amadey | 7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323

Analysis

max time kernel
107s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-03-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
Size

309KB
MD5

32bcccc896374811a76edc42868632ff
SHA1

2538f0abd64c0e8b209381b312e9b0daeacec948
SHA256

7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323
SHA512

3e7da36ca3def2be9c21f6d5aec0317b3d7297cd56894d4c8e7d5feb8e484efb644e1e4180183dd29ba7ec910452076b6c311831eeb00d7502057b5c9935f2b0
SSDEEP

3072:7Qgtvzef0WK+6YYFEXytxx6xSWBh3hBm1qo6HzHdgSCWaUK:JtCTKdIiE0Qh3hWqn5gwi

Score

10^/10

amadey glupteba smokeloader stealc pub1 backdoor bootkit discovery dropper evasion loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3240-106-0x00000000052F0000-0x0000000005BDB000-memory.dmp	family_glupteba
behavioral2/memory/3240-120-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3240-183-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3240-250-0x00000000052F0000-0x0000000005BDB000-memory.dmp	family_glupteba
behavioral2/memory/3240-287-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba
behavioral2/memory/3240-361-0x0000000000400000-0x000000000312F000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

3383.exeexplorgu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3383.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

24 104 rundll32.exe
26 3476 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4028 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3383.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

flow	pid	process
24	104	rundll32.exe
26	3476	rundll32.exe

pid	process
4028	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3383.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3383.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3383.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Deletes itself 1 IoCs

Processes:

pid process

3224

pid	process
3224

Executes dropped EXE 17 IoCs

Processes:

E659.exe7FC.exeInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exeapril.exeapril.tmpactiveperl.exeactiveperl.exe1FEA.exeuns.0.exe3383.exe46AE.exeuns.1.exeexplorgu.exe288c47bbc1871b439df19ff4df68f076.exeIEHCAKKJDB.execsrss.exe

pid	process
5112	E659.exe
3272	7FC.exe
856	InstallSetup_four.exe
3240	288c47bbc1871b439df19ff4df68f076.exe
4924	april.exe
800	april.tmp
3004	activeperl.exe
4676	activeperl.exe
3168	1FEA.exe
1776	uns.0.exe
4816	3383.exe
3236	46AE.exe
1300	uns.1.exe
2024	explorgu.exe
4156	288c47bbc1871b439df19ff4df68f076.exe
4020	IEHCAKKJDB.exe
4512	csrss.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

3383.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Wine	3383.exe
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Wine	explorgu.exe

Loads dropped DLL 7 IoCs

Processes:

regsvr32.exeapril.tmpuns.0.exerundll32.exerundll32.exerundll32.exe

pid process

4444 regsvr32.exe
800 april.tmp
1776 uns.0.exe
1776 uns.0.exe
4340 rundll32.exe
104 rundll32.exe
3476 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4444	regsvr32.exe
800	april.tmp
1776	uns.0.exe
1776	uns.0.exe
4340	rundll32.exe
104	rundll32.exe
3476	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

288c47bbc1871b439df19ff4df68f076.exeIEHCAKKJDB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEHCAKKJDB.exe"	IEHCAKKJDB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

46AE.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 46AE.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	46AE.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3383.exeexplorgu.exe

pid process

4816 3383.exe
2024 explorgu.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe

pid	process
4816	3383.exe
2024	explorgu.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 3 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exe3383.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\Tasks\explorgu.job	3383.exe
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1812 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

460 3168 WerFault.exe 1FEA.exe
4292 856 WerFault.exe InstallSetup_four.exe
1720 1776 WerFault.exe uns.0.exe

pid	process
1812	sc.exe

pid	pid_target	process	target process
460	3168	WerFault.exe	1FEA.exe
4292	856	WerFault.exe	InstallSetup_four.exe
1720	1776	WerFault.exe	uns.0.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exeE659.exeuns.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E659.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E659.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uns.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E659.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uns.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uns.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uns.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	uns.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	uns.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4432 schtasks.exe
2548 schtasks.exe

pid	process
4432	schtasks.exe
2548	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3092 PING.EXE

pid	process
3092	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe

pid	process
2428	7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
2428	7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224
3224

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exeE659.exe

pid process

2428 7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
5112 E659.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exeIEHCAKKJDB.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeDebugPrivilege	3240	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	3240	288c47bbc1871b439df19ff4df68f076.exe
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeDebugPrivilege	4020	IEHCAKKJDB.exe
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeDebugPrivilege	1036	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeShutdownPrivilege	3224
Token: SeCreatePagefilePrivilege	3224

