metasploit | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

Resubmissions

09-04-2024 07:01

240409-htps3scd2w 10

09-04-2024 07:01

09-04-2024 07:00

09-04-2024 07:00

07-03-2024 22:29

Analysis

max time kernel
300s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

metasploit redline risepro stealc zgrat 6077866846 backdoor discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

metasploit

Version

metasploit_stager

91.92.247.21:8405

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4348-114-0x000002034A920000-0x000002034AB96000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-115-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-116-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-118-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-120-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-122-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-124-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-126-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-132-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-130-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-128-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-138-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-144-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-146-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-140-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-136-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-151-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-153-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-159-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-162-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-164-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-177-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-182-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-149-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-184-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-186-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-191-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-195-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-198-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-200-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-202-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-204-0x000002034A920000-0x000002034AB91000-memory.dmp	family_zgrat_v1
behavioral2/memory/3756-1351-0x000001CE4D520000-0x000001CE50E18000-memory.dmp	family_zgrat_v1
behavioral2/memory/3756-1366-0x000001CE6B610000-0x000001CE6B720000-memory.dmp	family_zgrat_v1
behavioral2/memory/3756-1374-0x000001CE6B380000-0x000001CE6B3A4000-memory.dmp	family_zgrat_v1

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4436-8-0x0000000000450000-0x0000000000472000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 22 IoCs

Processes:

crypted6077866846MVYQY.exei1gcbW1E.exedisable-defender.exepclient.exeresponsibilitylead.exeMStore.exeProps.exewininit.exeTemp.exe1234.exeISetup8.exeu1lc.0.exeMService.exeu1lc.1.exetest2.exeKJJJDHDGDA.exe1111.exeISetup2.exeTester.exeu2o8.0.exeu2o8.1.exesvchost.exe

pid	process
4436	crypted6077866846MVYQY.exe
2492	i1gcbW1E.exe
2796	disable-defender.exe
4980	pclient.exe
4348	responsibilitylead.exe
3504	MStore.exe
3212	Props.exe
2196	wininit.exe
820	Temp.exe
4400	1234.exe
2064	ISetup8.exe
4960	u1lc.0.exe
2576	MService.exe
4688	u1lc.1.exe
3324	test2.exe
1796	KJJJDHDGDA.exe
416	1111.exe
3464	ISetup2.exe
3704	Tester.exe
1616	u2o8.0.exe
4688	u2o8.1.exe
916	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

u1lc.0.exe

pid process

4960 u1lc.0.exe
4960 u1lc.0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4960	u1lc.0.exe
4960	u1lc.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pclient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pclient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
7 raw.githubusercontent.com
12 pastebin.com
13 pastebin.com

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
12	pastebin.com
13	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

MStore.exe

description ioc process

File created C:\Windows\SysWOW64\MService.exe MStore.exe
Drops file in Windows directory 2 IoCs

Processes:

Tester.exe

description ioc process

File opened for modification C:\Windows\svchost.exe Tester.exe
File created C:\Windows\svchost.exe Tester.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\MService.exe	MStore.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.exe	Tester.exe
File created	C:\Windows\svchost.exe	Tester.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u2o8.1.exeu1lc.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2o8.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2o8.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2o8.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1lc.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1lc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1lc.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u1lc.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1lc.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1lc.0.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4460 PING.EXE

pid	process
4460	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

crypted6077866846MVYQY.exedisable-defender.exepowershell.exeTemp.exeu1lc.0.exei1gcbW1E.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeTester.exe

