amadey | abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976

Analysis

max time kernel
57s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-03-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
Size

313KB
MD5

49c1a7094df766b5e5868811f298b529
SHA1

c48fc045b5ee06e02d558f3c3551a463199725b9
SHA256

abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976
SHA512

c34cf47f715fffb4c4b9ec4ba587ea0c455d3baf7192408114b9f7260dbb1ee6b28c794157cfdd12c6048e99e9140220d77232bd9355cb96db7df9e566ba9490
SSDEEP

3072:9gw3B7c4wkQMR+BYYeEX+qP4XTkedBoRv0XgGlf+N9XF6kVQvVYKAG:zxd/RmFMkeAv0ltKXF6k2NvJ

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

F57D.exeschtasks.exeschtasks.exeabc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\47de060a-5eda-414f-b20d-02673e203e16\\F57D.exe\" --AutoStart"	F57D.exe
2948	schtasks.exe
4204	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe	family_zgrat_v1

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4504-21-0x0000000002610000-0x000000000272B000-memory.dmp	family_djvu
behavioral2/memory/3492-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3492-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3492-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3492-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3492-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/560-65-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/560-67-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/560-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3372-134-0x0000000005300000-0x0000000005BEB000-memory.dmp	family_glupteba
behavioral2/memory/3372-136-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3372-165-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3372-219-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3372-227-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3372-229-0x0000000005300000-0x0000000005BEB000-memory.dmp	family_glupteba
behavioral2/memory/3864-268-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3864-382-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3864-414-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3864-442-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/2216-502-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/2216-593-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4192-654-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1244 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3312
Executes dropped EXE 8 IoCs

Processes:

F57D.exeF57D.exeA9.exeF57D.exeF57D.exe3362.exe467F.exe5219.exe

pid process

4504 F57D.exe
3492 F57D.exe
2516 A9.exe
2796 F57D.exe
560 F57D.exe
5052 3362.exe
4388 467F.exe
3372 5219.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1896 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1244	netsh.exe

pid	process
3312

pid	process
4504	F57D.exe
3492	F57D.exe
2516	A9.exe
2796	F57D.exe
560	F57D.exe
5052	3362.exe
4388	467F.exe
3372	5219.exe

pid	process
1896	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

F57D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\47de060a-5eda-414f-b20d-02673e203e16\\F57D.exe\" --AutoStart"	F57D.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\F: explorer.exe
File opened (read-only) \??\D: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 drive.google.com
17 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
1 ip-api.com
4 api.2ip.ua

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

flow	ioc
1	drive.google.com
17	drive.google.com

flow	ioc
1	api.2ip.ua
1	ip-api.com
4	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

F57D.exeF57D.exeA9.exe467F.exe

description	pid	process	target process
PID 4504 set thread context of 3492	4504	F57D.exe	F57D.exe
PID 2796 set thread context of 560	2796	F57D.exe	F57D.exe
PID 2516 set thread context of 2424	2516	A9.exe	RegAsm.exe
PID 4388 set thread context of 3992	4388	467F.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2460	560	WerFault.exe	F57D.exe
2288	2424	WerFault.exe	RegAsm.exe
1036	5052	WerFault.exe	3362.exe
4540	4584	WerFault.exe	RegAsm.exe
1724	4584	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2948 schtasks.exe
4204 schtasks.exe

pid	process
2948	schtasks.exe
4204	schtasks.exe

Modifies registry class 8 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{AE63838F-10DA-4073-B7C8-913ABBEE7956}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe

pid	process
3404	abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
3404	abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe

pid process

3404 abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

RegAsm.exeexplorer.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeDebugPrivilege	3992	RegAsm.exe
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	2816	explorer.exe
Token: SeCreatePagefilePrivilege	2816	explorer.exe
Token: SeShutdownPrivilege	2816	explorer.exe
Token: SeCreatePagefilePrivilege	2816	explorer.exe
Token: SeShutdownPrivilege	2816	explorer.exe
Token: SeCreatePagefilePrivilege	2816	explorer.exe
Token: SeShutdownPrivilege	2816	explorer.exe
Token: SeCreatePagefilePrivilege	2816	explorer.exe
Token: SeShutdownPrivilege	2816	explorer.exe
Token: SeCreatePagefilePrivilege	2816	explorer.exe
Token: SeDebugPrivilege	4304	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

