amadey | e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
Size

231KB
MD5

2334b1e2f8d58a4b1baa904c359ebf91
SHA1

9fd9f700d8a23375b5b2204702146c13402e590b
SHA256

e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317
SHA512

65afbed0c0d80a298e34369bb0f04bc3ac2abe1f861bc052e3b11714ecc3e6e0ae6a9f84d440ec68f63a4a32f4c5564b5705fa97192fb8856a0192fb93ca5897
SSDEEP

6144:bm6z4HbT8z7f09l/hh3UfPlQk9vsGPaXzbHszA:C6z4Hn8z7faRHklQkRsys/iA

Score

10^/10

amadey glupteba lumma smokeloader stealc pub1 backdoor bootkit discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

https://herdbescuitinjurywu.shop/api

https://relevantvoicelesskw.shop/api

https://asleepfulltytarrtw.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2680-94-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral2/memory/2680-229-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2680-398-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral2/memory/2680-423-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2680-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2680-543-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2680-554-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4324-690-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Detect binaries embedding considerable number of MFA browser extension IDs. 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3660-498-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/3660-557-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/3660-711-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3660-498-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/3660-557-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/3660-711-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2680-229-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2680-423-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2680-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2680-543-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2680-554-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4324-690-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3660-498-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3660-557-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3660-711-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables Discord URL observed in first stage droppers 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2680-229-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2680-423-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2680-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2680-543-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2680-554-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4324-690-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2680-229-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2680-423-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2680-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2680-543-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2680-554-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4324-690-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2680-229-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2680-423-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2680-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2680-543-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2680-554-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4324-690-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables packed with VMProtect. 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3632-356-0x0000000000400000-0x00000000005AD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3632-352-0x0000000000400000-0x00000000005AD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1824-362-0x0000000000400000-0x00000000005AD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1824-494-0x0000000000400000-0x00000000005AD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1824-556-0x0000000000400000-0x00000000005AD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1824-677-0x0000000000400000-0x00000000005AD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Detects executables referencing many varying, potentially fake Windows User-Agents 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2680-229-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2680-423-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2680-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2680-543-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2680-554-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4324-690-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

2FE9.exeexplorgu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2FE9.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2FE9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

UPX dump on OEP (original entry point) 1 IoCs

Processes:

resource	yara_rule
C:\Windows\windefender.exe	UPX

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

148 860 rundll32.exe
149 448 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5000 netsh.exe

flow	pid	process
148	860	rundll32.exe
149	448	rundll32.exe

pid	process
5000	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exe2FE9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2FE9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2FE9.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F520.exeEasyAppns.exeInstallSetup_four.exeu25s.1.exeu25s.0.exeCBGHCAKKFB.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	F520.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	EasyAppns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	InstallSetup_four.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	u25s.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	u25s.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	CBGHCAKKFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	explorgu.exe

Deletes itself 1 IoCs

Processes:

pid process

3424

pid	process
3424

Executes dropped EXE 24 IoCs

Processes:

C227.exeF520.exeInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exeEasyAppns.exe1C60.exeapril.exeapril.tmpflashdecompiler32.exeflashdecompiler32.exeEasyApp.exe2FE9.exeu25s.0.exeu25s.1.exe288c47bbc1871b439df19ff4df68f076.execsrss.exeE271.exeinjector.exeinjector.exeCBGHCAKKFB.exeexplorgu.exeF9E2.exewindefender.exewindefender.exe

pid	process
1100	C227.exe
1388	F520.exe
2800	InstallSetup_four.exe
2680	288c47bbc1871b439df19ff4df68f076.exe
4100	EasyAppns.exe
3436	1C60.exe
1560	april.exe
372	april.tmp
3632	flashdecompiler32.exe
1824	flashdecompiler32.exe
4596	EasyApp.exe
2472	2FE9.exe
3660	u25s.0.exe
3712	u25s.1.exe
4324	288c47bbc1871b439df19ff4df68f076.exe
4996	csrss.exe
2792	E271.exe
3580	injector.exe
1340	injector.exe
1696	CBGHCAKKFB.exe
2732	explorgu.exe
708	F9E2.exe
1984	windefender.exe
4652	windefender.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2FE9.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine	2FE9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine	explorgu.exe

Loads dropped DLL 7 IoCs

Processes:

regsvr32.exeapril.tmpu25s.0.exerundll32.exerundll32.exerundll32.exe

pid process

3712 regsvr32.exe
372 april.tmp
3660 u25s.0.exe
3660 u25s.0.exe
2148 rundll32.exe
860 rundll32.exe
448 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3712	regsvr32.exe
372	april.tmp
3660	u25s.0.exe
3660	u25s.0.exe
2148	rundll32.exe
860	rundll32.exe
448	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

