amadey | bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c

Analysis

max time kernel
95s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
Size

316KB
MD5

755ccb1dc0ab20bb5bbb3c51d4852062
SHA1

b46aba8e7631ac844f164d515e4f55ad8e2f47ad
SHA256

bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c
SHA512

cbaca1c9d87a290a6c095df24a3816f8617aef2a36192444c9dc860c741e913cfcece0fb98a325d1e4d7f4d913203c6b2a5ac6b8de76c47bd7ff2c76cf8462c3
SSDEEP

3072:LFSWQVIS1++JYYqEXCpFLWRVy/vN93SGh0dpIGz/efT1zMc8YYQ61VeCKGAY:AXd+ehuWRVyXN93ad6GSxQ1pB18hhY

Score

10^/10

amadey dcrat glupteba lumma smokeloader stealc pub1 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

lumma

https://relevantvoicelesskw.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exebb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exeschtasks.exe

pid	process
5140	schtasks.exe
5152	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
5312	schtasks.exe

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-93-0x0000000005210000-0x0000000005AFB000-memory.dmp	family_glupteba
behavioral1/memory/1980-99-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1980-171-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1980-221-0x0000000005210000-0x0000000005AFB000-memory.dmp	family_glupteba
behavioral1/memory/1980-280-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1980-304-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1584-338-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1584-391-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1584-444-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/3108-576-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

74AF.exeexplorgu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 74AF.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2480 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	74AF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

pid	process
2480	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74AF.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	74AF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	74AF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ISetup4.exeu2dk.0.exeEGHCBKKKFH.exe96EF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ISetup4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	u2dk.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	EGHCBKKKFH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	96EF.exe

Deletes itself 1 IoCs

Processes:

pid process

3372

pid	process
3372

Executes dropped EXE 11 IoCs

Processes:

74AF.exe87DA.exe96EF.exeISetup4.exe288c47bbc1871b439df19ff4df68f076.exeB70A.exeu2dk.0.exeu2dk.1.exeEGHCBKKKFH.exe288c47bbc1871b439df19ff4df68f076.exeexplorgu.exe

pid	process
3512	74AF.exe
3428	87DA.exe
2252	96EF.exe
3080	ISetup4.exe
1980	288c47bbc1871b439df19ff4df68f076.exe
1804	B70A.exe
2880	u2dk.0.exe
2804	u2dk.1.exe
6016	EGHCBKKKFH.exe
1584	288c47bbc1871b439df19ff4df68f076.exe
5744	explorgu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

74AF.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	74AF.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorgu.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeu2dk.0.exe

pid process

4528 regsvr32.exe
2880 u2dk.0.exe
2880 u2dk.0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4528	regsvr32.exe
2880	u2dk.0.exe
2880	u2dk.0.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe	upx
behavioral1/memory/2804-134-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/memory/2804-220-0x0000000000400000-0x0000000000930000-memory.dmp	upx
C:\Windows\windefender.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

EGHCBKKKFH.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EGHCBKKKFH.exe"	EGHCBKKKFH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

74AF.exeexplorgu.exe

pid process

3512 74AF.exe
5744 explorgu.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe
Drops file in Windows directory 1 IoCs

Processes:

74AF.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 74AF.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3696 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

976 3080 WerFault.exe ISetup4.exe
3384 1804 WerFault.exe B70A.exe
5980 2880 WerFault.exe u2dk.0.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	74AF.exe

pid	process
3696	sc.exe

pid	pid_target	process	target process
976	3080	WerFault.exe	ISetup4.exe
3384	1804	WerFault.exe	B70A.exe
5980	2880	WerFault.exe	u2dk.0.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe87DA.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87DA.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87DA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u2dk.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2dk.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2dk.0.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5140 schtasks.exe
5152 schtasks.exe
5312 schtasks.exe

pid	process
5140	schtasks.exe
5152	schtasks.exe
5312	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3892 PING.EXE

pid	process
3892	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe

pid	process
1512	bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
1512	bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372
3372