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

uns.1.exe

pid process

1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

uns.1.exe

pid process

1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe
1300 uns.1.exe

pid	process
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe

pid	process
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe
1300	uns.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe7FC.exeapril.exeapril.tmpInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exe288c47bbc1871b439df19ff4df68f076.exeexplorgu.exeuns.0.exerundll32.exerundll32.execmd.exeIEHCAKKJDB.exe

description	pid	process	target process
PID 3224 wrote to memory of 5112	3224		E659.exe
PID 3224 wrote to memory of 5112	3224		E659.exe
PID 3224 wrote to memory of 5112	3224		E659.exe
PID 3224 wrote to memory of 1084	3224		regsvr32.exe
PID 3224 wrote to memory of 1084	3224		regsvr32.exe
PID 1084 wrote to memory of 4444	1084	regsvr32.exe	regsvr32.exe
PID 1084 wrote to memory of 4444	1084	regsvr32.exe	regsvr32.exe
PID 1084 wrote to memory of 4444	1084	regsvr32.exe	regsvr32.exe
PID 3224 wrote to memory of 3272	3224		7FC.exe
PID 3224 wrote to memory of 3272	3224		7FC.exe
PID 3224 wrote to memory of 3272	3224		7FC.exe
PID 3272 wrote to memory of 856	3272	7FC.exe	InstallSetup_four.exe
PID 3272 wrote to memory of 856	3272	7FC.exe	InstallSetup_four.exe
PID 3272 wrote to memory of 856	3272	7FC.exe	InstallSetup_four.exe
PID 3272 wrote to memory of 3240	3272	7FC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3272 wrote to memory of 3240	3272	7FC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3272 wrote to memory of 3240	3272	7FC.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3272 wrote to memory of 4924	3272	7FC.exe	april.exe
PID 3272 wrote to memory of 4924	3272	7FC.exe	april.exe
PID 3272 wrote to memory of 4924	3272	7FC.exe	april.exe
PID 4924 wrote to memory of 800	4924	april.exe	april.tmp
PID 4924 wrote to memory of 800	4924	april.exe	april.tmp
PID 4924 wrote to memory of 800	4924	april.exe	april.tmp
PID 800 wrote to memory of 3004	800	april.tmp	activeperl.exe
PID 800 wrote to memory of 3004	800	april.tmp	activeperl.exe
PID 800 wrote to memory of 3004	800	april.tmp	activeperl.exe
PID 800 wrote to memory of 4676	800	april.tmp	activeperl.exe
PID 800 wrote to memory of 4676	800	april.tmp	activeperl.exe
PID 800 wrote to memory of 4676	800	april.tmp	activeperl.exe
PID 3224 wrote to memory of 3168	3224		1FEA.exe
PID 3224 wrote to memory of 3168	3224		1FEA.exe
PID 3224 wrote to memory of 3168	3224		1FEA.exe
PID 856 wrote to memory of 1776	856	InstallSetup_four.exe	uns.0.exe
PID 856 wrote to memory of 1776	856	InstallSetup_four.exe	uns.0.exe
PID 856 wrote to memory of 1776	856	InstallSetup_four.exe	uns.0.exe
PID 3240 wrote to memory of 4952	3240	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 3240 wrote to memory of 4952	3240	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 3240 wrote to memory of 4952	3240	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 3224 wrote to memory of 4816	3224		3383.exe
PID 3224 wrote to memory of 4816	3224		3383.exe
PID 3224 wrote to memory of 4816	3224		3383.exe
PID 3224 wrote to memory of 3236	3224		46AE.exe
PID 3224 wrote to memory of 3236	3224		46AE.exe
PID 3224 wrote to memory of 3236	3224		46AE.exe
PID 856 wrote to memory of 1300	856	InstallSetup_four.exe	uns.1.exe
PID 856 wrote to memory of 1300	856	InstallSetup_four.exe	uns.1.exe
PID 856 wrote to memory of 1300	856	InstallSetup_four.exe	uns.1.exe
PID 4156 wrote to memory of 3248	4156	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 4156 wrote to memory of 3248	4156	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 4156 wrote to memory of 3248	4156	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2024 wrote to memory of 4340	2024	explorgu.exe	rundll32.exe
PID 2024 wrote to memory of 4340	2024	explorgu.exe	rundll32.exe
PID 2024 wrote to memory of 4340	2024	explorgu.exe	rundll32.exe
PID 1776 wrote to memory of 4736	1776	uns.0.exe	cmd.exe
PID 1776 wrote to memory of 4736	1776	uns.0.exe	cmd.exe
PID 1776 wrote to memory of 4736	1776	uns.0.exe	cmd.exe
PID 4340 wrote to memory of 104	4340	rundll32.exe	rundll32.exe
PID 4340 wrote to memory of 104	4340	rundll32.exe	rundll32.exe
PID 104 wrote to memory of 1244	104	rundll32.exe	netsh.exe
PID 104 wrote to memory of 1244	104	rundll32.exe	netsh.exe
PID 4736 wrote to memory of 4020	4736	cmd.exe	IEHCAKKJDB.exe
PID 4736 wrote to memory of 4020	4736	cmd.exe	IEHCAKKJDB.exe
PID 4736 wrote to memory of 4020	4736	cmd.exe	IEHCAKKJDB.exe
PID 4020 wrote to memory of 1660	4020	IEHCAKKJDB.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe
"C:\Users\Admin\AppData\Local\Temp\7eced172f0eaf5cfd41d824ff44730b689a516911ce719c0cc3fa700c737d323.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2428