288c47bbc1871b439df19ff4df68f076.exeCBGHCAKKFB.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CBGHCAKKFB.exe"	CBGHCAKKFB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

F9E2.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 F9E2.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	F9E2.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2FE9.exeexplorgu.exe

pid process

2472 2FE9.exe
2732 explorgu.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

E271.exe

description pid process target process

PID 2792 set thread context of 3684 2792 E271.exe BitLockerToGo.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe

pid	process
2472	2FE9.exe
2732	explorgu.exe

description	pid	process	target process
PID 2792 set thread context of 3684	2792	E271.exe	BitLockerToGo.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 5 IoCs

Processes:

csrss.exe2FE9.exe288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\explorgu.job	2FE9.exe
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4444 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4444	sc.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1832	3436	WerFault.exe	1C60.exe
3808	4596	WerFault.exe	EasyApp.exe
3896	2800	WerFault.exe	InstallSetup_four.exe
708	3436	WerFault.exe	1C60.exe
4828	2680	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
3652	4324	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
1052	3660	WerFault.exe	u25s.0.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exeC227.exeu25s.1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C227.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C227.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u25s.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u25s.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C227.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u25s.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u25s.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u25s.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u25s.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2648 schtasks.exe
3152 schtasks.exe

pid	process
2648	schtasks.exe
3152	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1944 PING.EXE

pid	process
1944	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe

pid	process
4668	e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
4668	e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exeC227.exe

pid process

4668 e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
1100 C227.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

description	pid	process
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	2680	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	2680	288c47bbc1871b439df19ff4df68f076.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	1688	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeShutdownPrivilege	3424

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

2FE9.exeu25s.1.exe

pid process

2472 2FE9.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u25s.1.exe

pid process

3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
3712 u25s.1.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3424

pid	process
2472	2FE9.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe

pid	process
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe
3712	u25s.1.exe

pid	process
3424

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeF520.exeapril.exeapril.tmpEasyAppns.exeInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exe288c47bbc1871b439df19ff4df68f076.exeu25s.1.execmd.exe