pid	process
4436	crypted6077866846MVYQY.exe
2796	disable-defender.exe
2796	disable-defender.exe
4436	crypted6077866846MVYQY.exe
2724	powershell.exe
2724	powershell.exe
4436	crypted6077866846MVYQY.exe
4436	crypted6077866846MVYQY.exe
2724	powershell.exe
4436	crypted6077866846MVYQY.exe
4436	crypted6077866846MVYQY.exe
4436	crypted6077866846MVYQY.exe
4436	crypted6077866846MVYQY.exe
820	Temp.exe
820	Temp.exe
4960	u1lc.0.exe
4960	u1lc.0.exe
4960	u1lc.0.exe
4960	u1lc.0.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
2492	i1gcbW1E.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe
3704	Tester.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document mod.execrypted6077866846MVYQY.exedisable-defender.exeresponsibilitylead.exepowershell.exeTemp.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeTester.exevssvc.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2752	New Text Document mod.exe
Token: SeDebugPrivilege	4436	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	2796	disable-defender.exe
Token: SeImpersonatePrivilege	2796	disable-defender.exe
Token: SeDebugPrivilege	4348	responsibilitylead.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeIncreaseQuotaPrivilege	2724	powershell.exe
Token: SeSecurityPrivilege	2724	powershell.exe
Token: SeTakeOwnershipPrivilege	2724	powershell.exe
Token: SeLoadDriverPrivilege	2724	powershell.exe
Token: SeSystemProfilePrivilege	2724	powershell.exe
Token: SeSystemtimePrivilege	2724	powershell.exe
Token: SeProfSingleProcessPrivilege	2724	powershell.exe
Token: SeIncBasePriorityPrivilege	2724	powershell.exe
Token: SeCreatePagefilePrivilege	2724	powershell.exe
Token: SeBackupPrivilege	2724	powershell.exe
Token: SeRestorePrivilege	2724	powershell.exe
Token: SeShutdownPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeSystemEnvironmentPrivilege	2724	powershell.exe
Token: SeRemoteShutdownPrivilege	2724	powershell.exe
Token: SeUndockPrivilege	2724	powershell.exe
Token: SeManageVolumePrivilege	2724	powershell.exe
Token: 33	2724	powershell.exe
Token: 34	2724	powershell.exe
Token: 35	2724	powershell.exe
Token: 36	2724	powershell.exe
Token: SeDebugPrivilege	820	Temp.exe
Token: SeImpersonatePrivilege	820	Temp.exe
Token: SeDebugPrivilege	3756	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	3704	Tester.exe
Token: SeBackupPrivilege	4872	vssvc.exe
Token: SeRestorePrivilege	4872	vssvc.exe
Token: SeAuditPrivilege	4872	vssvc.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1240	powershell.exe
Token: SeSecurityPrivilege	1240	powershell.exe
Token: SeTakeOwnershipPrivilege	1240	powershell.exe
Token: SeLoadDriverPrivilege	1240	powershell.exe
Token: SeSystemProfilePrivilege	1240	powershell.exe
Token: SeSystemtimePrivilege	1240	powershell.exe
Token: SeProfSingleProcessPrivilege	1240	powershell.exe
Token: SeIncBasePriorityPrivilege	1240	powershell.exe
Token: SeCreatePagefilePrivilege	1240	powershell.exe
Token: SeBackupPrivilege	1240	powershell.exe
Token: SeRestorePrivilege	1240	powershell.exe
Token: SeShutdownPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeSystemEnvironmentPrivilege	1240	powershell.exe
Token: SeRemoteShutdownPrivilege	1240	powershell.exe
Token: SeUndockPrivilege	1240	powershell.exe
Token: SeManageVolumePrivilege	1240	powershell.exe
Token: 33	1240	powershell.exe
Token: 34	1240	powershell.exe
Token: 35	1240	powershell.exe
Token: 36	1240	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeIncreaseQuotaPrivilege	3744	powershell.exe
Token: SeSecurityPrivilege	3744	powershell.exe
Token: SeTakeOwnershipPrivilege	3744	powershell.exe
Token: SeLoadDriverPrivilege	3744	powershell.exe
Token: SeSystemProfilePrivilege	3744	powershell.exe
Token: SeSystemtimePrivilege	3744	powershell.exe
Token: SeProfSingleProcessPrivilege	3744	powershell.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

wininit.exeu1lc.1.exeu2o8.1.exe

pid	process
2196	wininit.exe
2196	wininit.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

wininit.exeu1lc.1.exeu2o8.1.exe

pid	process
2196	wininit.exe
2196	wininit.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u1lc.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe
4688	u2o8.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