C:\Users\Admin\AppData\Local\Temp\E659.exe
C:\Users\Admin\AppData\Local\Temp\E659.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5112

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F7FD.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\F7FD.dll
  2⤵
  - Loads dropped DLL
  PID:4444

C:\Users\Admin\AppData\Local\Temp\7FC.exe
C:\Users\Admin\AppData\Local\Temp\7FC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\uns.0.exe
    "C:\Users\Admin\AppData\Local\Temp\uns.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IEHCAKKJDB.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Users\Admin\AppData\Local\Temp\IEHCAKKJDB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IEHCAKKJDB.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\IEHCAKKJDB.exe
        6⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:3092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 2440
      4⤵
      Program crash
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\uns.1.exe
    "C:\Users\Admin\AppData\Local\Temp\uns.1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 688
    3⤵
    - Program crash
    PID:4292
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:3248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:780
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:1624
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      PID:4512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1092
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4432
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:3444
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:4340
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2548
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:1812
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\is-3Q04N.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3Q04N.tmp\april.tmp" /SL5="$90234,1755793,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Active Perl\activeperl.exe
      "C:\Users\Admin\AppData\Local\Active Perl\activeperl.exe" -i
      4⤵
      Executes dropped EXE
      PID:3004
  - - C:\Users\Admin\AppData\Local\Active Perl\activeperl.exe
      "C:\Users\Admin\AppData\Local\Active Perl\activeperl.exe" -s
      4⤵
      Executes dropped EXE
      PID:4676

C:\Users\Admin\AppData\Local\Temp\1FEA.exe
C:\Users\Admin\AppData\Local\Temp\1FEA.exe
1⤵
- Executes dropped EXE
PID:3168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1148
  2⤵
  - Program crash
  PID:460

C:\Users\Admin\AppData\Local\Temp\3383.exe
C:\Users\Admin\AppData\Local\Temp\3383.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3168 -ip 3168
1⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\46AE.exe
C:\Users\Admin\AppData\Local\Temp\46AE.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 856 -ip 856
1⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:104
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084248216164_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:892
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1776 -ip 1776
1⤵
PID:4724

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Active Perl\activeperl.exe

Filesize
1.3MB

MD5
e7810d44f6f53cbaa66c3b3d9a429fef

SHA1
0e3f1bdde50094ba5d87ceeee58b28eb71ec21d5

SHA256
1d8a70e065b6f62ef98adafc641aa25ea681f3fc254b40cd2fd038ac3df2a7ff

SHA512
c52677846b21defa43827c1e190a276296297ba325f6f6dadbdbc8779532a61d58f86d3735f55ac69e2912ef7d02e6fdc44f24eb0fb335bc5204eb6a2cee633b

Download Submit
C:\Users\Admin\AppData\Local\Active Perl\activeperl.exe

Filesize
1.8MB

MD5
dfaebd8bebcff34742f85967c402418e

SHA1
ada1d8365c749b1577eb7deaaa32616a0f96223a

SHA256
080cf4f8d507e6b41cad079ab942cbfb4db1e84a9afffa96225be7d2bfb28bf4

SHA512
ac2739352be29717e314e025c6d06ca0ba03745b034e79bf4b5d512bc5735b0723401427283f3e678971df92d1f69100616fd3d1c5dda9fa2adb5e49a55403bb

Download Submit
C:\Users\Admin\AppData\Local\Active Perl\activeperl.exe

Filesize
1.4MB

MD5
af09d96340895c1f6ec774cef70a766a

SHA1
513bdab53ff56198a16b4ba48fbb3793c2c603ae

SHA256
ebc8b0f09eae33c73a7127afa90010870c0aa809b6474cdeede44b6e2c4b5091

SHA512
08a7df587a0c07b184fe78f8f24bb0eb54ddbedabf7d0f38127a57ec3e0e3017fe32c2ea86bd494ef742aeae8cc1ec12079a3f02b34bf44f3f8581c42e51e64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.1MB

MD5
817113ff0299a0bc521fe2acafd4d538

SHA1
574207f5e5c094dd5972f6efa465e7f8768fa954

SHA256
86a44e8c01fac68c8d62f6a4416f68f820dec4675f998a196c82d00d75ee901a

SHA512
54e06cef7e8f1bc9eb8308aa129eb58c792eccbdbd675266e222e8c80575d0239c538ee5ba15f5783ec8535a154f5fd6d74858c4db801c09b5bd8498b8cb618b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
640KB

MD5
449cd909c208ef546b88f4d1892fe409

SHA1
326b8a661fc98d21865dac14540e903324a9a337

SHA256
db915a30e5a9d3c893dee1b22eacbe3a35c3a242158d1a1f9fd7079195b8bc96

SHA512
2605c069660d7a0f818f422a853a4a2f15807c17cc30e8b59ac01b0f269884aef9ea3180819571f989a4a71211be4a0d74ef1136b4c88861ed56a29efa75a4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
512KB