explorer.exe

pid process

2816 explorer.exe
2816 explorer.exe
2816 explorer.exe
2816 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeF57D.exeF57D.exeF57D.exeA9.execmd.exe467F.exe

description	pid	process	target process
PID 3312 wrote to memory of 3180	3312		cmd.exe
PID 3312 wrote to memory of 3180	3312		cmd.exe
PID 3180 wrote to memory of 2276	3180	cmd.exe	reg.exe
PID 3180 wrote to memory of 2276	3180	cmd.exe	reg.exe
PID 3312 wrote to memory of 4504	3312		F57D.exe
PID 3312 wrote to memory of 4504	3312		F57D.exe
PID 3312 wrote to memory of 4504	3312		F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 4504 wrote to memory of 3492	4504	F57D.exe	F57D.exe
PID 3492 wrote to memory of 1896	3492	F57D.exe	icacls.exe
PID 3492 wrote to memory of 1896	3492	F57D.exe	icacls.exe
PID 3492 wrote to memory of 1896	3492	F57D.exe	icacls.exe
PID 3492 wrote to memory of 2796	3492	F57D.exe	F57D.exe
PID 3492 wrote to memory of 2796	3492	F57D.exe	F57D.exe
PID 3492 wrote to memory of 2796	3492	F57D.exe	F57D.exe
PID 3312 wrote to memory of 2516	3312		A9.exe
PID 3312 wrote to memory of 2516	3312		A9.exe
PID 3312 wrote to memory of 2516	3312		A9.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2796 wrote to memory of 560	2796	F57D.exe	F57D.exe
PID 2516 wrote to memory of 4852	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 4852	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 4852	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 2516 wrote to memory of 2424	2516	A9.exe	RegAsm.exe
PID 3312 wrote to memory of 5052	3312		3362.exe
PID 3312 wrote to memory of 5052	3312		3362.exe
PID 3312 wrote to memory of 5052	3312		3362.exe
PID 3312 wrote to memory of 4104	3312		cmd.exe
PID 3312 wrote to memory of 4104	3312		cmd.exe
PID 4104 wrote to memory of 3632	4104	cmd.exe	reg.exe
PID 4104 wrote to memory of 3632	4104	cmd.exe	reg.exe
PID 3312 wrote to memory of 4388	3312		467F.exe
PID 3312 wrote to memory of 4388	3312		467F.exe
PID 3312 wrote to memory of 4388	3312		467F.exe
PID 4388 wrote to memory of 3992	4388	467F.exe	RegAsm.exe
PID 4388 wrote to memory of 3992	4388	467F.exe	RegAsm.exe
PID 4388 wrote to memory of 3992	4388	467F.exe	RegAsm.exe
PID 4388 wrote to memory of 3992	4388	467F.exe	RegAsm.exe
PID 4388 wrote to memory of 3992	4388	467F.exe	RegAsm.exe
PID 4388 wrote to memory of 3992	4388	467F.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
"C:\Users\Admin\AppData\Local\Temp\abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E9A4.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2276

C:\Users\Admin\AppData\Local\Temp\F57D.exe
C:\Users\Admin\AppData\Local\Temp\F57D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\F57D.exe
  C:\Users\Admin\AppData\Local\Temp\F57D.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\47de060a-5eda-414f-b20d-02673e203e16" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\F57D.exe
    "C:\Users\Admin\AppData\Local\Temp\F57D.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\F57D.exe
      "C:\Users\Admin\AppData\Local\Temp\F57D.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 600
        5⤵
        Program crash
        
        PID:2460

C:\Users\Admin\AppData\Local\Temp\A9.exe
C:\Users\Admin\AppData\Local\Temp\A9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1144
    3⤵
    - Program crash
    PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 560 -ip 560
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2424 -ip 2424
1⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\3362.exe
C:\Users\Admin\AppData\Local\Temp\3362.exe
1⤵
- Executes dropped EXE
PID:5052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1144
  2⤵
  - Program crash
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3538.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5052 -ip 5052
1⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\467F.exe
C:\Users\Admin\AppData\Local\Temp\467F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3992