916 svchost.exe

pid	process
916	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exepclient.exeMStore.execmd.exeISetup8.exeu1lc.0.execmd.exeKJJJDHDGDA.execmd.exeu1lc.1.exeISetup2.exe

description	pid	process	target process
PID 2752 wrote to memory of 4436	2752	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2752 wrote to memory of 4436	2752	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2752 wrote to memory of 4436	2752	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2752 wrote to memory of 2492	2752	New Text Document mod.exe	i1gcbW1E.exe
PID 2752 wrote to memory of 2492	2752	New Text Document mod.exe	i1gcbW1E.exe
PID 2752 wrote to memory of 2796	2752	New Text Document mod.exe	disable-defender.exe
PID 2752 wrote to memory of 2796	2752	New Text Document mod.exe	disable-defender.exe
PID 2752 wrote to memory of 4980	2752	New Text Document mod.exe	pclient.exe
PID 2752 wrote to memory of 4980	2752	New Text Document mod.exe	pclient.exe
PID 4980 wrote to memory of 4348	4980	pclient.exe	responsibilitylead.exe
PID 4980 wrote to memory of 4348	4980	pclient.exe	responsibilitylead.exe
PID 2752 wrote to memory of 3504	2752	New Text Document mod.exe	MStore.exe
PID 2752 wrote to memory of 3504	2752	New Text Document mod.exe	MStore.exe
PID 2752 wrote to memory of 3212	2752	New Text Document mod.exe	Props.exe
PID 2752 wrote to memory of 3212	2752	New Text Document mod.exe	Props.exe
PID 3504 wrote to memory of 4456	3504	MStore.exe	cmd.exe
PID 3504 wrote to memory of 4456	3504	MStore.exe	cmd.exe
PID 4456 wrote to memory of 2724	4456	cmd.exe	powershell.exe
PID 4456 wrote to memory of 2724	4456	cmd.exe	powershell.exe
PID 2752 wrote to memory of 2196	2752	New Text Document mod.exe	wininit.exe
PID 2752 wrote to memory of 2196	2752	New Text Document mod.exe	wininit.exe
PID 2752 wrote to memory of 2196	2752	New Text Document mod.exe	wininit.exe
PID 3504 wrote to memory of 820	3504	MStore.exe	Temp.exe
PID 3504 wrote to memory of 820	3504	MStore.exe	Temp.exe
PID 2752 wrote to memory of 4400	2752	New Text Document mod.exe	1234.exe
PID 2752 wrote to memory of 4400	2752	New Text Document mod.exe	1234.exe
PID 2752 wrote to memory of 4400	2752	New Text Document mod.exe	1234.exe
PID 2752 wrote to memory of 2064	2752	New Text Document mod.exe	ISetup8.exe
PID 2752 wrote to memory of 2064	2752	New Text Document mod.exe	ISetup8.exe
PID 2752 wrote to memory of 2064	2752	New Text Document mod.exe	ISetup8.exe
PID 2064 wrote to memory of 4960	2064	ISetup8.exe	u1lc.0.exe
PID 2064 wrote to memory of 4960	2064	ISetup8.exe	u1lc.0.exe
PID 2064 wrote to memory of 4960	2064	ISetup8.exe	u1lc.0.exe
PID 3504 wrote to memory of 2576	3504	MStore.exe	MService.exe