MD5
55a26d13586475b96b550cdae461fc3d

SHA1
c4e757f9c5afacf8566545ee1ffb675a4830b62b

SHA256
bb4e7ff792b1355c27833f590c368f58a62321ec87f83ea2af1eb67d1e2dccad

SHA512
1c1b337f9bdfe1981bd0dad20db9093db49f0cfb82c1726405f75a13d82a09bf70e0c6a08cad919fd680b98aec7c7f83b8f4b552c4e4db94b042cc6edbce5c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FEA.exe

Filesize
2.1MB

MD5
ad0bae4a049d896fcf85620b064c3f23

SHA1
c4e0318d8b7c29a75268f17773c97ae4c4b226bf

SHA256
04b6decd17851b66037660cb4041e67cd74484585f8f984bee7dc2e6a321ec00

SHA512
569f07b2b1a1e41da120f1269bc04b3969a46b9fbc9d839e7a8d9cac7aa72a90226fdfde3194a0d0b77e35d9374f51a4d983aca4754a28f251bd08b2c2df5039

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FEA.exe

Filesize
1.1MB

MD5
8b643578c2dae8c4e43284a00eace19c

SHA1
3b41b13bd7b4ffd45d9498ed4d7f0e3e0c196945

SHA256
e9f2822e303c284e368e0e150acc4ae585b870ab0cf23de7a2a26f6c15eb2214

SHA512
e2b37ef92ce8768a58000c7fa916fcbda01e59cf84fe48091f14782c2159dee1e760eb0ce96c88f14e66b421393ea8907119b2a2b2849bebfaff3595bd5776d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
896KB

MD5
b5d1f4eb8b6a2c1aa5f9bc5d0c54a520

SHA1
02e46dcb86d9a3e49afc585cec9e3518f1e27da9

SHA256
877f5add212d70891d31320a480865f31225871485608e53a345c01de0e5a428

SHA512
5e5f18532f2d713ab0c600cef42355e5078b276db640480655aa2635c5699a09ba237d5ac894b60133fdca2efc3d993232794c6f7c72f3b28ebb27bf12edd996

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
128KB

MD5
a59f4d9df4a10e1f713844774e831865

SHA1
282d45fe64383a03527bf3616325700236ae8a37

SHA256
0d078f1d6c96ee683c0fa564291d54bc29a1a5f525cf6fff6044422d716fed8c

SHA512
751d50e10af4c06f4d85dba9c2f94b8a974c6b71a85b7f740aca0bb9b1146cc2165415c9cd4b1de973483644dcdddc3e8355f31a21aed030b10ad41386b59522

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.6MB

MD5
0bc8f16487157005e8ee2f180ec4c8d9

SHA1
a39fe22d858bc7ab021334835258d35165ecae46

SHA256
8e06eac7670b39ce664eb2c659697de81630e1f9936b6310dd2b95a25ffea4a2

SHA512
959ac4ef06bb644938a581815c598701fdbf656ece97c07b01dba3957b2a0f922644ab58727abd4bf9a2838060dc1d552770db892f0f76446ac32938e496d6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
64KB

MD5
b52086950f1a3faf8db325e2a5f5d4bd

SHA1
bd456da168e020147e3b14df15ddabb54e56a312

SHA256
0a9f3c480b7babde15036f6dda4b3bb8cec447ece65dad5636361cc2fb729947

SHA512
b501f21493e206a5502221dae62601db49a96daf7c81b78a8056e9a2291124dc25b0d1c76acf024c8dbab641e7e93ad3063217670bdc3f718013cf4d45523238

Download Submit
C:\Users\Admin\AppData\Local\Temp\3383.exe

Filesize
1.8MB

MD5
cf9db0407cd91ac0ddafa0858fd26eb8

SHA1
f1bcc2513d403b28e008698dad7abf78b2fc4a9b

SHA256
99e84937d8934aed0bd610814d5bc76622abd74230f1d2cec2aa3d33580e1a90

SHA512
3aa696d2ff94a3ca02816b62215f63bb5cd45f61cd5e9db11b54d3ca0fdc932890dd54341d117798d8f7ee3bfc2d7832d29396f1ea195f796c354faadba86654

Download Submit
C:\Users\Admin\AppData\Local\Temp\46AE.exe

Filesize
1.1MB

MD5
679e0c9d77c16f8529e6a08486c3a9c1

SHA1
8e74ee4ac19b5653981a1d8378aeda9e6fc1b009

SHA256
585e21bcd0f3c05c51f4aa74f554e0a648370facb8b90134680c2e49b5fc272e

SHA512
54195de01cdbf53812f172931d66ff8ee510f78ac972737c71a57fbae1a3b8b7a295347bba81ff38fa0ab934eb4cb60c90e267acdd512ec1b9e90831db454acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\46AE.exe