C:\Users\Admin\AppData\Local\Temp\5219.exe
C:\Users\Admin\AppData\Local\Temp\5219.exe
1⤵
- Executes dropped EXE
PID:3372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Users\Admin\AppData\Local\Temp\5219.exe
  "C:\Users\Admin\AppData\Local\Temp\5219.exe"
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:464
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3636
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2348
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2948
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4216
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:4204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816
- C:\Users\Admin\AppData\Local\Temp\94D4.exe
  C:\Users\Admin\AppData\Local\Temp\94D4.exe
  2⤵
  PID:400
- C:\Users\Admin\AppData\Local\Temp\9B4D.exe
  C:\Users\Admin\AppData\Local\Temp\9B4D.exe
  2⤵
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
      "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
      4⤵
      PID:4736
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 476
        6⤵
        Program crash
        
        PID:4540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1152
        6⤵
        Program crash
        
        PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
      "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
      4⤵
      PID:4952
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:484
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4192
- C:\Users\Admin\AppData\Local\Temp\B137.exe
  C:\Users\Admin\AppData\Local\Temp\B137.exe
  2⤵
  PID:2572

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:4152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:4704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:2600

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3896

C:\Users\Admin\AppData\Roaming\uicfrbr
C:\Users\Admin\AppData\Roaming\uicfrbr
1⤵
PID:4356

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:652

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4584 -ip 4584
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4584 -ip 4584
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
1KB

MD5
0610a4c36df2531d0760aaf9ebe1f02d

SHA1
4d302b5d99b70f1f94e5b91cc132a84e836cf82c

SHA256
9a73590b4c4d2e74c68ff0d88e6880c64ca30ff4eb68c937062bffd5cdc6325a

SHA512
a5812d9b868a74c15fae549391ed6148690447d153e0404c91d4a4bdf34af76b42c46d912e124622713ad24e7d3a28816c1e0bc5bc03c309ed2a57b2f0e184f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
e0e52915eb6309693aac1c4535b28b9f

SHA1
20c9362e4a4ee8b454d255945b68f2fe8d8c09bb

SHA256
fbdc94cee75d57351bf94954d03b172f2a13b080e385de8068ff5f637c67218a

SHA512
0c43d95ec620502374ef0d6da286bebbc391df29694899625e84741ee271f4caf5fb63801e666bba30ec914852ebc5b30f0b0751a3409f58b23641fe5d2be4c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\B19DE93B-F36A-4896-BA50-9F4A8F97397C\Zrtu2hQ08VU_1.bytecode

Filesize
62KB

MD5
d086993f38b70c227bc090c83899b526

SHA1
9534cd37499f1fd0000fb4dfd59f7270c14ca955

SHA256
c6b8add3d89dd2dfb4c255771c05c7abce11bfbb33d12861fb1eafb338e48a06

SHA512
e3e0d312da3eca4410c89c8836ea7e1864be46272453e22744be2be2249b8901306255bb6dd4b06775f5ce33e487ddf90f40db51443eee40a659a7c40594e1fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\B19DE93B-F36A-4896-BA50-9F4A8F97397C\Zrtu2hQ08VU_1.metadata

Filesize
192B

MD5
67598848cb6251441a2e15a90847b4fe

SHA1
769e0155b736f5e567a28a710a9d4544cde368d4

SHA256
24efcf85ef21551acf8f6e3a34c80611f4965f114dac223587b3ff2b4835935a

SHA512
275403c4626aa9d2642a300d127e7013b79d3e3884ca87a7db11c8483d4a4a5a180bc033dbe9accdad79e733be7a9a0f968c8dcf62d64c3424c3afa6292578ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A

Filesize
313B

MD5
3ea358bc5d2636c7c05260406a76be5d

SHA1
ca64794c172f9d2c46c91d868ce6b703aa7b4157

SHA256
561d6c91d0e6061ad178a87d9cdc23e25a8f79310564a90c5b4025ef1a745701

SHA512
641e00f3b3225f639271ce7c1da87f12650386dd4842ed240fe9a89a4baa704efc3433c55dae41665ad9ac9053a10d4f2adca8902c733a91159512006daf96d7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A

Filesize
404B

MD5
26837185beb926f1c4d6a4b3b5e511ae

SHA1
8f3ddc13bdd978a4c8f5da02953bba28836498bd

SHA256
9b78499fd4ec5c4388f2a88b1ce43f0a04885c7da0b592a1fb1b06cf461f2f47

SHA512
e4e304f7d42776cd3876f2a0716603ffb6e4af40b5bd3b1b32648aa3556d8d1d5506b7c72f2eb6cc6b11bf156016d855d34b39a7a9b826937a7211f05947c160