description	pid	process	target process
PID 3424 wrote to memory of 1100	3424		C227.exe
PID 3424 wrote to memory of 1100	3424		C227.exe
PID 3424 wrote to memory of 1100	3424		C227.exe
PID 3424 wrote to memory of 3864	3424		regsvr32.exe
PID 3424 wrote to memory of 3864	3424		regsvr32.exe
PID 3864 wrote to memory of 3712	3864	regsvr32.exe	regsvr32.exe
PID 3864 wrote to memory of 3712	3864	regsvr32.exe	regsvr32.exe
PID 3864 wrote to memory of 3712	3864	regsvr32.exe	regsvr32.exe
PID 3424 wrote to memory of 1388	3424		F520.exe
PID 3424 wrote to memory of 1388	3424		F520.exe
PID 3424 wrote to memory of 1388	3424		F520.exe
PID 1388 wrote to memory of 2800	1388	F520.exe	InstallSetup_four.exe
PID 1388 wrote to memory of 2800	1388	F520.exe	InstallSetup_four.exe
PID 1388 wrote to memory of 2800	1388	F520.exe	InstallSetup_four.exe
PID 1388 wrote to memory of 2680	1388	F520.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 1388 wrote to memory of 2680	1388	F520.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 1388 wrote to memory of 2680	1388	F520.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 1388 wrote to memory of 4100	1388	F520.exe	EasyAppns.exe
PID 1388 wrote to memory of 4100	1388	F520.exe	EasyAppns.exe
PID 1388 wrote to memory of 4100	1388	F520.exe	EasyAppns.exe
PID 3424 wrote to memory of 3436	3424		1C60.exe
PID 3424 wrote to memory of 3436	3424		1C60.exe
PID 3424 wrote to memory of 3436	3424		1C60.exe
PID 1388 wrote to memory of 1560	1388	F520.exe	april.exe
PID 1388 wrote to memory of 1560	1388	F520.exe	april.exe
PID 1388 wrote to memory of 1560	1388	F520.exe	april.exe
PID 1560 wrote to memory of 372	1560	april.exe	april.tmp
PID 1560 wrote to memory of 372	1560	april.exe	april.tmp
PID 1560 wrote to memory of 372	1560	april.exe	april.tmp
PID 372 wrote to memory of 3632	372	april.tmp	flashdecompiler32.exe
PID 372 wrote to memory of 3632	372	april.tmp	flashdecompiler32.exe
PID 372 wrote to memory of 3632	372	april.tmp	flashdecompiler32.exe
PID 4100 wrote to memory of 4596	4100	EasyAppns.exe	EasyApp.exe
PID 4100 wrote to memory of 4596	4100	EasyAppns.exe	EasyApp.exe
PID 4100 wrote to memory of 4596	4100	EasyAppns.exe	EasyApp.exe
PID 372 wrote to memory of 1824	372	april.tmp	flashdecompiler32.exe
PID 372 wrote to memory of 1824	372	april.tmp	flashdecompiler32.exe
PID 372 wrote to memory of 1824	372	april.tmp	flashdecompiler32.exe
PID 3424 wrote to memory of 2472	3424		2FE9.exe
PID 3424 wrote to memory of 2472	3424		2FE9.exe
PID 3424 wrote to memory of 2472	3424		2FE9.exe
PID 2800 wrote to memory of 3660	2800	InstallSetup_four.exe	u25s.0.exe
PID 2800 wrote to memory of 3660	2800	InstallSetup_four.exe	u25s.0.exe
PID 2800 wrote to memory of 3660	2800	InstallSetup_four.exe	u25s.0.exe
PID 2680 wrote to memory of 4544	2680	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2680 wrote to memory of 4544	2680	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2680 wrote to memory of 4544	2680	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2800 wrote to memory of 3712	2800	InstallSetup_four.exe	u25s.1.exe
PID 2800 wrote to memory of 3712	2800	InstallSetup_four.exe	u25s.1.exe
PID 2800 wrote to memory of 3712	2800	InstallSetup_four.exe	u25s.1.exe
PID 4324 wrote to memory of 2424	4324	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 4324 wrote to memory of 2424	4324	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 4324 wrote to memory of 2424	4324	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 3712 wrote to memory of 1688	3712	u25s.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 3712 wrote to memory of 1688	3712	u25s.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4324 wrote to memory of 4068	4324	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 4324 wrote to memory of 4068	4324	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 4068 wrote to memory of 5000	4068	cmd.exe	netsh.exe
PID 4068 wrote to memory of 5000	4068	cmd.exe	netsh.exe
PID 4324 wrote to memory of 1920	4324	288c47bbc1871b439df19ff4df68f076.exe	Conhost.exe
PID 4324 wrote to memory of 1920	4324	288c47bbc1871b439df19ff4df68f076.exe	Conhost.exe
PID 4324 wrote to memory of 1920	4324	288c47bbc1871b439df19ff4df68f076.exe	Conhost.exe
PID 4324 wrote to memory of 2300	4324	288c47bbc1871b439df19ff4df68f076.exe	schtasks.exe
PID 4324 wrote to memory of 2300	4324	288c47bbc1871b439df19ff4df68f076.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe
"C:\Users\Admin\AppData\Local\Temp\e499e8022dd2df0e3204a5fc7061b290c429ab845940efa4f782f988a9930317.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4668

C:\Users\Admin\AppData\Local\Temp\C227.exe
C:\Users\Admin\AppData\Local\Temp\C227.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1100

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CC59.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\CC59.dll
  2⤵
  - Loads dropped DLL
  PID:3712

C:\Users\Admin\AppData\Local\Temp\F520.exe
C:\Users\Admin\AppData\Local\Temp\F520.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\u25s.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u25s.0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:3660
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe"
      4⤵
      PID:2860
    - - C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1696
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe
        6⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:1944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 2416
      4⤵
      Program crash
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\u25s.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u25s.1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 724
    3⤵
    - Program crash
    PID:3896
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:2424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:1920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2300
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      PID:4996
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1052
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1920
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2648
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4276
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:1340
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:3152
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 716
      4⤵
      Program crash
      PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1012
    3⤵
    - Program crash
    PID:4828
- C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Public\Music\EasyApp.exe
    "C:\Users\Public\Music\EasyApp.exe"
    3⤵
    - Executes dropped EXE
    PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 676
      4⤵
      Program crash
      PID:3808
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\is-IVHNL.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IVHNL.tmp\april.tmp" /SL5="$801C2,1485356,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -i
      4⤵
      Executes dropped EXE
      PID:3632
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -s
      4⤵
      Executes dropped EXE
      PID:1824