Filesize
1024KB

MD5
9f20738c90125353d0303dfdae015bf1

SHA1
589aa7034fe94fa4743c9bfa5e1c5a94c9d6c88b

SHA256
4d0ba58b431c48a321a687ffd675fd3f370237ba3438f16a82d0e406e44b7f04

SHA512
76e5c605424d330a2df686fa2918ab84148ef781ecb27b11710fd170bb2faac69f1cb7818f29be13732ee8a639cbb5e2f817e375b0e88fadac793298c1bbe4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FC.exe

Filesize
3.4MB

MD5
2ef3eb03e296e0def582152e3dfda833

SHA1
5be3625fb94058b05a3121f5ed19a7972d7bb7e8

SHA256
569f74a3d8a95064cd845695a35add3a8554f4bf2847953140e0eee7d14e287d

SHA512
1673799324a9c76e7963a0ed162acc092e6afa009a89f0dbda7184d56e2597fd7cc389fba61ef1036f568e1650f902efd7f6feb4dd9d9be1fd467c5c9ce5bdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FC.exe

Filesize
4.1MB

MD5
29c628a32667cd5be0e8109a8b6b8c46

SHA1
24841a1f0461244705f1d0dcdac2e926c2e4f1a6

SHA256
21755d1b41c06baae7d51807d71ede3ba57f1f4e48396ad7f89a61915cad8ab6

SHA512
ac6f3196b38570b35c2d1c5f0e8955f6206d3aeb507810426217fec2a4bcb15bdae0f8b5e88231e8d655b700df2e8e5dd7af331c74e517a7431613613b14b175

Download Submit
C:\Users\Admin\AppData\Local\Temp\E659.exe

Filesize
309KB

MD5
06a2c882a216f54c113178755f132707

SHA1
a0406b7c56d8d7edf5d212ebbfec94de16ea0a45

SHA256
6871242934d994b905290524f24ebf97742315405158650cc4428f16483ac9c3

SHA512
6ea36637e30a324a2935f09fda879af8a80e42e3735e6fa9147b2d92f4dbe9fd2d1f1ea17c4fcc01ca356610a4ca811de2e194c3faa801fdfd66a36817d3d8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7FD.dll

Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEHCAKKJDB.exe

Filesize
101KB

MD5
42b838cf8bdf67400525e128d917f6e0

SHA1
a578f6faec738912dba8c41e7abe1502c46d0cae

SHA256
0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d

SHA512
f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
462KB

MD5
d3a4af01113e3f90694baa0b576ae6d3

SHA1
e04522a745e32d51352963c2c649b54d0b0d70fe

SHA256
e10386c8f6eea263564dd6932b0436864e9a3840a98bd3432dfb7d00d806a22e

SHA512
619b6397bf610497216562f06d533b5036e046a67a6593758e2f9e97c413b592d1db29fbb72e9730a5dce0968b23c0325f9532cdf04c0a97d4b034b6b38d9bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wmvl3yg.4eu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
2.0MB

MD5
c4aa5d1690de28d9c1a2abeba44f3020

SHA1
f698a4ca22445b404c0090d34e857abcce0b26da

SHA256
1e2d59eb46ce12d34cff40848629324908399308761e6db5d228b7dd44a692d1

SHA512
877ac5f148a94699452cefeee8781771a04f796dbfa6d38e0743534907b5f1c8c78edd1125020b2f3d5789ef15594ffbf2e6622e7d6bec8b005d05bc5936c436

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
1.1MB

MD5
e31069bb8bb58c20dfc0d55b087db66a

SHA1
781c647da173804dc3ca76f780078e0503840d00

SHA256
640970231697afc69af1014e82b62d4bff1de5e4dc85a2fce1c58d1a6c77536e

SHA512
a13c7db876c0d2651ba41adb23e054a5c0ef9e5ace747c6c111893440bcd49c9fce60e78f09b6d231c1976fa239888098e9d7d1a697cc640496bf4969f8df6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
f378e90b1f1fafd51650605198ea95d4

SHA1
d0fcc0b282d01166d818063391d056919b9e3a4b

SHA256
cdeed5c25b510b71b1fface22167de95704b5470945040ac653ddecb2f2a1a52

SHA512
29112484811540366b92314783d02ef689211b5b96c03c0196c445200543d888f04e10f7d6dd46fb8f7e178be5647b3b7fef629c671b876fb77a808df8e8bd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
528680dda405b712a370a0e24665d889

SHA1
2730bf63de8892e3a2b738d10abf1e86f91bf5fe

SHA256
0d90478db0667fed365a4a7ca45277dbd1b8ed63e320f292fa1069f3946bf11d

SHA512
44d7a4e0c75962ce050590ee0180b78fdd21e2d63c46b8d215ffadd4dc0bd071e428d7d84965d360c90be8353c24e3da5c3e3297b7864d0989a9ae5feca03b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3Q04N.tmp\april.tmp