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe87DA.exe

pid process

1512 bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
3428 87DA.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

powershell.exeEGHCBKKKFH.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeDebugPrivilege	6016	EGHCBKKKFH.exe
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeDebugPrivilege	1980	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	1980	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	5336	powershell.exe
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeShutdownPrivilege	3372
Token: SeCreatePagefilePrivilege	3372
Token: SeDebugPrivilege	4384	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

74AF.exe

pid process

3512 74AF.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

u2dk.1.exe

pid process

2804 u2dk.1.exe

pid	process
2804	u2dk.1.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

regsvr32.exe96EF.exeISetup4.exeu2dk.1.execmd.exe288c47bbc1871b439df19ff4df68f076.exeu2dk.0.execmd.exeEGHCBKKKFH.execmd.exe288c47bbc1871b439df19ff4df68f076.execmd.exe

description	pid	process	target process
PID 3372 wrote to memory of 3632	3372		regsvr32.exe
PID 3372 wrote to memory of 3632	3372		regsvr32.exe
PID 3632 wrote to memory of 4528	3632	regsvr32.exe	regsvr32.exe
PID 3632 wrote to memory of 4528	3632	regsvr32.exe	regsvr32.exe
PID 3632 wrote to memory of 4528	3632	regsvr32.exe	regsvr32.exe
PID 3372 wrote to memory of 3512	3372		74AF.exe
PID 3372 wrote to memory of 3512	3372		74AF.exe
PID 3372 wrote to memory of 3512	3372		74AF.exe
PID 3372 wrote to memory of 3428	3372		87DA.exe
PID 3372 wrote to memory of 3428	3372		87DA.exe
PID 3372 wrote to memory of 3428	3372		87DA.exe
PID 3372 wrote to memory of 2252	3372		96EF.exe
PID 3372 wrote to memory of 2252	3372		96EF.exe
PID 3372 wrote to memory of 2252	3372		96EF.exe
PID 2252 wrote to memory of 3080	2252	96EF.exe	ISetup4.exe
PID 2252 wrote to memory of 3080	2252	96EF.exe	ISetup4.exe
PID 2252 wrote to memory of 3080	2252	96EF.exe	ISetup4.exe
PID 2252 wrote to memory of 1980	2252	96EF.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2252 wrote to memory of 1980	2252	96EF.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2252 wrote to memory of 1980	2252	96EF.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3372 wrote to memory of 1804	3372		B70A.exe
PID 3372 wrote to memory of 1804	3372		B70A.exe
PID 3372 wrote to memory of 1804	3372		B70A.exe
PID 3080 wrote to memory of 2880	3080	ISetup4.exe	u2dk.0.exe
PID 3080 wrote to memory of 2880	3080	ISetup4.exe	u2dk.0.exe
PID 3080 wrote to memory of 2880	3080	ISetup4.exe	u2dk.0.exe
PID 3080 wrote to memory of 2804	3080	ISetup4.exe	u2dk.1.exe
PID 3080 wrote to memory of 2804	3080	ISetup4.exe	u2dk.1.exe
PID 3080 wrote to memory of 2804	3080	ISetup4.exe	u2dk.1.exe
PID 2804 wrote to memory of 4640	2804	u2dk.1.exe	cmd.exe
PID 2804 wrote to memory of 4640	2804	u2dk.1.exe	cmd.exe
PID 2804 wrote to memory of 4640	2804	u2dk.1.exe	cmd.exe
PID 4640 wrote to memory of 1076	4640	cmd.exe	Conhost.exe
PID 4640 wrote to memory of 1076	4640	cmd.exe	Conhost.exe
PID 4640 wrote to memory of 1076	4640	cmd.exe	Conhost.exe
PID 1980 wrote to memory of 4744	1980	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1980 wrote to memory of 4744	1980	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1980 wrote to memory of 4744	1980	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 4640 wrote to memory of 5140	4640	cmd.exe	schtasks.exe
PID 4640 wrote to memory of 5140	4640	cmd.exe	schtasks.exe
PID 4640 wrote to memory of 5140	4640	cmd.exe	schtasks.exe
PID 2880 wrote to memory of 5908	2880	u2dk.0.exe	cmd.exe
PID 2880 wrote to memory of 5908	2880	u2dk.0.exe	cmd.exe
PID 2880 wrote to memory of 5908	2880	u2dk.0.exe	cmd.exe
PID 5908 wrote to memory of 6016	5908	cmd.exe	EGHCBKKKFH.exe
PID 5908 wrote to memory of 6016	5908	cmd.exe	EGHCBKKKFH.exe
PID 5908 wrote to memory of 6016	5908	cmd.exe	EGHCBKKKFH.exe
PID 6016 wrote to memory of 4304	6016	EGHCBKKKFH.exe	cmd.exe
PID 6016 wrote to memory of 4304	6016	EGHCBKKKFH.exe	cmd.exe
PID 6016 wrote to memory of 4304	6016	EGHCBKKKFH.exe	cmd.exe
PID 4304 wrote to memory of 3892	4304	cmd.exe	PING.EXE
PID 4304 wrote to memory of 3892	4304	cmd.exe	PING.EXE
PID 4304 wrote to memory of 3892	4304	cmd.exe	PING.EXE
PID 1584 wrote to memory of 5336	1584	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1584 wrote to memory of 5336	1584	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1584 wrote to memory of 5336	1584	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1584 wrote to memory of 5656	1584	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 1584 wrote to memory of 5656	1584	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 5656 wrote to memory of 2480	5656	cmd.exe	netsh.exe
PID 5656 wrote to memory of 2480	5656	cmd.exe	netsh.exe
PID 1584 wrote to memory of 4384	1584	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1584 wrote to memory of 4384	1584	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1584 wrote to memory of 4384	1584	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe
"C:\Users\Admin\AppData\Local\Temp\bb2ccd0ed0e154732e45624be211b66948fc2bef0940ded0697b38d84e30ac4c.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1512

