256
fcc6be5bb062de91fba746c90e77d0117bdeaeb6d2cdad29e2dca07285c24b5e

SHA512
fcda1d57b6c4eb45b5d2eb59b06ce02d6d4f2ba5d2d59766252b1fea75c1341c3e3f9b8ac7a04179ce7f8cf4d4c03e74ce464dd7bf64aab636b8280a7b757eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
988KB

MD5
065760220981039db19b9701aaeffddf

SHA1
318170b5ca3673cff578d89b7de116f9d6fcd961

SHA256
cac5a59708cebec195aed03baf2c20b32b277ea73738d054ba40a072719160bf

SHA512
81bb505365d1a10dd902f76b24ec111b519d17c0ede500b5c47d6eab9f187f95ac2897b09e7004762455a17cfb068a47c854fd9c29957e13832bb108a6385895

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
404KB

MD5
383c48c7f64a6867db5b8577fa3abfbf

SHA1
926911f9581df56f5ac38fac01f6d45acdfb7dbd

SHA256
9b37a304f33bda4707c0dae60a20ac7c76c75752b0d06ad9fb2d6f07f8edd1b9

SHA512
53b5d42ed93ad6f1163ed00be8cd1b66d367fadf25853c16d8c6fb710f69d9e8a32cb85d0dbf36d95c85da16b214de2a564bc0750c264bb0547dd8910a6f4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0r3ueqmc.i4s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
307KB

MD5
21ee4573c7d89e4d19f6d268589e20fc

SHA1
912e5619aca90cf31ff577612a2c5a8ae133ec23

SHA256
ec897b040011c362e3072e3a8f8dc0370e7340d8e82d8a7d746a2e2da5ee10bb

SHA512
0f9735f7b347be24a0bd54f68951dcdfe245d4bf7f7990cb74aa2f2c7dd24dda3a961e0717b36a8ec178e47e5ff4aeef3eae9143cf80d9082970b30f62869fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
64KB

MD5
e34040252b9ce715c65088975050a38e

SHA1
4588bd254369d7865925292d799495a063ac1d66

SHA256
f8acdf993bb608309870b023597b43c0a4520507cbb888467b2618e4a1a35415

SHA512
3f1d0dad6b2b5e85031f226d6f5f9956f295b11265692665689bcc94b5067fe6d609b444a3069a7382112e7e50e3145c574fcc01f22a8072bdf7f9d38599dea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
5ef2daafe188d45f7630265b6d119ff1

SHA1
b19cf199dd18a3589366f95a68ec588360994eee

SHA256
3b912815cdc4dbe68ad949b73d21f9c8bda0fa6070e0804587a9304bc4580f48

SHA512
34075ce9d355659d748a862af794ac53337b38945e861e972fe5722fe7c4c09ff404762cba238653a7b7a360885e50220d6b99d5038dc00ae793c391587a239b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
4d0305c93378c7584c5f39dc21dbd84a

SHA1
96e88a5acbc405ecfa63504c86eb495c57ae3eb3

SHA256
a042cf97c0c2244105f84de628c985a97fb7aa66325606da4398eccc580e60df

SHA512
d82734f86c0f552a0f113aa32d8f9d253c7093f1ff507bd0af964867577cdab525108c5a4e760ed9d4a487cbf19bf2ddd4f49c483702a180ab728edfce84ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9JKVB.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TVK49.tmp\april.tmp

Filesize
677KB

MD5
8519bfba2d14dbdca979e73c62ed4b46

SHA1
388030278d4f7e4d88754adc3ff95df54e01eda9

SHA256
6848c671e27c33dd065e1d70c9be0a4205ad69ec9b4b4b356d03eb8dc73ddeb5

SHA512
a1bfd50e48a82f7b100de76674a082eb77ac385b7ccc5ba574f45b97e2e4a992541a992b979b266b9e6bd27eddec02f943b776ed0210d5b788954e15463921aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1a4.0.exe