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\33P75E8Z\www.bing[1].xml

Filesize
2KB

MD5
e0239a6c81cd0f511aaf7b0476dd54ca

SHA1
38328a28e33b16ec9016ebdc2d804238779f4546

SHA256
4b7d87b8385eda2bb0e28ecb4b31fc797975199075465e67b81762ec0661bcd2

SHA512
00a42c2dd0ae0d375be0e71c67e96a4cacd85681277fc2f4522cb0acd062f1f21d3998483fdeaa3712e6ae0123b3fd69c889b8a059cd0389142923b35a12bd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
832KB

MD5
0164a4ff87a0dc5a2bd089be2417b5e7

SHA1
bfff6c1915a40ccc66ab2fc151ee0e7245c863df

SHA256
cbc1041ba8e2614a8bfe07cc1bc79ffcd4bd2ffc166e49934a225163981e9843

SHA512
320f83f7747e65c809ca255e347b9efe486664a48edda7e5a3404321ccb5d7e2a6e7cb7c8c50a136fdf1b73b93a3d1fbe08748eab6ad362fe2e088f43b3fdbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

Filesize
534KB

MD5
a3f8b60a08da0f600cfce3bb600d5cb3

SHA1
b00d7721767b717b3337b5c6dade4ebf2d56345e

SHA256
0c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb

SHA512
14f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3362.exe

Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\467F.exe

Filesize
124KB

MD5
15e99fef6ef1009225f7c4c6e150be76

SHA1
89bc8a468138da2fac12db6a0fb7b93ffd8703c3

SHA256
11d03ca1f0e3a488cd6ce3b2db917f470218473ed7cbbe75b1e7bf301ea23269

SHA512
3b8ef63d2f08ef6dc0d74e596c23afaa701b22d8dbf52fc1d073b0d285256f340587d9a933d7eb664f2a79df9e0576fa6737a9919304e67150e39e3d51c10480

Download Submit
C:\Users\Admin\AppData\Local\Temp\5219.exe

Filesize
2.2MB

MD5
dd342d3d95fb436e58a143ca35aa67a5

SHA1
0e05885061c078e840f388391f9388a1febbef02

SHA256
b5a9d417b89a353cbb6cf7935970d45eaf928956b5b602b309d72ba26129150b

SHA512
11050c96447ee178ecb9579712289f8e2230bdb8e8800164a8044aff306883e40d6ac6c1313df414155d3ef7dcf624e888a987eb0b927a2657f5a01dd9d67bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5219.exe

Filesize
1.9MB

MD5
17fb99c142cf9f689ee0c761dc7406fb

SHA1
0e8bc8d9e465958bfb47d6a8c4768933cab70555

SHA256
99af8c8c18098c030f9bf75b30e2701afdbf91092afb5fef9b4093fac2def6db

SHA512
8c6df89117a31a4db5768652349012c25a058a77d6fdae46f049147a1756972d2e40e3138723915bafd4abc4b502da989ab3fd1cf720d09e2f765804ddc1cbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5219.exe

Filesize
3.5MB

MD5
1354ff27fa001cd992ddce43deff3a05

SHA1
d25769c20a131ef5cbd06c21e5e8598ef72bf25f

SHA256
931661582896e7bb516d2d6f3ea2e0970c1e2d2cbe5146366bff1d264439875b

SHA512
73d3180026508facf00747c75d435cae292748979e8dd088995d8db96a43b627819fad96e10178d19356477b8a41ee3982f590403d63b89a0ba39ee9f520eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D4.exe

Filesize
1.8MB

MD5
dfb04c99ff9c9c5e3680e9f66eed0b42

SHA1
6f1bfffeb5d0df4af3c02969d42c075d6f8e28d8

SHA256
ec056709f6332170c8c92141476541b3730b1e610d6d8e835e1489b608ea892f

SHA512
3f7e6edb722a154094d59e8d92cdacca74e86a2853c567a4158025525780d62f0854a3eaa3007874f0d2a3ee467285313e84336a7550e06de52c86ff361696b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9.exe

Filesize
351KB

MD5
cdecfa866f6afdc28197256d599ea9d6

SHA1
3de6536984bb94009be0b5b3761239fdc861b4aa

SHA256
5b65a8e580bd4add0ebc2759cc1a9619bdb24a011f0256373e493e3143a49427

SHA512
8e6d69703364b7b2b7eba2bfcf039ae0bda91e88ed6d47946eaa3e2dc4b19566dffa1da5c355929e0bbe2172095c39ab5c99e703c41f27d2ab092a8d738ca78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B137.exe

