Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/05/2024, 17:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    259a5f46d6fd81c34a3a1dc5c65729e7a63d73627765fdaf7e0760a704609256.exe

  • Size

    1.9MB

  • MD5

    069ccf3cfa7a0ac6bfef6250253271a9

  • SHA1

    53eb649ca18ef5fc853801525e1c9ffdb117bf56

  • SHA256

    259a5f46d6fd81c34a3a1dc5c65729e7a63d73627765fdaf7e0760a704609256

  • SHA512

    80845482df0c1bbdb6668fe888da21be8caf4287121986d693d02179879f9cc7d40761e9c70371bf421f0c4fb8a8173367d703f85e49bbb1720c427e951c7329

  • SSDEEP

    49152:uJtMxRk93te6a91C0D8RbqrnyjhmtV4RvJQ0q0+3OSc:A2Rk93tNWc0D8RTMtahJF+O

Score
10/10
amadeygluptebastealczgratdiscoverydropperevasionexecutionloaderpersistenceratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.7

Attributes
  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect ZGRat V1 3 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 11 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 16 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\259a5f46d6fd81c34a3a1dc5c65729e7a63d73627765fdaf7e0760a704609256.exe
    "C:\Users\Admin\AppData\Local\Temp\259a5f46d6fd81c34a3a1dc5c65729e7a63d73627765fdaf7e0760a704609256.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
        "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4548
        • C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe
          "C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1420
          • C:\Users\Admin\AppData\Local\Temp\u13g.0.exe
            "C:\Users\Admin\AppData\Local\Temp\u13g.0.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1464
          • C:\Users\Admin\AppData\Local\Temp\u13g.1.exe
            "C:\Users\Admin\AppData\Local\Temp\u13g.1.exe"
            5⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4220
            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
              "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2372
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1596
            5⤵
            • Program crash
            PID:1428
        • C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe
          "C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe"
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:2440
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 384
            5⤵
            • Program crash
            PID:3136
        • C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
          "C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4672
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4564
          • C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
            "C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3300
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Command and Scripting Interpreter: PowerShell
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3860
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:788
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                7⤵
                • Modifies Windows Firewall
                PID:4220
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Command and Scripting Interpreter: PowerShell
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4588
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Command and Scripting Interpreter: PowerShell
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4444
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Manipulates WinMonFS driver.
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                7⤵
                • Drops file in System32 directory
                • Command and Scripting Interpreter: PowerShell
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4020
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                7⤵
                • Creates scheduled task(s)
                PID:436
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn ScheduledUpdate /f
                7⤵
                  PID:3820
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  7⤵
                  • Drops file in System32 directory
                  • Command and Scripting Interpreter: PowerShell
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:564
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  7⤵
                  • Drops file in System32 directory
                  • Command and Scripting Interpreter: PowerShell
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2528
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2616
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  7⤵
                  • Creates scheduled task(s)
                  PID:4140
                • C:\Windows\windefender.exe
                  "C:\Windows\windefender.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2588
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3076
                    • C:\Windows\SysWOW64\sc.exe
                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      9⤵
                      • Launches sc.exe
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4020
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2440 -ip 2440
      1⤵
        PID:1372
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1420 -ip 1420
        1⤵
          PID:3860
        • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
          C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2132
        • C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
          C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
          1⤵
          • Executes dropped EXE
          PID:3136
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:2868
        • C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
          C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
          1⤵
          • Executes dropped EXE
          PID:2760
        • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
          C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:1944

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        1
        T1112

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Unsecured Credentials

        3
        T1552

        Credentials In Files

        3
        T1552.001

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        7
        T1012

        System Information Discovery

        5
        T1082

        Virtualization/Sandbox Evasion

        2
        T1497

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Are.docx
          Filesize

          11KB

          MD5

          a33e5b189842c5867f46566bdbf7a095

          SHA1

          e1c06359f6a76da90d19e8fd95e79c832edb3196

          SHA256

          5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

          SHA512

          f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

          Download Submit

        • C:\ProgramData\mozglue.dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          Download Submit

        • C:\ProgramData\nss3.dll
          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
          Filesize