Filesize
677KB

MD5
b80c8b25d51b2c8db1ee8e84a54d78c2

SHA1
cb8415eb7af036fbc5f442bf256ba74a705ae2ed

SHA256
9b36062e8f376b08aa7fc77f7c68e2924a844f09450d376eb2171522d35966f7

SHA512
479375f5c1eb54017d91ea9f8ddbea3d13eaf1992a94d26f25a7dca0af365e1bfcde1bc545cb013232736da3f338e3fb3be61d2ac686dceb2d899ee46e33c7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KPH93.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\uns.0.exe

Filesize
308KB

MD5
1022296982380f4b385d9624f8be96b6

SHA1
f2fea483faea844b09b997bca27df717086f09d7

SHA256
a8111b3ec21c2dd38614e6b43855295d7f2c639a1d36540d15f67a7d0b766976

SHA512
b626b7d8e216c6c9c9cad23f8767f6b048fd5d67fb5bbc699212f5e94e92e7df4c898d317fde8a467b918e65f19fd0770bff56a7aca1f97461b2af9bb63508ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uns.1.exe

Filesize
2.3MB

MD5
da50683a00bece4a8766894e1244b8cd

SHA1
c87013115d52635ef7dec715651efb1b80968ebb

SHA256
47bb1147e34d0e7a2cb1aaf098c05be4863fbf1a3f838143d44c708fcdd98f4e

SHA512
60a023e320174e94d6f74cb632b2ea4b08fba31d058e8ab63def9160a4f9d9ec7df6b472674121d202eca85f28eb292ad16b1461874edeba758d8073c52d1039

Download Submit
C:\Users\Admin\AppData\Local\Temp\uns.1.exe

Filesize
1.8MB

MD5
f1ceee43de59778e8c46b51777d8e650

SHA1
09ccedec1382ec35212e1805ea7603e2434a6745

SHA256
19a534ea47e70dbdaace25f9128c3892b027ecf593ce66644656a816aec917aa

SHA512
cf3ba404c5dcb94c369de0e05986a3093e56e0639c6a86d34e07bc6e0487221c63129555d4f2c1e7c6a532036c54bd1635687f42e8d7c8ab0b85abdc095171b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uns.1.exe

Filesize
2.2MB

MD5
6490a1b09dc5035de5c33b45f5b0af17

SHA1
248a388f0e1f070d5e1a216c66b79079c61ee142

SHA256
54775cc8edc04e86c8fa81006ff455137ba885ad0532d3ceb2416ff6955f1244

SHA512
deebf46841e3c3510d92ccae7f262ecf2e7fc9260b83c080c04ce9d721756906ffab4e122058c2de2974bfa12d2bbe7cf9d2d52f6ffc75c930e6886eb02a5b8f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
58e1bc68cae045cd472efbd81bbb9d54

SHA1
e74cb981a49b3de7c9cd8efa2e98534150e338f5

SHA256
d7af37982bfde2086b0fc147eb551d572f595160b25bfcd700287f8ce4581621

SHA512
e0361f9e5e9fb4baf5ee38fb971aa4493d0b20d1e1e8e8c3d9f582e116a33b935cfcc57d7df259984170c932b12507b6e22c607bddf75367725cb530041f7f7d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
640KB

MD5
8797aa2e2071a68bad19e87bc5ffbfde

SHA1
7ec594cc608ebe2d8b02904884f3c49516a4a557

SHA256
8012deedc605cb859912ab19c907ae170397b6c673d44c7aaabdd81ab87674a4

SHA512
cabc364faf55796d20faded4304b845ab3b17fab3b222115a13081cf3e99c67c505f9788a1463673a52ed78a9f2b64e11d132e73165e67aa9be4da6db69d2ec3

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
448KB

MD5
0b9fd51c3214dca29e5f2f3d9d78c83a

SHA1
5cfd912d53a63ce702c2874a9d317e158ec5d751

SHA256
af3da92fdc2266cdca76d757ce8e3d3ccdcb232bbead6599b815734bfdd13cb8

SHA512
88a0a0df0aca10b2cae34f3f8cefe28450e1d7446b7a7ada3947e332e7d27961979e928a4da4e38c8344642f8aaeb517ba64170c9a27b439414c2fa1b497c691

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
384KB

MD5
784e5316cc19e70f60214f7ee115e43c

SHA1
11cc0f48d317b680a18083e1380cb50d0189560c

SHA256
2fc3b3eecbde36b4f5d63648f3d664bc1edf1c1046f508ef16c84962788d2bdf

SHA512
f85dd8db999ef784b4c8ee65f158130e6983519b2ffd52fd2324a84ef74eccfc85a34e949362589c7bdd6c5162570d1f0d8e24bec3467c53a97b7cec1a1ca646

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7684dff0dac943920ad5b1b9b4a67907

SHA1
e39959d289888a816e02c5910c1c61f00f581ec2

SHA256
d94caeb9512e0214a66def74a190d019bf9d7f5a8a9557c7ae1c89e23d7db439

SHA512
9ffab04fd2fd3e69b14b17aaf4093a458891df0359fc98f36ff8f8aa52ff58248f9c029616a705cc8bf0fc4b77fc214b640fb4e615694c4de1dbcf4a9805d9e2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
419204497b1c55e172369d438d46cc17