C:\Users\Admin\AppData\Local\Temp\1C60.exe
C:\Users\Admin\AppData\Local\Temp\1C60.exe
1⤵
- Executes dropped EXE
PID:3436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1084
  2⤵
  - Program crash
  PID:1832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1100
  2⤵
  - Program crash
  PID:708

C:\Users\Admin\AppData\Local\Temp\2FE9.exe
C:\Users\Admin\AppData\Local\Temp\2FE9.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4596 -ip 4596
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3436 -ip 3436
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2800 -ip 2800
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3436 -ip 3436
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2680 -ip 2680
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4324 -ip 4324
1⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\E271.exe
C:\Users\Admin\AppData\Local\Temp\E271.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2792
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3660 -ip 3660
1⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2732
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:2148
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:860
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:3220
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:448

C:\Users\Admin\AppData\Local\Temp\F9E2.exe
C:\Users\Admin\AppData\Local\Temp\F9E2.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:708

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
128KB

MD5
938a2c7d49c08b85329be291368f5ec4

SHA1
5549aef1f1c4d56dbfef3b743a2af76916146398

SHA256
ede39a99b365a9162817c1a1f4787f75675f6782e97a4e5da03c746c1e8a6332

SHA512
1edbc2aca9f9b643a9245872e46ff2b8e198165d63d058b6bae4e496389b0388de83b03b901949529646335d6f31e2fd60b9ab6232e93d40bce2aa6142b9f90e

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
1.7MB

MD5
95dccef9f0bee7ef720486845368e79c

SHA1
e1a504d43e02b53b18bec110dbcb1e4b3f48681b

SHA256
777ea399013368cef357af77c88df152776feb2fa1bc3fae2cb01dd378adbbcc

SHA512
aea82c540ce49543e77a53f4376b5e88442bd3e0fdc29390b544274b9f2140b5e75b0043031adccd2cdee5e4b1a968bfac50ad1640290dc2839fd50b16ef5899

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C60.exe

Filesize
421KB

MD5
c3d259b868dfa77e4955ed5b4a5fb7f5

SHA1
6f57f1711f5734439b713338a8430e0e80e2bd5b

SHA256
d4b9d1e10290349b015ada3e86b6fd4c73a4450d3665c3f8a8f266c496c72f18

SHA512
a7882be9a2a643b7507e12d09acae117986f890d089b027bb18eee3e6d85aff04f51360cd2f72da0e56a545c09fab067a93a52f0b83e742f7aaa20249ae44ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C60.exe

Filesize
2.3MB

MD5
1a6212bd50131b501fd686aa403b5571

SHA1
c0ee0b6a73c0f6a4c3a3001cd0d4270446b6f62c

SHA256
ee744184fffb5722a24c893fc295ce92f4e8e448470bd57ed42f25db39663457

SHA512
80a0d40cf72993ca0053e948c65842a1f0a65b415f6c0fdc0f28c57d62a26e5f7ea5b6f63cb6ac90e88a712c9c970f909f67828ec644d0d5798cf5983675da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.1MB

MD5
c8564b4d627953e836d0faab99740a6a

SHA1
74b37a34950bd081d10072b4dae88952a4c52178

SHA256
051b0fe6b1d01ab0cc4dee0e7270b4dd54040a5c1783b78ea612bbf37d0c6f31

SHA512
77af3dd58d16effa1a307c174add6cdd1006b2a08add287388162bb2b7b3245a77e15375da1e508bcce10f024ab0e888b16862f087941e7b165834e8ae406776

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
3.1MB

MD5
c391fca4149be8a8fbca1f957fc42092

SHA1
945e7b4365d77e707d0331eab7cd99b521d000e9

SHA256
052a030b677160621a73979a46e315413d265c1fa7bd2cf6cbb1564a148d3f9f

SHA512
9ac73ba465723500ab6e57b6e64ef6df272f56f85f59cbacd3246a6a74ea469b7ca9ef675b90169e2191cd2c2ad6c2c442efa72835b1f030ca71e6b7763bfdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.7MB

MD5
7239ead58031ed82ad01dfaffa7d6514

SHA1
4b0374341c3a08b37d24e96fc7e2bae0b3f15b61

SHA256
cc0e7a732dd7617ea4bcc9401258d63c970607dc85d82dc8831d005ab319150d

SHA512
b8faa738e050af8d4a68b826c648eac9a15cc8862e670d052a56171b0545435e5247f05abd9d950de1505e0692bf3f90b422735f578555c8bc4fa1c2583fed21