PID 3504 wrote to memory of 2576	3504	MStore.exe	MService.exe
PID 2064 wrote to memory of 4688	2064	ISetup8.exe	u2o8.1.exe
PID 2064 wrote to memory of 4688	2064	ISetup8.exe	u2o8.1.exe
PID 2064 wrote to memory of 4688	2064	ISetup8.exe	u2o8.1.exe
PID 2752 wrote to memory of 3324	2752	New Text Document mod.exe	test2.exe
PID 2752 wrote to memory of 3324	2752	New Text Document mod.exe	test2.exe
PID 4960 wrote to memory of 356	4960	u1lc.0.exe	cmd.exe
PID 4960 wrote to memory of 356	4960	u1lc.0.exe	cmd.exe
PID 4960 wrote to memory of 356	4960	u1lc.0.exe	cmd.exe
PID 356 wrote to memory of 1796	356	cmd.exe	KJJJDHDGDA.exe
PID 356 wrote to memory of 1796	356	cmd.exe	KJJJDHDGDA.exe
PID 356 wrote to memory of 1796	356	cmd.exe	KJJJDHDGDA.exe
PID 1796 wrote to memory of 4296	1796	KJJJDHDGDA.exe	cmd.exe
PID 1796 wrote to memory of 4296	1796	KJJJDHDGDA.exe	cmd.exe
PID 1796 wrote to memory of 4296	1796	KJJJDHDGDA.exe	cmd.exe
PID 4296 wrote to memory of 4460	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 4460	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 4460	4296	cmd.exe	PING.EXE
PID 4688 wrote to memory of 3756	4688	u1lc.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4688 wrote to memory of 3756	4688	u1lc.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2752 wrote to memory of 416	2752	New Text Document mod.exe	1111.exe
PID 2752 wrote to memory of 416	2752	New Text Document mod.exe	1111.exe
PID 2752 wrote to memory of 3464	2752	New Text Document mod.exe	ISetup2.exe
PID 2752 wrote to memory of 3464	2752	New Text Document mod.exe	ISetup2.exe
PID 2752 wrote to memory of 3464	2752	New Text Document mod.exe	ISetup2.exe
PID 2752 wrote to memory of 3704	2752	New Text Document mod.exe	Tester.exe
PID 2752 wrote to memory of 3704	2752	New Text Document mod.exe	Tester.exe
PID 3464 wrote to memory of 1616	3464	ISetup2.exe	u2o8.0.exe
PID 3464 wrote to memory of 1616	3464	ISetup2.exe	u2o8.0.exe
PID 3464 wrote to memory of 1616	3464	ISetup2.exe	u2o8.0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
"C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
"C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Users\Admin\AppData\Local\Temp\a\MStore.exe
"C:\Users\Admin\AppData\Local\Temp\a\MStore.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension .exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Temp\Temp.exe
"C:\Windows\Temp\Temp.exe" -s
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\MService.exe
"C:\Windows\SysWOW64\MService.exe"
3⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\a\Props.exe
"C:\Users\Admin\AppData\Local\Temp\a\Props.exe"
2⤵
- Executes dropped EXE
PID:3212