          418KB

          MD5

          0099a99f5ffb3c3ae78af0084136fab3

          SHA1

          0205a065728a9ec1133e8a372b1e3864df776e8c

          SHA256

          919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

          SHA512

          5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe
          Filesize

          386KB

          MD5

          258e2128803910f3b69a21d5bae342c4

          SHA1

          fa9bb27e5804e43b268f063b69d40d8b9d6e05fc

          SHA256

          7954fe796c7bdfd2286b9c29349d8f349f02a0cb53e19bb5bbeaef65108f9e33

          SHA512

          03027a8add75e227870f8db62472807709c7343be3376b8791c38c94a2f6a22859da21c6c2672e65a6ca1e9e697a6c63d094b1d03ff7ad150c1f52ff31cbcd42

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe
          Filesize

          240KB

          MD5

          6bcbbfac4eb7dbecb5a44983645a75db

          SHA1

          06335c12d2dc398efa4956674628debaf8a22b39

          SHA256

          f73c2ff7df05fca90c08e6ac7a30b97f56a5f62ddc1aed09e0970dc416f995aa

          SHA512

          550b13098d9842bc79b441721b6a93f085d75c274d7b5e0387fae87f9cf5a3566fb13694b5369149e093cb41a109fa015a9698f0553827c8c46c864083a54a33

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
          Filesize

          4.1MB

          MD5

          eb00d146a50bfc74d8281f4cca8fe3bc

          SHA1

          54761a16f66a52fdf5d878c9b5a2dcc964c93006

          SHA256

          fd23d52e2ce8268f9648e5239256f5960e62d681315653c776eea49f45ec7c15

          SHA512

          8d65e62e4a651b20f29a731e56f5cd08f1601dd97dfb5863d5c471303eed25981a0cf523c3fa1e672a59f599583aaca81e466575cb2c0609408c7a686f934019

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
          Filesize

          1.9MB

          MD5

          069ccf3cfa7a0ac6bfef6250253271a9

          SHA1

          53eb649ca18ef5fc853801525e1c9ffdb117bf56

          SHA256

          259a5f46d6fd81c34a3a1dc5c65729e7a63d73627765fdaf7e0760a704609256

          SHA512

          80845482df0c1bbdb6668fe888da21be8caf4287121986d693d02179879f9cc7d40761e9c70371bf421f0c4fb8a8173367d703f85e49bbb1720c427e951c7329

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwgtdzfg.dy5.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
          Filesize

          2KB

          MD5

          526cea11d76cace37eca4e0ec4161244

          SHA1

          b671670911d97672817bf950f66427a255236ce3

          SHA256

          45773c0ca5e8fc771ace2f765ec72edcc222cfaf0ea85c069f3729a5ba14fe2d

          SHA512

          1feffb70886392878d0b42cd277a1e42f86e5005a5c2ab728ceeb7ec9e6dcb222d48dca86608636a03a825804ff4c48bb1a4237f6b66bad5e9fe80be565da925

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\u13g.0.exe
          Filesize

          239KB

          MD5

          431c601846123a7b4aa67d75e31a3dfd

          SHA1

          0704a6551c01b3b5744e7b743b33ffa5be2b4ced

          SHA256

          0a9eab89753e07a01b1c5e0197acefea9cc05e5f7829823f811e7aa1d7b817b7

          SHA512

          87a0f6eb99baf620b25216ba491f4891154224ad44ecbbe209c5189585d4cc8abea25ef7b34d78608f074c00ce76374fe49252d76b693521363aced52e4cda27

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\u13g.1.exe
          Filesize

          4.6MB

          MD5

          397926927bca55be4a77839b1c44de6e

          SHA1

          e10f3434ef3021c399dbba047832f02b3c898dbd

          SHA256

          4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

          SHA512

          cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d0c46cad6c0778401e21910bd6b56b70

          SHA1

          7be418951ea96326aca445b8dfe449b2bfa0dca6

          SHA256

          9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

          SHA512

          057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          ad9bf035018737ed1f343b7ba947b584

          SHA1

          939a37b0f348e63fa4f9dc66b43304c10a1b1d69

          SHA256

          bae549d8981071e89c43d0a21b68935b6512ee49c45113a2a112d5c43e3455e0

          SHA512

          936c6591d35e163c323382180633b337f5ca76b8e81fe427c632a0b9f78771b7b3d6b42c6f31c0bd3a3663f718c7a615350b2c026aa08c5e2ba1db3593c0638a

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          90b9558e7e7ea1c0b024622582ed9afe