Filesize
261KB

MD5
117317fbb36d19cd13ec4ad689003337

SHA1
255559041e48bf87b5409d62da5bdb93e4933c8d

SHA256
afd1ac557f3abeb5bb9a8358f0a3b06e5d276ff7b478b768af4d34af6e15cba2

SHA512
1c035c63157a3bb6cb00b9e3c2e6ea9af15b8b8edb3a6a34eb2a2530a3d080a37f806a6b2045bb68ede64373cb85b18b1e8632a331ad5448e9e77ffdd2801e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1a4.1.exe

Filesize
1.4MB

MD5
5ac226b79dbc538d948a422b0da803c2

SHA1
ad981113bf43ee0b347f3a0e881496cec0816173

SHA256
615bff877e3efdff24f95f948a536a1f72bee2ad4043e31e1d58cf67f41e0d3e

SHA512
44e46d1a59f18a87b220c7ef1dfcfeb19a8eefb046e64affd6f16e74e733a76075a5f091152656b72cb3f14b25a03d8aa512b44c3e7ddd0d862bab210930de36

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1a4.1.exe

Filesize
1.4MB

MD5
b2c7714ba6d7ec1a911ae4c8c11156c8

SHA1
85faf4b120c5f2b137613000e98e327026967446

SHA256
d657a1570bb70bdbc6990ef8eca015800e3c631f9fab4fe8c2bf4c64d8469373

SHA512
10e2f3400d8ab1d84b2bbbcfcf529cf3af9f36d41c025cc5453ef549dc01d7cc19de4bab6d1c23fc7c4ce3cabaf89bee5d29bad088c7ca2ca23fe403392fc326

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1a4.1.exe

Filesize
1.6MB

MD5
ba99609289551f8477045a61c4587ddd

SHA1
799147468f90735d819c2086dd345a9106f458b4

SHA256
c5e55096abe3eb2545b98573f8a9610bd9976ad3f57d7d4796329ab466c71d0d

SHA512
f44cff38ea4eee09af8508579df9170cd6b65876030ddc5710ffe0d250ef556c29e5839775fda72c0be3e47af263d2d08f5dd86a43973d2ae5b5b94febbaa39a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Public\Music\EasyApp.exe

Filesize
341KB

MD5
0e49e66fd0e90ac46ad9f027df419048

SHA1
357559abc784e69245db2e4302c838913df618b2

SHA256
599fbee1c0335d5f8efae7ed35eed9700001841005158a1c8c6648b53a6e4bda

SHA512
38aa37d633795de8ad65749a11da261e9f3aa2e1f285cd95e89a895c76e28a7d1fb72e87776013e8b508b9201d1b7ce92462c85cb4e3d55d5cf9b5a802479fed

Download Submit
C:\Users\Public\Music\EasyApp.exe

Filesize
192KB

MD5
922e9bd10aa9555b696b43d24027234b

SHA1
03f176287383b885b927028baa6e34e57a84bc70

SHA256
2d05d884a7e2a031bd3334f36eef3d172b9a25a9c2dc9222fe52eed5e3c6ea72

SHA512
a633ba9061ed501408fd497c7b7e52e91be051931ea80cb54ac5010cfe944197aab6bb28d992dccb9f3649e934c0ed8d5895db2e38f1d8b80dee2d5668011e30

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d7121823b6c6dedcba0ac075c34d2569

SHA1
44698ca2dd9b08165ef7d18a2fb69e5fae8822a5

SHA256
43d6a77617fb6a54e8ced7f6fa81eacb6324771477d0a748ae9a26e909650d2f

SHA512
e88575bd6beab085c53f9c2a3fcbfaf86bf149906e0bf66f1d58d4002e9008c2312a9b35d06487e20948cfaf0f666dcb3c79285881c8b095cfc15f00b78708a4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
42e0461d4a6e68d5c3d648d8a83358cf