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.1MB

MD5
617e2cd3470cb96f3aa5ab71e409bbf9

SHA1
a95af84b2208f78903c30848bbf0149547a0f3cd

SHA256
063ed666cbfda51ff4cd567cef11a89ec5085ac38ad3dd821bfa32d5b10416a4

SHA512
e45ced1d7b52fc751d48e3ad82d7b2165252a65e3177d3f185469aa18e318e4d5484c49e31d19046b92a4fc36441cfcd27a954d6be3548fb35dece89c96ef101

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FE9.exe

Filesize
1.8MB

MD5
7c396270dd3aa8f5358a690fceff3a8f

SHA1
321c2273f7ceb2f8b084110ecff5a815132a4317

SHA256
d976e0a0a5ba6eef37a509186ef3c2732f1065b3bb34e96d4d0ac0f89d8f5332

SHA512
4af01db833d93c40bc6dc97f8b3b70915c4f4cf54e50eb17ffb71a4b04bd14b07f0d33e9e22693d140f70900a18b600072ed9f9baebf6dd4f3792d5dee3d0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\C227.exe

Filesize
230KB

MD5
60cfb7d9800c28666f19a6be76994545

SHA1
e5b1fbbfa182239425d9b6f12beabdd1f5b1096f

SHA256
2c72c603a6c9992c0f190e65ffc1290f00d31945804750f14d8b3596b9745758

SHA512
7f4231056c76951d693815c4d22aeb8db765d50db7e073b4d7ed839f1fb501074496f05d5e89aa6fea5c90a1c7a1aa35259df95c8481d1ff8e8a8be18221e9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe

Filesize
101KB

MD5
42b838cf8bdf67400525e128d917f6e0

SHA1
a578f6faec738912dba8c41e7abe1502c46d0cae

SHA256
0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d

SHA512
f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC59.dll

Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E271.exe

Filesize
640KB

MD5
830008125e08beaff2fc9b534c6d214f

SHA1
9427a609d8186fe4a9dbee482995119a4f71daed

SHA256
0da07e46a0d4feee5c5bf19da99beba7b014014fd7c4d356e6a5dd55bc2f05ec

SHA512
d2df61e121508ae9b82e679ef776406221bc814a00a15bdf55303e28172a0c5f9c8dca387504904458a05b8200b31d2e344b9408e14f3a00a63f88067fcdca38

Download Submit
C:\Users\Admin\AppData\Local\Temp\E271.exe

Filesize
320KB

MD5
57dfe01b74d59d438193aaefa29492ab

SHA1
7cd1e3d444d390b8b9acf418ffc58dff585afe88

SHA256
401b7124c6bc3e702c232ee9773ecb9648149f60e688687bdd4f2b9ef070bf07

SHA512
075ec0b2ff1103882844b046ce5c05f16abe31affe5550e6f1818cb1bb42ed041c8d71324297c537e703e285c4ca798a41b3133d18e90032f63c0602dd86732b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
988KB

MD5
065760220981039db19b9701aaeffddf

SHA1
318170b5ca3673cff578d89b7de116f9d6fcd961

SHA256
cac5a59708cebec195aed03baf2c20b32b277ea73738d054ba40a072719160bf

SHA512
81bb505365d1a10dd902f76b24ec111b519d17c0ede500b5c47d6eab9f187f95ac2897b09e7004762455a17cfb068a47c854fd9c29957e13832bb108a6385895

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
384KB

MD5
11b5924c0dc4e2d63207500634709d56

SHA1
68ec7940876513a7129c3f500b5341a9f6d8b89d

SHA256
fcc6be5bb062de91fba746c90e77d0117bdeaeb6d2cdad29e2dca07285c24b5e

SHA512
fcda1d57b6c4eb45b5d2eb59b06ce02d6d4f2ba5d2d59766252b1fea75c1341c3e3f9b8ac7a04179ce7f8cf4d4c03e74ce464dd7bf64aab636b8280a7b757eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\F520.exe

Filesize
5.2MB

MD5
f48ae6d4eacd157cc10915fe1e3b9c3a

SHA1
b1bec23a066799189fb2b3948e083ec0cf29f952

SHA256
0707dac8c51217815ad81fd792203cb9e89e1590af8063caea8710b26093f498

SHA512
364cb78b2ae110719d2c73214469bd463d505a0720488434a5bdec544e1c0c95a2c8a8e5bf4988a74cc4bcebb5dc282236769cc95d18d7520b6bf525eae03e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\F520.exe