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6E55.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\6E55.dll
  2⤵
  - Loads dropped DLL
  PID:4528

C:\Users\Admin\AppData\Local\Temp\74AF.exe
C:\Users\Admin\AppData\Local\Temp\74AF.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:3512

C:\Users\Admin\AppData\Local\Temp\87DA.exe
C:\Users\Admin\AppData\Local\Temp\87DA.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3428

C:\Users\Admin\AppData\Local\Temp\96EF.exe
C:\Users\Admin\AppData\Local\Temp\96EF.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\u2dk.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u2dk.0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGHCBKKKFH.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\EGHCBKKKFH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EGHCBKKKFH.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6016
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EGHCBKKKFH.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:3892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 2348
      4⤵
      Program crash
      PID:5980
- - C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 704
    3⤵
    - Program crash
    PID:976
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:5336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5656
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4560
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1076
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:3108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:628
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5152
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5400
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:5772
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5312
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:1880
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3400 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\B70A.exe
C:\Users\Admin\AppData\Local\Temp\B70A.exe
1⤵
- Executes dropped EXE
PID:1804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 664
  2⤵
  - Program crash
  PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1804 -ip 1804
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3080 -ip 3080
1⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4280 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:3
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2880 -ip 2880
1⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5744
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:2204
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:5008
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:5716
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:4428

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
30KB

MD5
ba02703c2268e67645172aefe0c34e89

SHA1
d7fd075d9b9e5796b5aea71a2c1dcd6f4994fc84

SHA256
4a6d3c050f1ed89b9009e8d2fc84ed8751fe32a820cace573ecbf51c58fea691

SHA512
b1022e72a1dbab902ea869605ef4e959c6821e0422ba3793e8243ad38dff9e7e4d23395df5f2548405d487834d97ec02e27be4fc753f23997b461e7b75577829

Download Submit
C:\ProgramData\mozglue.dll

Filesize
315KB

MD5
c34116d30d53bae7189911469be7b50a

SHA1
be9620db3d941f9e785e32c146c126097ec2f346

SHA256
0a0c1755b915d40c871850fe4469124477779a15d0a959005270a4ac215f4bae

SHA512
a78ecd7b8ebec6b6f96588977efec9f56fb6806fcb00869065a13c46c3a029962b5495f234a2996fccb7acf87467475097f5142b087033de3bf3d2c65909c0e1