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2196

C:\Users\Admin\AppData\Local\Temp\a\1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
2⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:356

C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe
"C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:4460

C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Users\Admin\AppData\Local\Temp\a\test2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
2⤵
- Executes dropped EXE
PID:3324

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
- Executes dropped EXE
PID:416

C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\u2o8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2o8.0.exe"
3⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\AppData\Local\Temp\u2o8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2o8.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4688

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\iolo technologies\logs\bootstrap.log
Filesize
287B

MD5
7bb4f19175da7dd403bc947a0c68cb1f

SHA1
7c20a8cebe6be5da456595ec4a7db1f87923dbcb

SHA256
08ae86730ca387bd8f23ea8a22bf73626237186431abaa03c3c615d65594e78e

SHA512
f25ee64dca6a9c97bfaf3ef3cb9944bac45070397966420012a5481b00e05b2cc4492afab6da4794c9c4a012e5a9bd182c6012914c9230bb30aed3562d63fa86

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5320f0ca76befe3bc11d626c496fafb6

SHA1
defdc7731236d6e24df3d7fdea95d6f852768e68

SHA256
3031d8cf7ab781b7a335b762bb25c9103e07278bd9bfda5cca99feda46bea5f7

SHA512
b46455cfec140799ec74e2a6a729475453f2b0bc72252dc6309e83c4d7850c8cbd56d8cf964d3bc6d23742faaaf82d43a69ca4b232c7e610d709f3199a4acf84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cb6033b66671e302f6fd58b56309ff65

SHA1
f27cbb4b71d0a1b7f7ee79e8ea7b83eef853fe0f

SHA256
ae4cc95cd552f5580066149a3373bbeb2c21a0d38ae672f19bb878181e81bea1

SHA512
fb9af1e505b8332e91664c32ba0befa2067eb5a01ebd9daf22d2d02a8f73dafe3cb4046073e75ead3927fa5a7d376830ce4973c1d61e81b48a18580bd5133256

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
Filesize
6KB

MD5
f7930c4859ccd34bd2b80a9995f49926

SHA1
8b5b95fb51619e20246f90d60f2137da7654fc5e

SHA256
163969ebee8180e125eb00c02307adda1eb31174ba6f7e011b7b4b3441d8950a

SHA512
8f5a440541b227083f3d2a3a251758bf699a290db3c066ae3209d4c2df5e1e933b9c24cd4c0da0a7f3cb6ca0ce025acf22f65cc06ee1e306ecb9b1318a223a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe
Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cb2yq3ny.vwy.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1111.exe
Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe
Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
Filesize
413KB

MD5
d388d6918f1e8a6a3b34ad993d8159eb

SHA1
cf3cd31a4dd6571cc78016c7b0f97f621b1f253d

SHA256
27d2a005efcb4da7da558eaafb6bc955a008c4beb5814d262cee38cf379f7645

SHA512
54cdbb862536ce1deffc37c5a185e85e52ea1b69bb4c8e0e9137e4d34787ad4b66b047a90b1dbe6694b1d41233e947ffa7119f08e01616f472daf3f72e35761e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
Filesize
413KB

MD5
94e9960a45131af61e599acee54d21d6

SHA1
39b03e050337d4eb127ae5ff5f0868e986bec7ad

SHA256
7add2d9d67534037b7ae6e8d1682595f5bc45cd71f6bcc933994f53f5ff00172

SHA512
179f713f0ce01a70b176373d042538f95a1653cf364510b7f35d3d46a7fee2d295c6e24755d2a1363e5ca82494caec8252dd94bcd31c7a015ef5640636f7e81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\MStore.exe
Filesize
12KB

MD5
282c1ebb16ad0edc41389d1e73a74607

SHA1
fbcdda121484ea6125827ed4e7b1b00f6a88835d

SHA256
7712424f2dec2d08630237c737e5f81789d2e92edc31111c72eaa0388b6df1dc

SHA512
94be4f173c5c63947a6e7902a86c8851ee84a06d1ddec104af91592178adafc3180f652791badc3e0c1139bbc7c9f64b9e47ccd0adadd16159a40ab6c188b292

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Props.exe
Filesize
7KB

MD5
9c938f91a0530150a2b1c4546334570c

SHA1
f4ae9acba920744457739fef0205f86443dbdf65

SHA256
35a6319c334d545be1aff625c27d51d583762b44c77f172f532c27021459345a

SHA512
f5b8fa5f95011fe6677f2f751b5364745607a027e49de05d2a11a5bea5040c97b6cb4285007ee34ce05b00217dd9665065b276df21bf37f823691f57ad2a6a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
Filesize
157KB

MD5
5790d1417f8f00bd7ec6fb7011c79d9c

SHA1
36076ed9457c45d94e664ea291eb01e5c70d084b

SHA256
ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82

SHA512
b19195510624ad16a4730282c97b68d05e4890a33d91f86f24eaf921e23e7786649e4e31aaaec2d9d6c7bb3695c615851d7aed3e53b13083e03acbc8d0543ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe
Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
32ce1c7a07b61c55b65e08f4b48a13df