Filesize
1.8MB

MD5
9e1c06a16c9930566f7c4bec387e8b55

SHA1
cb7e883a0550f7474cd865da4d72ecd46ec547b4

SHA256
011d119459b39f8112a6bbad0cfebbbb97196c5bc3663f8f1e3457f517827e7d

SHA512
7483a041358d1acbc25dea36f5a3c9a6e6dd0dfb71783f3d00945c225edec65e6c915a7147de77417628ff7e2a735f0dbcc123a89f8f936e2b72c73dd80de8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9E2.exe

Filesize
1.1MB

MD5
679e0c9d77c16f8529e6a08486c3a9c1

SHA1
8e74ee4ac19b5653981a1d8378aeda9e6fc1b009

SHA256
585e21bcd0f3c05c51f4aa74f554e0a648370facb8b90134680c2e49b5fc272e

SHA512
54195de01cdbf53812f172931d66ff8ee510f78ac972737c71a57fbae1a3b8b7a295347bba81ff38fa0ab934eb4cb60c90e267acdd512ec1b9e90831db454acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
404KB

MD5
383c48c7f64a6867db5b8577fa3abfbf

SHA1
926911f9581df56f5ac38fac01f6d45acdfb7dbd

SHA256
9b37a304f33bda4707c0dae60a20ac7c76c75752b0d06ad9fb2d6f07f8edd1b9

SHA512
53b5d42ed93ad6f1163ed00be8cd1b66d367fadf25853c16d8c6fb710f69d9e8a32cb85d0dbf36d95c85da16b214de2a564bc0750c264bb0547dd8910a6f4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fhypriz.bcv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
1.8MB

MD5
00afae68a43d8845cbe0555330b2d332

SHA1
4db6e7281ba89d9808bddd823cae64fa6f7c6ea4

SHA256
143d067bf572802cb8a76ad8e9e8b240b4f5cc6b757400a20fdfde18fb92a1fd

SHA512
40670fd43961e6f8c41052545361af45393b508991c40393d63481db1a0389ee1ea9dd8f9a0077f3db4178968d4d404646992cdea3983a34ab6f041e408f5742

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
448KB

MD5
96536cc145bb38ca4747dd924641ae52

SHA1
dbc065d376e9f0084b4896698f3289262a5ffa6e

SHA256
0d2741cf2412ec57481c11c7fbec19d7ad314e45dc9997b3fd6cfdaa6b7ec944

SHA512
af565c6f1507004cd26fa0c2fc8e014960e6a4644c6dab7211e8591cc4b679eaeacd7b12faaca76b02496ef01f17b9f8815711127adc9d43550d4e8b3953fbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
192KB

MD5
5d4ac72967d655e2768084a3d6518990

SHA1
fb958903b70a96219a7e0c2a9fd5cce47884f152

SHA256
07531662fcf7eae82e4fa1ad35eab3333ae0f4f0b56d9db0e90bb80ee0ce21f0

SHA512
ad58d15aadb1d94c1beb64e0755a17b7787cd9fcbdb1d7fc80249344804a78dfbcd7ea5f8f97330417761fc8cfa54c726acb8adca44183be2597ee87cb8dba86

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
192KB

MD5
b0501abdb7e3d679dfeba1158d0b7cb0

SHA1
272a4664af0c6ba1ab40459656e60c5cfb3725ee

SHA256
ba77a33078a08cdc1dc6ff3fde2a7a1a9d5d2520a3ff74cc8ea95e288b1e3fc3

SHA512
1f36cce8c018f046a4fd19011dfd9914ac1b8708e95c06e44ff065b7aeac9b44da7630ce0f915a693a556b2257c3d8aa603d653d43f6a3690aec9c98dbdd7936

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
88aba96b3bd1119a44173fcaa05846a5

SHA1
4825aac249064009e7552521078c63990e501bb4

SHA256
679acfe628efe9f7e6423e12f51d1ba5b29826c4ef8e46e873653b6e76d35700

SHA512
939fdda959477c8eeb3678ddbfa67edf774e82b4c948acb36e1b3d7a4ca62861cc58bf519290dc5687118849932f1c42419a1ecc2c79a01eb490bf5f3dcc9f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVHNL.tmp\april.tmp

Filesize
677KB

MD5
8519bfba2d14dbdca979e73c62ed4b46

SHA1
388030278d4f7e4d88754adc3ff95df54e01eda9

SHA256
6848c671e27c33dd065e1d70c9be0a4205ad69ec9b4b4b356d03eb8dc73ddeb5

SHA512
a1bfd50e48a82f7b100de76674a082eb77ac385b7ccc5ba574f45b97e2e4a992541a992b979b266b9e6bd27eddec02f943b776ed0210d5b788954e15463921aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K5S00.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\u25s.0.exe