SHA1
0d7f875abacac488ec690f95308e7fee89b4222c

SHA256
1c6ea534d50cafc947b7d82a1c4a1c17ba634e20417ce4f5d112ff3e2f0bed60

SHA512
1b89102ad57cf7fb8df59de9915a5aa339c8c9616535d2a3571462c179306158a8327cc9eeb70a904a16322f65385a0f60e48fd1f9d8f07d93aa8a4249906a5b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0cb1c418d87cf32a3837657c4b1841b1

SHA1
f9ae17288d245b9855dd16dd01d42c11961f4a8d

SHA256
83149d9921dffa5455c3f6bbc650afa4eeb8ffb49bd510de540b9425981bb96f

SHA512
e97df3d7c3118f8305de0159a7665b3535c8353237731300d9687bfedfadbc57e690954d5f1840d21612cb772d2ffdf461b4852ba714f30adefa9d82db91b475

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6e50a5efb70ebe797b08ebc5c162e193

SHA1
47948cf6f304031e259fe78e145ba2ab24456fda

SHA256
22d541d18df6add45d472e38d8ede028b8b080bc4f92d569c7fe2f1ccf1a3166

SHA512
1a483cfa90dec6ec085ef16a10addda273f8fe8cdf76dd9536bfa003e72e740f31d2de8636194ae4742fc6d195f6c63d1192a2f2acf54f544136e1df35cf681c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ec9108c056f845da49c89a48fbd23221

SHA1
9cfd8d068bca19e8b81e5df03e1f891ffd317fea

SHA256
98d6f9b2cdc3c4cc61405f225ca1ca1aa7bed8806a55aece74b03dc03e68f0b4

SHA512
27959a23a9e34987ca1e8d1ee960c55e27148f68ed9632aa8f6be71749d3c82ac87fcc77fe835df5d4e5df0cd6c03218773de573a41cbfcee9a3280fcbd9329a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
3.1MB

MD5
c391fca4149be8a8fbca1f957fc42092

SHA1
945e7b4365d77e707d0331eab7cd99b521d000e9

SHA256
052a030b677160621a73979a46e315413d265c1fa7bd2cf6cbb1564a148d3f9f

SHA512
9ac73ba465723500ab6e57b6e64ef6df272f56f85f59cbacd3246a6a74ea469b7ca9ef675b90169e2191cd2c2ad6c2c442efa72835b1f030ca71e6b7763bfdcd

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.6MB

MD5
2b0c5342e354ee156048ac044cbaee5a

SHA1
b42a340511dd534a859f2cdb6defbc5c2bddd0cd

SHA256
95c152e81924794ebe7b4fd592254cb9f6e0372b092193cb37c3faf3b252a5d4

SHA512
6035105170d1f050aea69bba2953170f545797634eb92cf452be310f0c509deea413ab5b053cf2e1f6cd6c4e7535ddd1b1f6fe1687c37f9fc87a83c8e6816cbb

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1020-79-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1020-372-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1148-626-0x0000000000D50000-0x000000000120D000-memory.dmp

Filesize
4.7MB

Download
memory/1552-447-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-667-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-557-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-456-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1552-362-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/1552-363-0x00000000008A0000-0x00000000008C7000-memory.dmp

Filesize
156KB

Download
memory/1552-364-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1660-365-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1660-69-0x00000000021D0000-0x000000000223F000-memory.dmp

Filesize
444KB

Download
memory/1660-366-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/1660-536-0x0000000000350000-0x00000000006F6000-memory.dmp

Filesize
3.6MB

Download
memory/1660-65-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/1660-420-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1660-78-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1724-421-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1724-457-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1724-636-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1724-352-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1724-539-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2304-397-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2304-142-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2380-540-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2380-413-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2380-585-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3352-25-0x00000000030D0000-0x00000000030E6000-memory.dmp

Filesize
88KB

Download
memory/3352-4-0x0000000003570000-0x0000000003586000-memory.dmp

Filesize
88KB

Download
memory/3612-83-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3612-39-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3612-40-0x0000000000F40000-0x0000000001680000-memory.dmp