Download Submit
C:\ProgramData\nss3.dll

Filesize
245KB

MD5
e1ceccf23344e7ed48166ded1478af45

SHA1
933dca503fefefcb169683a250afd5ac8ef62bee

SHA256
038bf324ff4f149309ea82620b08e525f9ae67681953dc8ad8e9ef9667ec6ccf

SHA512
82dee0ad7195ad414f7e48919143d4460ddb08c6a9a35aabbe1a8e5641bef8255eaeb3837c2f54b01ca6be989f3e31a04c392951824413dacbf0f3aa8dbe9cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
256KB

MD5
5cd830483216679456566507ff7f94a5

SHA1
a712e3912347c31dfee826c08f907d767fa5d355

SHA256
56e4a4f5f6e3952674a68045519609301527541b3c72523608904b4a1dcde17a

SHA512
e1d843e950d24faa37ae0d2a755f3ec240e16201af7547ccd1eceb22af18b745df53886423710ee43249aa31449ba68acd7ea9c9995a6262cdd2a52c13e0f7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.3MB

MD5
e8128d535f84e575364df383825a920a

SHA1
c0a710c2cc4023c05b972b54b76f1befa5939bbf

SHA256
a64e7698606d0d02acffb4c7960aebad8e69f2a99eb28c5c017a1c1bbc68f573

SHA512
1b27d1f267d6ccd733a93a865e52e873928b9da9f2e99f09363fec214a1cca373eea1b6f84c3e2bb2b1f8425207b3c26bdc1bb02f7d3284c48b4bfd59dff21eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
897KB

MD5
9cffbcff2e21bcc449475338939b0998

SHA1
600b5e41187ff4228fcfb6e0d5c2efe3c78506d5

SHA256
fc9c36baf07894398b8c02a8f21e7d8129c557927cc8acbe9c9c1b8ccb9c767f

SHA512
c031a87be4b52f762a0460509f199170bd8f3c1e259bdf7af5cf2e20bae9ba5130a7c43d9698e491f3a59f2f40c0ccf935990da7109cc7305464bf19c374622a

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
826KB

MD5
b192cdd995be76fcaddf1fdbba702677

SHA1
5ef532c89370f19d3a445219741d8c7bf62c500c

SHA256
d3e91f30a08b9b66c24bdbce253d49a7351688cf6ed9f368edb475f28bd457d7

SHA512
10e53065f9fcc6e69167678b0be3867d16ec5f43e70a3742fa8c705dddd7963fd37fc2ebdccfd73c6b64b2836288ec4230efe3b6f702fa63f04c1511d010811f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E55.dll

Filesize
313KB

MD5
5a60e8daa316db430ecb036b664cea95

SHA1
1aabf3c16445bcc80e183c2fb5598d817606d4b9

SHA256
c728ca1d088db4bbc416bb2826db08fa53559d467c0322a8c3a4f0e0e99fb60e

SHA512
15d9a334fa0f76adbf125ad30fd17d6cc1d5c6e1efbba3af8d735b58c9b3c0a3e8a95de6ad0481e34144306f7ba3053ad00d26eb9d141052f8088a18bab3023c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E55.dll

Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\74AF.exe

Filesize
1.8MB

MD5
b8b5138dc6f97136cfebece16f80203d

SHA1
e020d3ac6d101791801e8ce8c921a5f54f78abf5

SHA256
7d1e736b876ad9f4effc5736323bbb1db9d53b49abda5a13d238cbe5f56e136c

SHA512
f26e295c0845b57520ee8392761c532527ca41974f68f189bb37637b45455edceb098ca23d2952e495635719a8da8a39d86d880467bc6ad79071afd870dd9877