Filesize
261KB

MD5
117317fbb36d19cd13ec4ad689003337

SHA1
255559041e48bf87b5409d62da5bdb93e4933c8d

SHA256
afd1ac557f3abeb5bb9a8358f0a3b06e5d276ff7b478b768af4d34af6e15cba2

SHA512
1c035c63157a3bb6cb00b9e3c2e6ea9af15b8b8edb3a6a34eb2a2530a3d080a37f806a6b2045bb68ede64373cb85b18b1e8632a331ad5448e9e77ffdd2801e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\u25s.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\Temp\u25s.1.exe

Filesize
1.2MB

MD5
c713698774acbf295528b4d19cc7800d

SHA1
23005d8a605ebffd31f6564af3c6e1d70a6d2195

SHA256
a9ede3a195f0f57040b8e77907e9676e84ee63ae34806f2933bd2f72a26cfcb1

SHA512
2a7bff3212702ea928604fe779e7537d123a95294624a1a2b59efc2ee7e10b78c62eca33fc4ff6709aa64a8c8848e56ea4301a772def5d5e48c8c4f79c8eb926

Download Submit
C:\Users\Admin\AppData\Local\Temp\u25s.1.exe

Filesize
1.9MB

MD5
a1d098ea468c9cb1ffcea9f9356a713d

SHA1
4d823cb7927b6ff059197871e70287b90e3003e7

SHA256
3deb805191106a5b9545b00589bfb7d21db8ba510dc64faaa0dc400096d343df

SHA512
27f79b13ccbf6fcfb0591e402de557af164d45a0e5d0186e06ebcb8e6fafaca0b38c17e987344bf3052b1ca1f69020a44c0585abe04442c55eed1d3aa7b0ea51

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Public\Music\EasyApp.exe

Filesize
192KB

MD5
922e9bd10aa9555b696b43d24027234b

SHA1
03f176287383b885b927028baa6e34e57a84bc70

SHA256
2d05d884a7e2a031bd3334f36eef3d172b9a25a9c2dc9222fe52eed5e3c6ea72

SHA512
a633ba9061ed501408fd497c7b7e52e91be051931ea80cb54ac5010cfe944197aab6bb28d992dccb9f3649e934c0ed8d5895db2e38f1d8b80dee2d5668011e30

Download Submit
C:\Users\Public\Music\EasyApp.exe

Filesize
341KB

MD5
0e49e66fd0e90ac46ad9f027df419048

SHA1
357559abc784e69245db2e4302c838913df618b2

SHA256
599fbee1c0335d5f8efae7ed35eed9700001841005158a1c8c6648b53a6e4bda

SHA512
38aa37d633795de8ad65749a11da261e9f3aa2e1f285cd95e89a895c76e28a7d1fb72e87776013e8b508b9201d1b7ce92462c85cb4e3d55d5cf9b5a802479fed

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7b99f2e1ab340f7e7b1567c468719fd9

SHA1
82cabc6fd714ec277da85445048d5b1ae87ab165

SHA256
f0a8981dbbce75c370b30bae64dd4673e0c21d4c2d6a6fcb7ae8081cc6828353

SHA512
a440ed27d65c25e86fa271237e8f1383f7f23830a44d78b237d3faa42aa005f0859a54ec6f189d1b152ad077c94ea71f7231e36fc899f16017bea793c84abf91

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
db54b2fd6f7ac34e729fc94f8bad8af0

SHA1
1d466b69cbb016d68a9559dadb88e927de0d56ee

SHA256
2acad2ad040c9e0ba51c9d3c38c38b774cf4a859ed70e0157f5b0dc6713445d3

SHA512
fa3ef033137c867b582b579d6f99666c3b5110e5468d39bd062220acee39c24454c0dcb04f273053fac86ea8a1540f607d79e0095ca4d05add6864324fea5d9b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d5fb05e08e6bc96ee241c67045ad0466

SHA1
1d98b88a4c92869730706f0d8e13c5fd20dd3ed8

SHA256
9f9fcfcb30ef30d6d611f92b275202cb6bd7f78cad066150e4545c6fa054f068

SHA512
f40d9aac92b4dc015dedcf6f238f61424e4c496a346bc7c9fb487e39be85af52f0e23c3969641a88d3d03fd9bb01ff655748884f66d3529a5b9df6a8579865bd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
18f3a7ca9d4d5b90d05da08e1b3c4b0b