SHA1
94224c3ab3c7a77a0f8615cff680e493809688f9

SHA256
8fe3cfb823b50ce4cefe1958fd5f5f051dbca4bd274c229bd7b10b4270858dd5

SHA512
bba28f29f7fafecf48f2c573c763cc9a2552f33cce95ca6adf110c0128157f6e4c564085242f5f58866983f2b94e8272bd0cba0722be0874dc312743de4345d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
4KB

MD5
bec0a5db4bd51c7b04f9d517b30041bc

SHA1
1e9f9c6fcede279cdb105eb157831cd68c2d778c

SHA256
59a01f1b965ddeeceb072d1e8ff2db4674734033518843e758331ef49cc20227

SHA512
f3347d4432f36df5d8fde2fa0059207d9b7612ce7de18c21dfb1e88cbd04ba5d12762a05334f0465b81119353717750b442f00181fe725f1ecad8871b5901522

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
00d56746ea6ff960b803b3e30d559620

SHA1
dc31bd9484692b353554da33f9d6fe1f61a36a47

SHA256
4ebf9c84054e9a33bc07490a8fb2ed799f235b83cec28a805ac4b463790861b0

SHA512
94c6dd639fd74e25a5a425eddfce97ec7fac9f7375ab3cacdd88af472b0f962f72ac80c97a2476a54cbe562a38393bf6a4556bdf9a2a45c5a247089a1a6a5869

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe
Filesize
271KB

MD5
b95747cad90e982d44da8fd74f50b9a6

SHA1
d7f267d2042f6b67f63542395ff6a5a1b3ba1250

SHA256
7b4d39265da2ddc442c1bc4335c92fe527bf6b8d644d4d465f1476a97a1fb153

SHA512
615d35780262f55313ccbe31e323bb6ba9787120ce06d5236a74844736543c7551e4e227e350bf1604208095165c42564234bb2dafe575785008683ae4e5393c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1796-1255-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/1796-1261-0x0000000071B70000-0x000000007225E000-memory.dmp

Filesize
6.9MB

Download
memory/1796-1262-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1796-1266-0x0000000071B70000-0x000000007225E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-564-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/2064-414-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/2064-410-0x0000000002EC0000-0x0000000002F2C000-memory.dmp

Filesize
432KB

Download
memory/2064-408-0x0000000002F90000-0x0000000003090000-memory.dmp

Filesize
1024KB

Download
memory/2196-176-0x0000000001530000-0x0000000001534000-memory.dmp

Filesize
16KB

Download
memory/2724-68-0x000001B0513C0000-0x000001B0513D0000-memory.dmp

Filesize
64KB

Download
memory/2724-85-0x000001B0513C0000-0x000001B0513D0000-memory.dmp

Filesize
64KB

Download
memory/2724-113-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-71-0x000001B069B40000-0x000001B069BB6000-memory.dmp

Filesize
472KB

Download
memory/2724-66-0x000001B069990000-0x000001B0699B2000-memory.dmp

Filesize
136KB

Download
memory/2724-109-0x000001B0513C0000-0x000001B0513D0000-memory.dmp

Filesize
64KB

Download
memory/2724-67-0x000001B0513C0000-0x000001B0513D0000-memory.dmp

Filesize
64KB

Download
memory/2724-65-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-1-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-2-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/2752-84-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-0-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/3212-59-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/3756-1371-0x000001CE6B290000-0x000001CE6B2A4000-memory.dmp

Filesize
80KB

Download
memory/3756-1374-0x000001CE6B380000-0x000001CE6B3A4000-memory.dmp

Filesize
144KB

Download
memory/3756-1368-0x000001CE51240000-0x000001CE51250000-memory.dmp

Filesize
64KB

Download
memory/3756-1369-0x000001CE6B320000-0x000001CE6B32C000-memory.dmp

Filesize
48KB

Download
memory/3756-1359-0x000001CE6B3F0000-0x000001CE6B400000-memory.dmp

Filesize
64KB

Download
memory/3756-1351-0x000001CE4D520000-0x000001CE50E18000-memory.dmp

Filesize
57.0MB

Download
memory/3756-1342-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/3756-1366-0x000001CE6B610000-0x000001CE6B720000-memory.dmp