Download Submit
C:\Users\Admin\AppData\Local\Temp\87DA.exe

Filesize
316KB

MD5
bdf48facb4a7ed84153f18938bc777c7

SHA1
ad5f2b77c05380298d9c7c11fa3c8d600806b798

SHA256
86b4e1e90af8fb3f5ab4958953c657e5919c19ad225a6845d202600279b919e2

SHA512
bde0e61697692513d52e7b4cec4493a8fc0ba87a89191a9a8472f763eecc614142bc8df7bf7a14ea5d52a74cd72b482c1a1ef22742907622e64e7df4638b2195

Download Submit
C:\Users\Admin\AppData\Local\Temp\96EF.exe

Filesize
4.7MB

MD5
4645adc87acf83b55edff3c5ce2fc28e

SHA1
4953795cc90315cf7004b8f71718f117887b8c91

SHA256
5a03eb8534caf92f4c3d7896d1af7fe61292b5f0995567be8c783ab28c3b74f8

SHA512
3d8853dd1f28062f7554628565bc62e42296b0ab69da28665bf29771d78c50fdcdb2432aea09dbeb69d935e0dcf6d3b703af8ba1b7a0aed70b5be93b7959c602

Download Submit
C:\Users\Admin\AppData\Local\Temp\B70A.exe

Filesize
827KB

MD5
bf33d1aeafc57a8cc0e4004288e1360e

SHA1
e48663fb5d6993db0a3fbe58099d05bfc65897d5

SHA256
48b9a0963d0ce20400139407730578fe17d22babf20936196efd3b21897f50b5

SHA512
3fab0464c5a16348dfa3e655eac406fef5d9004699b46a2f0c8bcf8c10ad9f161bae99f6951b11e2181dfacdc94611ae998f7f740db1ccf647ffd48fe34ae00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B70A.exe

Filesize
884KB

MD5
8ee2ed9d340312a8443df98147836bec

SHA1
5ba95d062505be855b23368b43fd5c360bac7355

SHA256
b647d25f3a0a393cc2c14be3bbf658d660b7ae78a20d29f5761043d3fcf829fa

SHA512
9898166593b8a9ab421c73f9966e252ca79a9faad2d061adc5748d82bbf752107264c62dba1b1eb5ec243ab8394adb8a9047c25703bb2e076b6181def62e47ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGHCBKKKFH.exe

Filesize
101KB

MD5
42b838cf8bdf67400525e128d917f6e0

SHA1
a578f6faec738912dba8c41e7abe1502c46d0cae

SHA256
0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d

SHA512
f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ow3nnl0h.ouf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2dk.0.exe

Filesize
295KB

MD5
cfb42c3b67c1ef16e521f3f03f1d6447

SHA1
fc0c001171eab5714dc0dacf9582aa848d85d2b6

SHA256
eeafc37a13e2c1022e121dd6c5d3d8feab21d2fc3331d651fe227ef4c049ae2d

SHA512
d2e909703249b83f39ecce8a609c24101c58ef738218d01fc4b1edfb5086b2d29cb90b6ac94f5fe48a91b09fb3c32678f33d0f9b3385a8c810a23783315794d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2dk.0.exe

Filesize
315KB

MD5
ad74fd4e201be3accb9743d5a968c3a6

SHA1
ff1a88017be012880f0faef29287f71e1a38cfff

SHA256
9befd484c37ec52960c294859cb598719c2b492448d8e93b245a7d52ba0d7346

SHA512
2a9a3907d7972c1549eeda3124e0c457a13bc359b7951967af7485c4be115b03461a19fad97ff7648b22f516f636d9e0de000bedd261bbbe6b87cc54f3b785a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe

Filesize
289KB

MD5
7c299a2806ca9423a3e0a6e653c63234

SHA1
66a7b947b0bfcfbc81066bf0da739c554acaf15f

SHA256
ca975311f9b92ac7d7bf7a66933b06fc6dce6c8abc6d8158b16f794b37cbb37a

SHA512
7db40b6f090d79b510d034f39ca7701f3b39ebf891887f8057b3b9cd663fedde1c53b20fff9e2c9f375a9c3cafb9f216b0b52f02a9d79d28121834a9e6c15ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe

Filesize
207KB

MD5
60b7528817cd6fe92b0084f748f412ea

SHA1
583fc8b54fd56575ce481255bdf3f609d4ec863d

SHA256
9e85604245b03ef676a7d3603ca9f78375e74f82637bd2e5d8e390357fb1838d

SHA512
e79e7e3a88be67cfb49e72329912ed202ab1114ea0d96ce84a07beffc9b4136841af7df9c846fdc1bf0cfa0c993edc00558bcca46583f77d775c6da7a44d870d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe

Filesize
208KB

MD5
37750f33d38bae7b5777af3b1ae8e6c8

SHA1
e4b72a8b01225d0c42755587f840afcc5828e702

SHA256
178e2036ce7300f1cd1ed349328a52b4bd566e532d888c92b749468167f35db3

SHA512
4a8c53c691d6f3708c98781ba02a572a169d06f5c79adc80ac99ae38a3d6a7edc01a2f9b69c9a80e03e8fdf739db3384e9208f3792e0c02c9e43dced3fecec70

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
853KB

MD5
e6a012cb823983d051989c4cbf6241cb

SHA1
aaf1ed9358419bacad7c6a79e228ecb1a21a0253

SHA256
8f1a91308f4fa24a22c278cc2a37552b55e216f86c9346402e660e739f0f2db0

SHA512
727b6d344014ed0820a2a977f22e1ca17a7dc1a1e78ec4918a00bbfafedbb71e69599713b8ee7a7ebf29f1f254b49c73b3a15cb12bb1867892c3fe3a4ae5d2cd

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.1MB

MD5
fd17bf7b07fc556a1748e9aafed3a89f

SHA1
ba458f77410c2cd7644bb5a6f37d88ed86ebdfcf

SHA256
e649e0c94651f1201d50828cc7598eebf21dbae67631308b412febb3c9dbf9f6

SHA512
53a3975029e7788acab6242527a9f056b98e246c72a88eb440cf1407b96c86ef6781fffe0bf441d3d25521be3577ef7c87218ffb42b9aae49453861854fda3c4

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9ef823b1155dada54260ef941bdd2aaf

SHA1
ed1ad826f8a41484c4bd939eeb98848efe62a213

SHA256
f3bc4b3dcf000847484519fb789bc5e599407cac5c484270fdbc5ac4e1e7e2bf

SHA512
d45d2e1dc7363f00d8f59edc1f88aaaac309bf3aed6aa143a8369aa7c3c0de98cc1794c1018724a2a3193447daade460614fc5ef88973c35c8f6ea62976c3b7b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
918116776fb7dd8a85269559e5983b4e

SHA1
eb6dce10c3829ce167c8366609d5e03b8563c0b9

SHA256
6a60b06130a57ce6871ee740fd8b35c146e7eae0af888f63d2f6e0c62d127033

SHA512
1373a90e8d045226dd64a71bac8c928d12cbbb244adbc7c1725da3d510a5847adfdd7b653875a1b7f63227908c3e2747b14cecae0255f34e2dba7a5d4995a63f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6c22686033568fd3218a6fdfda7e31b3

SHA1
ac132bd081995633aad5e9888c99997709f8c5d5

SHA256
ef6e3cfe7adb3d8c8a75eddcf583ed519f753c4a512646a360c84243d2f00934

SHA512
99fff113f50ba9c6ce0d17069f2340b2a27e18fa539c5ad372a2bf3827bdd343e6b35a40d2237a1c453c5d2dbb4ed900dba2fbd5ea9d15a304d60737539a42ae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c8a4bd163fefe4ae18ce7e257243c10d

SHA1
4b0b5d6c15d5dc5deb57cd913878737cd3a1a8e0

SHA256
b0610d514730d8a95af30eb2f94dd0e2a39238e4c8590d993ac495198a4a3e2c

SHA512
1fb250104038584caee690f79e77c0f899b4d8b34d8d7416528f2afe187b5e69de8fa61597df502feed7a23675f02fc90daa86e4b0307d7859a7e5b9fdb6f196

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
dab03a80c6d0be6174e46bbd7314da46