SHA1
cc16dbd58c3aefd0c962a85c99653f99a37f26f3

SHA256
72d92b769982c64cb988b7c1234fbba67e91df6040c51f0bcafa5f35b3773ddb

SHA512
69f8aedf7667f05d0a62d93d95dde44c321bf43ad25d7a31f6253b7a054bfc4580ab30309cfbd11b60446e409217358f8d2c4e6e45822bc332fe687b50aa0f6e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
023473d886a968798cc8c7234f9bc8f2

SHA1
422106ccbda2a5ebbf6b586ae0386ece546e5037

SHA256
b47fd3f809b283aaea3b0283d98b10d8004b61a31f5fcf404f2633cf879d6f80

SHA512
14c229eec79d213071c6e0ab97f3879c041ce20e45f790c70b6ebf88dcab21760bd9a882618833b0ed1b29386284ea0340f12f241a53a681904ef65c5047a0a6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2413a87227d1a5adb825d9d39851ae9c

SHA1
5c9788966efd209505fc8257d7be262a0ebc0085

SHA256
b38f751ea55938f1a8a60fcb3f7a7bcb9ecacc1825066a97e605aef0c3302468

SHA512
8279f9a4f6d4cdc6566ec4cdd956178f7ef5b2be7b8d8ba037b68da55f4add81801e64437cfa890062d71a46258fbece06ea74eaa98edab482bf99704363218e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
46c9aa7136104683848e65af57cbc21a

SHA1
3a34d20f8f96a2a8637e89ab04bcab387692d425

SHA256
5cd3e81fb55686c90d51934c638006607437aba7d8f9e6c49c0937c1b7b5e44b

SHA512
768e87152a414cd240d535e9667b20faa7066773fb4e40a8cbdda7c0582517f5633778fd3e1c6c234ceca3c2b00c03ed88af1fc83b15a089b982b78bd8be7101

Download Submit
C:\Windows\rss\csrss.exe

Filesize
2.2MB

MD5
0f7a01d0087fbb24f471bd17511fbe65

SHA1
9db28ac124cd16221f1166131323c6ea76cc4e3f

SHA256
c2896a0edb496e17cbf2a4f21edeb34b513558aebdc894cf57f8da4b05c53666

SHA512
f552ac75517ff11e5b294a1688ba579e1e3ac7d4accf17b95caa06bf88d53f0b93be3423fb1b9d7164d79e6d4e9228f1556474679c41cdb3099f121093f70c24

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.6MB

MD5
bae00cea1a31d63ac02b85cc42725069

SHA1
8c433ac896ae0cf3f44aaedc5c18fef31f11b537

SHA256
ba1508b4996ae5a2cb538d4de9b40bb8782ce6c15686ac5b02fc902e56883275

SHA512
6f3fc174b66fe6a40bc264a13fe0aa5643b09ad5524276c1462d17decdabda1863b44aa2f8f427a3214907639074a3313161063b5e4925762e33d2a2d3fce673

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
1.1MB

MD5
e8936d6e1cab6b327879d191a2ef0e55

SHA1
7fbf6e58d0e599d1044a52ef9d1753f06608335c

SHA256
36e0b0de3b7a51b5a6f84008fc644bc8b889f00305c7a2c9614c414a79fbc4f0

SHA512
5d5760398597eaee5a066065daa311fd5ffed678c95452e7ed9675f9293b6804fbed312f11f2a8e3827d9966f16d01831e0d28c90792aead79d70add92708b1d

Download Submit
memory/800-107-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/800-195-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/856-48-0x0000000004990000-0x00000000049FF000-memory.dmp

Filesize
444KB

Download
memory/856-231-0x0000000002FB0000-0x00000000030B0000-memory.dmp

Filesize
1024KB

Download
memory/856-284-0x0000000000400000-0x0000000002D71000-memory.dmp

Filesize
41.4MB

Download
memory/856-180-0x0000000000400000-0x0000000002D71000-memory.dmp

Filesize
41.4MB

Download
memory/856-71-0x0000000000400000-0x0000000002D71000-memory.dmp

Filesize
41.4MB

Download
memory/856-45-0x0000000002FB0000-0x00000000030B0000-memory.dmp

Filesize
1024KB

Download
memory/1300-367-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1776-184-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1776-278-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/1776-146-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/1776-365-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/1776-145-0x0000000002FB0000-0x0000000002FD7000-memory.dmp

Filesize
156KB

Download
memory/1776-152-0x0000000003010000-0x0000000003110000-memory.dmp

Filesize
1024KB

Download
memory/2428-2-0x0000000002E60000-0x0000000002E6B000-memory.dmp

Filesize
44KB

Download
memory/2428-3-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/2428-5-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/2428-1-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/3004-112-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/3004-115-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/3168-141-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3168-137-0x0000000000FD0000-0x0000000001376000-memory.dmp