Filesize
1.5MB

MD5
ce330a87078b27865f933d27f1239c8a

SHA1
48c79a789a595de5082c65a8cab995543ae445b4

SHA256
f2cd57fdb5835b43910fb4ec7829a6d08c54074d0657e78931b8b41cf3af27c7

SHA512
58b18db087eb2c54b7d117ffd8631e9c0978e004f06505b7275358d968d63c63bfde1edc05ab102e73358ff57762ead678e1241bc3a7cd55e17e0301a2a9e6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9A4.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\F57D.exe

Filesize
725KB

MD5
1e4a31d86b7890bb038908aef7c9c898

SHA1
5dd3dd0460c67983cafc92282307e7a3d15ea493

SHA256
79d2a17028a6442b48d12fb5cfe9015d8a5cae8f706f88082a4f3efed0a6981e

SHA512
687bc5f34a53a96e7e74fa46497d96425a0ba92aa59d52a240cbb13275f7646c93e5a4a861139c5be27e3d8feed40a5ea3a1bc67011923fd8c36f76fe3903095

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duxjaq1y.hqo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\uicfrbr

Filesize
313KB

MD5
49c1a7094df766b5e5868811f298b529

SHA1
c48fc045b5ee06e02d558f3c3551a463199725b9

SHA256
abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976

SHA512
c34cf47f715fffb4c4b9ec4ba587ea0c455d3baf7192408114b9f7260dbb1ee6b28c794157cfdd12c6048e99e9140220d77232bd9355cb96db7df9e566ba9490

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
8KB

MD5
4a1556d0d31eda1257008e6d77fe4e14

SHA1
c7b2310cee3314c49d85f70d8be1f676186507ae

SHA256
1fed4ec2a248f76c32730e409ebc4e34b2aeecda01e282c3d38b0f96a51c1ff6

SHA512
e745675989cc53d2286612a302b1459ce04c38ec0daa54950ebb3479c68e8c3f8157746bb2a17d80192aa8811a4bf7ba39f7d8cdc18cf67340ac9e24a89d15e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
21c29ce2398c338dec45a78bc2d86939

SHA1
c0c2c12b024b31df9ca69666cca9c5aa95fca398

SHA256
d36bb4a3f6c7f1e97cdc01fe64056b9468b84ef9070322f96d572964f04bbb4a

SHA512
122ee51acc2518941a199a029ef6ca7556c91a1f396abc0f5eb195019c053eb6d6a02749993de5cc22b0ae115402abc912e021bc23fb7d89b451a0f23fa6642c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b38782ab4347fbd17f1df83adfdb66b2

SHA1
1d763cced53771899129b5b88862fff790637856

SHA256
646d1d7d7153a82ad3adcdd1efa78cff39fe0b0010849294c947aa09cb28344d

SHA512
ae20a3c35e0ce995f243064e27b4c0313f095cfcdcbc58e40562e355daca1701f81e6b4e8b0eba48e638c4d29188bb91c534fff20771aee49af8ddd8bd24960e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
16ccb278987754ac7904e89c51e7c8af

SHA1
4c901177d4a3d90663d76cdcb78e757c8636d882

SHA256
d39ebf3fc13bad0382465079ea699f111bd26abbc4a25f1ac9382be3194efe24

SHA512
6cb61f0d15cc0cf03aa950ff34839c326d1a81f72e0a689a62b9bfcb6889d32edfe579f27b69c5ea8b801b836b2025e7c1c0ee830a21f9123f261e2cd06f3d69

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f20176e5518a2bd7d0f6e028bb5fcfa1

SHA1
8cfbcb9ddcd25c898ed52e1e22218ee1677e1c7f

SHA256
67382564657b99a05501f2862d2f60d7a6fa654171c713dc84adfa64b7bba403

SHA512
57a90326134fcbc801d261233e055e474be55745cc0bb61cb5fa18fb68f48c207335d8b681e72eb67229cded43ed00f7483b9fd8ac303ba6749a64e37d5d11e7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0d28f0966d76128ec263c2877d5fcc13