SHA1
b3839a472ceb7f59b556761618d3fd0b2970ef34

SHA256
47103cce442805e927d8106928b13dafeab0bd2c4f5e412417762853b4d98336

SHA512
4036f9f3036fcd2058c12fe0d4486fabbaa628f4136ad9cc00d8a2cca0d8a27818aa197fc17428f92a66c03110946d885cd6e9d15d59730f6c15784f1f5c088e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.6MB

MD5
dc322c78cfd5b7f2c7fa984cf9ef6b30

SHA1
50661eb39fac151792a3b6c41a7f392d64027809

SHA256
9f3651162b67e2e3c674f5577ed3cbff6dfd8cb9d23a01ae016f6071f872d92d

SHA512
0898a404cd217eb952b98aa4c1183da117d7a824ded7a16e325df953321339bfbda9ea79416c0d3231fc80111964b8e6df3540869e68edff3194ac687b3f87a0

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.1MB

MD5
8ebb3fb9d3ec9ae848557754b5c33154

SHA1
62c70fe12ad7141ee869b697913abc8c3c78c882

SHA256
030eb5c05d37412cf1ceff28373b5dd294c761337b562aedd54ce4453272455d

SHA512
9fed11a57e6a54fec06415dfa2b9c516cbae9da65fc1de1ad1899c7950125f550305f3b155863129c91c3b96b24982fcd2677b09ec4fbdcdf8d6da39b452544f

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1512-1-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

Filesize
1024KB

Download
memory/1512-8-0x0000000004A90000-0x0000000004A9B000-memory.dmp

Filesize
44KB

Download
memory/1512-5-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/1512-3-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/1512-2-0x0000000004A90000-0x0000000004A9B000-memory.dmp

Filesize
44KB

Download
memory/1584-338-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1584-391-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1584-444-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1804-112-0x0000000001790000-0x0000000001791000-memory.dmp

Filesize
4KB

Download
memory/1804-115-0x0000000001790000-0x00000000017C2000-memory.dmp

Filesize
200KB

Download
memory/1804-100-0x0000000000E70000-0x0000000001207000-memory.dmp

Filesize
3.6MB

Download
memory/1804-116-0x0000000001790000-0x00000000017C2000-memory.dmp

Filesize
200KB

Download
memory/1804-111-0x0000000001790000-0x0000000001791000-memory.dmp

Filesize
4KB

Download
memory/1804-114-0x0000000001790000-0x00000000017C2000-memory.dmp

Filesize
200KB

Download
memory/1804-113-0x0000000001790000-0x0000000001791000-memory.dmp

Filesize
4KB

Download
memory/1980-174-0x0000000004E10000-0x000000000520A000-memory.dmp

Filesize
4.0MB

Download
memory/1980-304-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1980-93-0x0000000005210000-0x0000000005AFB000-memory.dmp

Filesize
8.9MB

Download
memory/1980-92-0x0000000004E10000-0x000000000520A000-memory.dmp

Filesize
4.0MB

Download
memory/1980-99-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1980-221-0x0000000005210000-0x0000000005AFB000-memory.dmp

Filesize
8.9MB

Download
memory/1980-171-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1980-280-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/2252-57-0x0000000073AD0000-0x0000000074280000-memory.dmp

Filesize
7.7MB

Download
memory/2252-58-0x0000000000BA0000-0x0000000001050000-memory.dmp

Filesize
4.7MB

Download
memory/2252-90-0x0000000073AD0000-0x0000000074280000-memory.dmp

Filesize
7.7MB

Download
memory/2804-134-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2804-135-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2804-220-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2880-120-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/2880-281-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/2880-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2880-130-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/2880-215-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/2880-121-0x0000000002DC0000-0x0000000002DE7000-memory.dmp

Filesize
156KB

Download
memory/3080-136-0x0000000000400000-0x0000000002D72000-memory.dmp

Filesize
41.4MB

Download
memory/3080-91-0x0000000000400000-0x0000000002D72000-memory.dmp

Filesize
41.4MB

Download
memory/3080-86-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/3080-89-0x00000000048D0000-0x000000000493F000-memory.dmp