Filesize
3.6MB

Download
memory/3224-25-0x0000000003740000-0x0000000003756000-memory.dmp

Filesize
88KB

Download
memory/3224-4-0x0000000001390000-0x00000000013A6000-memory.dmp

Filesize
88KB

Download
memory/3236-251-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3236-306-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3240-183-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3240-106-0x00000000052F0000-0x0000000005BDB000-memory.dmp

Filesize
8.9MB

Download
memory/3240-85-0x0000000004DE0000-0x00000000051E6000-memory.dmp

Filesize
4.0MB

Download
memory/3240-361-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3240-120-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3240-287-0x0000000000400000-0x000000000312F000-memory.dmp

Filesize
45.2MB

Download
memory/3240-250-0x00000000052F0000-0x0000000005BDB000-memory.dmp

Filesize
8.9MB

Download
memory/3240-248-0x0000000004DE0000-0x00000000051E6000-memory.dmp

Filesize
4.0MB

Download
memory/3272-70-0x0000000074080000-0x0000000074831000-memory.dmp

Filesize
7.7MB

Download
memory/3272-34-0x0000000074080000-0x0000000074831000-memory.dmp

Filesize
7.7MB

Download
memory/3272-33-0x0000000000930000-0x0000000000FE4000-memory.dmp

Filesize
6.7MB

Download
memory/4444-105-0x00000000032D0000-0x00000000033F3000-memory.dmp

Filesize
1.1MB

Download
memory/4444-128-0x0000000003400000-0x0000000003508000-memory.dmp

Filesize
1.0MB

Download
memory/4444-123-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/4444-139-0x0000000003400000-0x0000000003508000-memory.dmp

Filesize
1.0MB

Download
memory/4444-24-0x0000000001510000-0x0000000001516000-memory.dmp

Filesize
24KB

Download
memory/4444-22-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/4444-124-0x0000000003400000-0x0000000003508000-memory.dmp

Filesize
1.0MB

Download
memory/4676-229-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4676-305-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4676-127-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4676-364-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4816-178-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4816-188-0x00000000008C0000-0x0000000000D7F000-memory.dmp

Filesize
4.7MB

Download
memory/4816-170-0x00000000008C0000-0x0000000000D7F000-memory.dmp

Filesize
4.7MB

Download
memory/4816-172-0x0000000077346000-0x0000000077348000-memory.dmp

Filesize
8KB

Download
memory/4816-174-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4816-175-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4816-177-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/4816-176-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4816-179-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/4816-173-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4924-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4924-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4952-249-0x0000000006E60000-0x0000000006F04000-memory.dmp

Filesize
656KB

Download
memory/4952-255-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/4952-228-0x0000000006E00000-0x0000000006E34000-memory.dmp

Filesize
208KB

Download
memory/4952-197-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/4952-232-0x000000006E5C0000-0x000000006E917000-memory.dmp

Filesize
3.3MB

Download
memory/4952-181-0x0000000005F70000-0x0000000005FB6000-memory.dmp

Filesize
280KB

Download
memory/4952-256-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/4952-252-0x000000007FDF0000-0x000000007FE00000-memory.dmp

Filesize
64KB

Download
memory/4952-285-0x0000000007070000-0x0000000007085000-memory.dmp

Filesize
84KB

Download
memory/4952-247-0x0000000006E40000-0x0000000006E5E000-memory.dmp

Filesize
120KB

Download
memory/4952-283-0x0000000007060000-0x000000000706E000-memory.dmp

Filesize
56KB

Download
memory/4952-253-0x00000000075D0000-0x0000000007C4A000-memory.dmp

Filesize
6.5MB

Download
memory/4952-254-0x0000000006F90000-0x0000000006FAA000-memory.dmp

Filesize
104KB

Download
memory/4952-230-0x00000000707B0000-0x00000000707FC000-memory.dmp

Filesize
304KB

Download
memory/4952-171-0x0000000005A30000-0x0000000005A7C000-memory.dmp

Filesize
304KB

Download
memory/4952-292-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/4952-266-0x0000000006FF0000-0x0000000007001000-memory.dmp

Filesize
68KB

Download
memory/4952-169-0x00000000059E0000-0x00000000059FE000-memory.dmp

Filesize
120KB

Download
memory/4952-164-0x00000000055B0000-0x0000000005907000-memory.dmp

Filesize
3.3MB

Download
memory/4952-154-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4952-147-0x0000000002530000-0x0000000002566000-memory.dmp

Filesize
216KB

Download
memory/4952-155-0x0000000071F80000-0x0000000072731000-memory.dmp

Filesize
7.7MB

Download
memory/4952-153-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/4952-151-0x0000000004A30000-0x0000000004A52000-memory.dmp

Filesize
136KB

Download
memory/4952-149-0x0000000004F10000-0x000000000553A000-memory.dmp

Filesize
6.2MB

Download
memory/4952-150-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/4952-148-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/5112-16-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

Filesize
1024KB

Download
memory/5112-17-0x0000000002EA0000-0x0000000002EAB000-memory.dmp

Filesize
44KB

Download
memory/5112-18-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/5112-28-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download