SHA1
967231d53850ad0a2661adde8032339a31d62951

SHA256
d69227852a15213531c8e9a60cf367de1b2ac17e1bc6e0c25a01d16a110ba7fd

SHA512
03ca2c7411108d1c0a681a3a549cfb6958c73e8e19677b283081ad6efae79fa1664fef7416117560498f5159f7022613588951a56afb8fb61a95a798215ea49b

Download Submit
C:\Windows\Tasks\explorgu.job

Filesize
288B

MD5
069d30f837fb0e32bfc7ea439a7bcf15

SHA1
fe6aeb11ac52b7e2f1923b5b62e90f65ba4e51c5

SHA256
e314b9058307ad8a26161480ff5fe004a70143fbbe0d4449fc9767182b0ae9dd

SHA512
5ddd18fcfd1659ea8e2d4417dc3fbdf2ccf2ae368f521895aa3e792de59d4a28e080ede39d489f1f59f448658661d9bcb4589112b4638cdfd78a2608858e1f00

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
26984b7e8f20df949a84fcd0186ab274

SHA1
6da52690931aa3a7d2cd2a70e077b9eeaba80953

SHA256
8aa544e4289dc9cbcaeaee9b145afb4e59a0f6a4298954ca04c2a7aa2711a45a

SHA512
46d86ce79928fef0090e5ac528e5d1337146c04accfbfe7071cf8de4d2322fb55d177b83d31f6729259903d3f0de5a0a6a447bc78698d0a2531f633daf592463

Download Submit
memory/400-553-0x0000000000060000-0x0000000000529000-memory.dmp

Filesize
4.8MB

Download
memory/560-65-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/560-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/560-67-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/652-375-0x000001BB6D610000-0x000001BB6D630000-memory.dmp

Filesize
128KB

Download
memory/1780-573-0x00000000007C0000-0x0000000000C89000-memory.dmp

Filesize
4.8MB

Download
memory/2216-593-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/2216-502-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/2424-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2424-71-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2424-76-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2424-77-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2424-80-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2516-58-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/2516-74-0x0000000003330000-0x0000000005330000-memory.dmp

Filesize
32.0MB

Download
memory/2516-75-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/2516-57-0x0000000000F60000-0x0000000000FBE000-memory.dmp

Filesize
376KB

Download
memory/2600-274-0x000002745B7E0000-0x000002745B800000-memory.dmp

Filesize
128KB

Download
memory/2600-284-0x000002745C210000-0x000002745C230000-memory.dmp

Filesize
128KB

Download
memory/2600-282-0x000002745C270000-0x000002745C290000-memory.dmp

Filesize
128KB

Download
memory/2796-61-0x0000000002330000-0x00000000023C4000-memory.dmp

Filesize
592KB

Download
memory/2816-378-0x0000000002870000-0x0000000002886000-memory.dmp

Filesize
88KB

Download
memory/3312-140-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3312-4-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/3372-229-0x0000000005300000-0x0000000005BEB000-memory.dmp

Filesize
8.9MB

Download
memory/3372-227-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3372-134-0x0000000005300000-0x0000000005BEB000-memory.dmp

Filesize
8.9MB

Download
memory/3372-165-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3372-136-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3372-133-0x0000000004E00000-0x00000000051FD000-memory.dmp

Filesize
4.0MB

Download
memory/3372-219-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3404-5-0x0000000000400000-0x0000000002D4C000-memory.dmp

Filesize
41.3MB

Download
memory/3404-3-0x0000000000400000-0x0000000002D4C000-memory.dmp

Filesize
41.3MB

Download
memory/3404-2-0x0000000004B90000-0x0000000004B9B000-memory.dmp

Filesize
44KB

Download
memory/3404-1-0x00000000030B0000-0x00000000031B0000-memory.dmp

Filesize
1024KB

Download
memory/3492-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3492-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3492-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3492-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3492-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3648-433-0x0000018A39220000-0x0000018A39240000-memory.dmp

Filesize
128KB

Download
memory/3648-412-0x0000018A38790000-0x0000018A387B0000-memory.dmp

Filesize
128KB

Download
memory/3864-414-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3864-382-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3864-268-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3864-442-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3992-125-0x0000000006170000-0x0000000006202000-memory.dmp

Filesize
584KB

Download
memory/3992-144-0x00000000738A0000-0x0000000074051000-memory.dmp

Filesize
7.7MB

Download
memory/3992-126-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3992-124-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3992-123-0x00000000738A0000-0x0000000074051000-memory.dmp