Filesize
444KB

Download
memory/3108-576-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/3372-52-0x00000000027B0000-0x00000000027C6000-memory.dmp

Filesize
88KB

Download
memory/3372-4-0x0000000002290000-0x00000000022A6000-memory.dmp

Filesize
88KB

Download
memory/3428-54-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/3428-41-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/3428-38-0x0000000002D50000-0x0000000002E50000-memory.dmp

Filesize
1024KB

Download
memory/3428-39-0x0000000004850000-0x000000000485B000-memory.dmp

Filesize
44KB

Download
memory/3512-29-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3512-62-0x00000000009F0000-0x0000000000EA3000-memory.dmp

Filesize
4.7MB

Download
memory/3512-19-0x00000000009F0000-0x0000000000EA3000-memory.dmp

Filesize
4.7MB

Download
memory/3512-56-0x00000000009F0000-0x0000000000EA3000-memory.dmp

Filesize
4.7MB

Download
memory/3512-23-0x0000000077C34000-0x0000000077C36000-memory.dmp

Filesize
8KB

Download
memory/3512-24-0x00000000009F0000-0x0000000000EA3000-memory.dmp

Filesize
4.7MB

Download
memory/3512-26-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3512-25-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3512-27-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3512-28-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/3512-30-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3512-31-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4528-20-0x0000000002860000-0x0000000002866000-memory.dmp

Filesize
24KB

Download
memory/4528-42-0x0000000002D50000-0x0000000002E58000-memory.dmp

Filesize
1.0MB

Download
memory/4528-40-0x0000000002C20000-0x0000000002D43000-memory.dmp

Filesize
1.1MB

Download
memory/4528-21-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/4528-46-0x0000000002D50000-0x0000000002E58000-memory.dmp

Filesize
1.0MB

Download
memory/4528-45-0x0000000002D50000-0x0000000002E58000-memory.dmp

Filesize
1.0MB

Download
memory/4744-268-0x00000000073F0000-0x0000000007493000-memory.dmp

Filesize
652KB

Download
memory/4744-173-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4744-169-0x00000000721A0000-0x0000000072950000-memory.dmp

Filesize
7.7MB

Download
memory/4744-263-0x0000000007390000-0x00000000073AE000-memory.dmp

Filesize
120KB

Download
memory/4744-187-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/4744-228-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4744-276-0x00000000075B0000-0x0000000007646000-memory.dmp

Filesize
600KB

Download
memory/4744-277-0x0000000007510000-0x0000000007521000-memory.dmp

Filesize
68KB

Download
memory/4744-172-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/4744-270-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/4744-207-0x0000000004BC0000-0x0000000004BDE000-memory.dmp

Filesize
120KB

Download
memory/4744-170-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/4744-211-0x0000000005E90000-0x0000000005EDC000-memory.dmp

Filesize
304KB

Download
memory/4744-253-0x000000006F030000-0x000000006F384000-memory.dmp

Filesize
3.3MB

Download
memory/4744-252-0x0000000074700000-0x000000007474C000-memory.dmp

Filesize
304KB

Download
memory/4744-216-0x0000000006380000-0x00000000063C4000-memory.dmp

Filesize
272KB

Download
memory/4744-251-0x00000000073B0000-0x00000000073E2000-memory.dmp

Filesize
200KB

Download
memory/4744-250-0x000000007F400000-0x000000007F410000-memory.dmp

Filesize
64KB

Download
memory/4744-242-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/4744-229-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/4744-241-0x0000000007830000-0x0000000007EAA000-memory.dmp

Filesize
6.5MB

Download
memory/4744-175-0x0000000004F70000-0x0000000004F92000-memory.dmp

Filesize
136KB

Download
memory/4744-180-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/4744-203-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/5744-405-0x0000000000EE0000-0x0000000001393000-memory.dmp

Filesize
4.7MB

Download
memory/5744-568-0x0000000000EE0000-0x0000000001393000-memory.dmp

Filesize
4.7MB

Download
memory/5744-496-0x0000000000EE0000-0x0000000001393000-memory.dmp

Filesize
4.7MB

Download