Filesize
1.1MB

Download
memory/3756-1380-0x000001CE51220000-0x000001CE5122A000-memory.dmp

Filesize
40KB

Download
memory/3756-1384-0x000001CE6B3B0000-0x000001CE6B3DA000-memory.dmp

Filesize
168KB

Download
memory/3756-1382-0x000001CE6B950000-0x000001CE6BA02000-memory.dmp

Filesize
712KB

Download
memory/3756-1385-0x000001CE6BA00000-0x000001CE6BA7A000-memory.dmp

Filesize
488KB

Download
memory/3756-1387-0x000001CE6BA80000-0x000001CE6BAE2000-memory.dmp

Filesize
392KB

Download
memory/3756-1390-0x000001CE51230000-0x000001CE5123A000-memory.dmp

Filesize
40KB

Download
memory/3756-1396-0x000001CE6BBE0000-0x000001CE6BEE0000-memory.dmp

Filesize
3.0MB

Download
memory/4348-162-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-159-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-186-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-191-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-195-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-198-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-200-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-202-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-204-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-114-0x000002034A920000-0x000002034AB96000-memory.dmp

Filesize
2.5MB

Download
memory/4348-149-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-182-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-177-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-164-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-184-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-493-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/4348-115-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-500-0x000002034A910000-0x000002034A920000-memory.dmp

Filesize
64KB

Download
memory/4348-116-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-136-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-118-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-120-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-122-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-57-0x000002034A910000-0x000002034A920000-memory.dmp

Filesize
64KB

Download
memory/4348-153-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-54-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/4348-124-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-46-0x0000020330390000-0x0000020330396000-memory.dmp

Filesize
24KB

Download
memory/4348-126-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-132-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-130-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-128-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-138-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-144-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-146-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-140-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4348-151-0x000002034A920000-0x000002034AB91000-memory.dmp

Filesize
2.4MB

Download
memory/4436-106-0x00000000074F0000-0x0000000007540000-memory.dmp

Filesize
320KB

Download
memory/4436-56-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/4436-23-0x0000000006120000-0x000000000615E000-memory.dmp

Filesize
248KB

Download
memory/4436-24-0x0000000006160000-0x00000000061AB000-memory.dmp

Filesize
300KB

Download
memory/4436-25-0x0000000006430000-0x00000000065F2000-memory.dmp

Filesize
1.8MB

Download
memory/4436-31-0x0000000006B30000-0x000000000705C000-memory.dmp

Filesize
5.2MB

Download
memory/4436-32-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download
memory/4436-338-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/4436-33-0x0000000007560000-0x0000000007A5E000-memory.dmp

Filesize
5.0MB

Download
memory/4436-45-0x0000000006770000-0x00000000067E6000-memory.dmp

Filesize
472KB

Download
memory/4436-8-0x0000000000450000-0x0000000000472000-memory.dmp

Filesize
136KB

Download
memory/4436-17-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4436-12-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/4436-13-0x0000000004B90000-0x0000000004BF6000-memory.dmp

Filesize
408KB

Download
memory/4436-16-0x0000000005230000-0x000000000533A000-memory.dmp

Filesize
1.0MB

Download
memory/4436-14-0x00000000056B0000-0x0000000005CB6000-memory.dmp

Filesize
6.0MB

Download
memory/4436-15-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/4688-551-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4960-497-0x0000000002ED0000-0x0000000002FD0000-memory.dmp

Filesize
1024KB

Download
memory/4960-508-0x0000000000400000-0x0000000002D21000-memory.dmp

Filesize
41.1MB

Download
memory/4960-499-0x0000000002E70000-0x0000000002E97000-memory.dmp

Filesize
156KB

Download
memory/4960-1233-0x0000000000400000-0x0000000002D21000-memory.dmp

Filesize
41.1MB

Download