Filesize
7.7MB

Download
memory/3992-120-0x0000000005430000-0x00000000059D6000-memory.dmp

Filesize
5.6MB

Download
memory/3992-117-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4192-654-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4304-160-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4304-148-0x0000000005780000-0x0000000005DAA000-memory.dmp

Filesize
6.2MB

Download
memory/4304-201-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/4304-202-0x00000000078C0000-0x00000000078D5000-memory.dmp

Filesize
84KB

Download
memory/4304-203-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/4304-204-0x0000000007930000-0x0000000007938000-memory.dmp

Filesize
32KB

Download
memory/4304-209-0x00000000738A0000-0x0000000074051000-memory.dmp

Filesize
7.7MB

Download
memory/4304-199-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/4304-145-0x0000000002D50000-0x0000000002D86000-memory.dmp

Filesize
216KB

Download
memory/4304-198-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/4304-196-0x0000000007E50000-0x00000000084CA000-memory.dmp

Filesize
6.5MB

Download
memory/4304-146-0x00000000738A0000-0x0000000074051000-memory.dmp

Filesize
7.7MB

Download
memory/4304-197-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/4304-147-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4304-195-0x00000000076C0000-0x0000000007764000-memory.dmp

Filesize
656KB

Download
memory/4304-193-0x00000000076A0000-0x00000000076BE000-memory.dmp

Filesize
120KB

Download
memory/4304-183-0x0000000074420000-0x0000000074777000-memory.dmp

Filesize
3.3MB

Download
memory/4304-181-0x0000000074A30000-0x0000000074A7C000-memory.dmp

Filesize
304KB

Download
memory/4304-178-0x0000000007660000-0x0000000007694000-memory.dmp

Filesize
208KB

Download
memory/4304-177-0x000000007EE70000-0x000000007EE80000-memory.dmp

Filesize
64KB

Download
memory/4304-167-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4304-164-0x00000000067C0000-0x0000000006806000-memory.dmp

Filesize
280KB

Download
memory/4304-163-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/4304-162-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/4304-161-0x0000000005E20000-0x0000000006177000-memory.dmp

Filesize
3.3MB

Download
memory/4304-150-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/4304-149-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4304-200-0x0000000007870000-0x0000000007881000-memory.dmp

Filesize
68KB

Download
memory/4356-381-0x0000000000400000-0x0000000002D4C000-memory.dmp

Filesize
41.3MB

Download
memory/4388-228-0x00000000025C0000-0x00000000045C0000-memory.dmp

Filesize
32.0MB

Download
memory/4388-122-0x00000000025C0000-0x00000000045C0000-memory.dmp

Filesize
32.0MB

Download
memory/4388-121-0x00000000738A0000-0x0000000074051000-memory.dmp

Filesize
7.7MB

Download
memory/4388-114-0x00000000738A0000-0x0000000074051000-memory.dmp

Filesize
7.7MB

Download
memory/4388-113-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/4504-20-0x0000000002460000-0x00000000024FA000-memory.dmp

Filesize
616KB

Download
memory/4504-21-0x0000000002610000-0x000000000272B000-memory.dmp

Filesize
1.1MB

Download
memory/4584-625-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4584-621-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4704-236-0x000001EB01AA0000-0x000001EB01BA0000-memory.dmp

Filesize
1024KB

Download
memory/4704-224-0x000001EB016C0000-0x000001EB016E0000-memory.dmp

Filesize
128KB

Download
memory/5052-103-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

Filesize
256KB

Download
memory/5052-100-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/5052-101-0x0000000000030000-0x0000000000D15000-memory.dmp

Filesize
12.9MB

Download
memory/5052-99-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/5052-94-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/5052-95-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/5052-97-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/5052-102-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

Filesize
256KB

Download
memory/5052-98-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/5052-96-0x0000000000030000-0x0000000000D15000-memory.dmp

Filesize
12.9MB

Download
memory/5052-104-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

Filesize
256KB

Download
memory/5052-106-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

Filesize
256KB

Download
memory/5052-89-0x0000000000030000-0x0000000000D15000-memory.dmp

Filesize
12.9MB

Download
memory/5052-105-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

Filesize
256KB

Download
memory/5052-132-0x0000000000030000-0x0000000000D15000-memory.dmp

Filesize
12.9MB

Download