SHA1
7c06c5a7d8b605293eec38dc324dc91feabcc28d

SHA256
b603923b6aeda4e198bc9e07f2645db917d754de613def2dbf04592d05ed9458

SHA512
f12bea6d587756695ecd996574b389e043aa43236ad9e3c438461fccbdb64324bc32f5882246032cfa9d03ab658ba745f75d1d8e81d720ed40a3b71b0e05221c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6a74a927bf124d9bace3ad49d1b6737d

SHA1
07f6cf277113f7dead56ac9b54ece67484ad01f6

SHA256
014065fde317ebaea766907cdf1c719f4c3924ddf2beb7edf7a3730acaaff194

SHA512
dd898ac3f763d5363fd5b392afe32788df1838caceda9fba60204f9d44ac93989592d5c541aaaabe7e7ff56f580763eb3c18d0f44af061202f106f0fd6d3d56e

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/372-443-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/372-278-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1100-18-0x00000000005C0000-0x00000000005CB000-memory.dmp

Filesize
44KB

Download
memory/1100-17-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1100-19-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1100-29-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1388-41-0x0000000000350000-0x0000000000A90000-memory.dmp

Filesize
7.2MB

Download
memory/1388-40-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/1388-92-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/1560-429-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1560-93-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1824-556-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1824-494-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1824-362-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1824-677-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2472-386-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2472-391-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2472-369-0x0000000000130000-0x00000000005DA000-memory.dmp

Filesize
4.7MB

Download
memory/2472-409-0x0000000000130000-0x00000000005DA000-memory.dmp

Filesize
4.7MB

Download
memory/2472-403-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2472-402-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2472-396-0x0000000000130000-0x00000000005DA000-memory.dmp

Filesize
4.7MB

Download
memory/2472-384-0x0000000077C24000-0x0000000077C26000-memory.dmp

Filesize
8KB

Download
memory/2472-392-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2472-385-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2472-390-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2472-389-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2680-397-0x0000000002A90000-0x0000000002E95000-memory.dmp

Filesize
4.0MB

Download
memory/2680-554-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2680-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2680-433-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2680-94-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/2680-423-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2680-398-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/2680-543-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2680-76-0x0000000002A90000-0x0000000002E95000-memory.dmp

Filesize
4.0MB

Download
memory/2800-66-0x00000000020A0000-0x000000000210F000-memory.dmp

Filesize
444KB

Download
memory/2800-421-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2800-393-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2800-67-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2800-65-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2800-394-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3424-26-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/3424-4-0x0000000002A80000-0x0000000002A96000-memory.dmp

Filesize
88KB

Download
memory/3436-358-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3436-334-0x0000000000730000-0x0000000000AD6000-memory.dmp

Filesize
3.6MB

Download
memory/3436-353-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3436-351-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3436-447-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3436-357-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3632-350-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3632-356-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3632-352-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3660-711-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3660-400-0x00000000006E0000-0x0000000000707000-memory.dmp

Filesize
156KB

Download
memory/3660-399-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/3660-401-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3660-557-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3660-422-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3660-498-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3712-607-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3712-24-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/3712-34-0x0000000002530000-0x0000000002638000-memory.dmp

Filesize
1.0MB

Download
memory/3712-31-0x0000000002530000-0x0000000002638000-memory.dmp

Filesize
1.0MB

Download
memory/3712-435-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3712-30-0x0000000002400000-0x0000000002523000-memory.dmp

Filesize
1.1MB

Download
memory/3712-549-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3712-23-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/3712-35-0x0000000002530000-0x0000000002638000-memory.dmp

Filesize
1.0MB

Download
memory/4324-690-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4544-463-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/4544-482-0x0000000005C00000-0x0000000005F54000-memory.dmp

Filesize
3.3MB

Download
memory/4544-428-0x0000000002710000-0x0000000002746000-memory.dmp

Filesize
216KB

Download
memory/4544-464-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/4544-449-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4544-437-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/4544-445-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4544-496-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/4544-495-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/4544-474-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/4544-440-0x00000000732B0000-0x0000000073A60000-memory.dmp

Filesize
7.7MB

Download
memory/4596-372-0x0000000002180000-0x00000000021C8000-memory.dmp

Filesize
288KB

Download
memory/4596-374-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4596-380-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4596-383-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4596-381-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4596-378-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4596-379-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4596-408-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4596-371-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/4668-1-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/4668-5-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4668-8-0x00000000006D0000-0x00000000006DB000-memory.dmp

Filesize
44KB

Download
memory/4668-3-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4668-2-0x00000000006D0000-0x00000000006DB000-memory.dmp

Filesize
44KB

Download