Filesize
7.2MB

Download
memory/4040-344-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4040-347-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4080-349-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4080-348-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4080-393-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4080-341-0x0000000000720000-0x0000000000768000-memory.dmp

Filesize
288KB

Download
memory/4080-338-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4312-16-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/4312-27-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4312-18-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4312-17-0x0000000002280000-0x000000000228B000-memory.dmp

Filesize
44KB

Download
memory/4376-2-0x0000000002EF0000-0x0000000002EFB000-memory.dmp

Filesize
44KB

Download
memory/4376-5-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/4376-3-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/4376-1-0x0000000002F00000-0x0000000003000000-memory.dmp

Filesize
1024KB

Download
memory/4384-439-0x0000000007680000-0x000000000769E000-memory.dmp

Filesize
120KB

Download
memory/4384-425-0x0000000072390000-0x00000000723DC000-memory.dmp

Filesize
304KB

Download
memory/4384-442-0x00000000078A0000-0x0000000007936000-memory.dmp

Filesize
600KB

Download
memory/4384-443-0x0000000007800000-0x0000000007811000-memory.dmp

Filesize
68KB

Download
memory/4384-444-0x0000000007840000-0x000000000784E000-memory.dmp

Filesize
56KB

Download
memory/4384-445-0x0000000007850000-0x0000000007864000-memory.dmp

Filesize
80KB

Download
memory/4384-446-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/4384-376-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/4384-448-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/4384-451-0x0000000071A70000-0x0000000072220000-memory.dmp

Filesize
7.7MB

Download
memory/4384-375-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/4384-399-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4384-374-0x0000000005220000-0x0000000005242000-memory.dmp

Filesize
136KB

Download
memory/4384-401-0x0000000007470000-0x00000000074E6000-memory.dmp

Filesize
472KB

Download
memory/4384-392-0x00000000066A0000-0x00000000066E4000-memory.dmp

Filesize
272KB

Download
memory/4384-370-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4384-371-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4384-368-0x0000000071A70000-0x0000000072220000-memory.dmp

Filesize
7.7MB

Download
memory/4384-369-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/4384-367-0x0000000004B90000-0x0000000004BC6000-memory.dmp

Filesize
216KB

Download
memory/4384-440-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/4384-388-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/4384-429-0x0000000072510000-0x0000000072864000-memory.dmp

Filesize
3.3MB

Download
memory/4384-441-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/4384-423-0x00000000076A0000-0x00000000076D2000-memory.dmp

Filesize
200KB

Download
memory/4384-416-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/4384-422-0x000000007F6B0000-0x000000007F6C0000-memory.dmp

Filesize
64KB

Download
memory/4384-418-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/4384-387-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/4384-382-0x0000000005B10000-0x0000000005E64000-memory.dmp

Filesize
3.3MB

Download
memory/4460-23-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/4460-29-0x0000000002750000-0x0000000002873000-memory.dmp

Filesize
1.1MB

Download
memory/4460-22-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/4460-34-0x00000000022A0000-0x00000000023A8000-memory.dmp

Filesize
1.0MB

Download
memory/4460-33-0x00000000022A0000-0x00000000023A8000-memory.dmp

Filesize
1.0MB

Download
memory/4460-30-0x00000000022A0000-0x00000000023A8000-memory.dmp

Filesize
1.0MB

Download
memory/4528-453-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4528-86-0x0000000002F20000-0x000000000380B000-memory.dmp

Filesize
8.9MB

Download
memory/4528-101-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4528-373-0x0000000002B20000-0x0000000002F1F000-memory.dmp

Filesize
4.0MB

Download
memory/4528-84-0x0000000002B20000-0x0000000002F1F000-memory.dmp

Filesize
4.0MB

Download
memory/4528-398-0x0000000002F20000-0x000000000380B000-memory.dmp

Filesize
8.9MB

Download
memory/4528-400-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4528-395-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5028-583-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5028-455-0x0000000002A80000-0x0000000002E84000-memory.dmp

Filesize
4.0MB

Download
memory/5028-716-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download