          SHA1

          3649601788e18124c16a4ad9fd9e6daef07f7206

          SHA256

          5070182d259a4d55b50038c77166ec329d27a15b224f1de8d1542daf0dce887f

          SHA512

          51b2168ba6a6df1bf1319bf5ae1a7b70258a1b2c35261c46c1fecc91b550713b58063aaa93b76ce69f284a776af86a8343f517e5e72a3d533e7818a5bbdb495e

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          8526d078fbbc026e29d246abdc5fa56c

          SHA1

          c7d1e463fbae95b049187baf50b16dff4fd628df

          SHA256

          6c87dee3cd13b377481424ef6ceffa18e97b56412862a05246e8906edaae9102

          SHA512

          b592d07feca3de35d3370cdbee5de350724ad247bea2d8bdc51742a852f5efbfa44cabfd06a489dc194ae6929d070fc5e0caf91155cc7d83c287a7a3d975e867

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          8aa992f276220fea0c35975b7180ebce

          SHA1

          f28ab57c37ef5e0f8ad86411125ee6c4bcd31e65

          SHA256

          86a1a982cc69e8d6ab2ee48e94db3a81eb5557305974265038b14af620fde02d

          SHA512

          c5e18757ba104d4c573a7ac459576ca60756b7190bc0d0f9af13632f44c1d00df19955f8738b6ba8d8102edb3bbeb81f2107ba862b760399766e6c9250708230

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          df4c597a36cb9e9bbf7235164d0b1ebb

          SHA1

          8aa453dab9192c8d85d520c314e2745a1d024a58

          SHA256

          6961a6760a7a1a8a754699fb169a5a7017acfce4e15912b1cc90cca24892b616

          SHA512

          85d5ba30dd0d424716afec2719602128076915344a7968a3bdb5335f7ca9db059b0b364a446a76b0fc24bbdee5840176183109ee14cb72b4631ffdb2aad2556a

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • memory/564-436-0x00000000730C0000-0x000000007310C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/564-437-0x000000006F5C0000-0x000000006F917000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1420-124-0x0000000000400000-0x000000000259D000-memory.dmp

          Filesize

          33.6MB

          Download

        • memory/1464-387-0x0000000000400000-0x0000000000793000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1464-322-0x0000000000400000-0x0000000000793000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1464-398-0x0000000000400000-0x0000000000793000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1464-221-0x0000000000400000-0x0000000000793000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1464-140-0x0000000061E00000-0x0000000061EF3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/1852-514-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1852-495-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1852-477-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1852-509-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1852-491-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1852-500-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1852-447-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1944-504-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/1944-505-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2132-335-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2132-325-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2372-329-0x000001A4B3BB0000-0x000001A4B3BCE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2372-288-0x000001A4AF090000-0x000001A4AF0E0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2372-300-0x000001A4B3DF0000-0x000001A4B3DFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2372-301-0x000001A4B3E10000-0x000001A4B3E72000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2372-302-0x000001A4B3E70000-0x000001A4B3E92000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2372-297-0x000001A4B3480000-0x000001A4B34B8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2372-298-0x000001A4B3450000-0x000001A4B345E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2372-299-0x000001A4B3470000-0x000001A4B3478000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2372-294-0x000001A4AF0E0000-0x000001A4AF3E0000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2372-290-0x000001A496310000-0x000001A49631A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2372-289-0x000001A4AF040000-0x000001A4AF062000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2372-287-0x000001A4AF010000-0x000001A4AF03A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2372-285-0x000001A4AEBC0000-0x000001A4AEBCA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2372-246-0x000001A490CF0000-0x000001A494524000-memory.dmp

          Filesize

          56.2MB

          Download

        • memory/2372-286-0x000001A4AEF60000-0x000001A4AF012000-memory.dmp

          Filesize

          712KB

          Download

        • memory/2372-278-0x000001A494A40000-0x000001A494A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2372-317-0x000001A4B3C50000-0x000001A4B3CC6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2372-281-0x000001A4AEB90000-0x000001A4AEBB4000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2372-306-0x000001A4B3B70000-0x000001A4B3B7C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2372-303-0x000001A4B43C0000-0x000001A4B48E8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/2372-296-0x000001A4B3B40000-0x000001A4B3B48000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2372-277-0x000001A4AED00000-0x000001A4AEE0A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2372-279-0x000001A496340000-0x000001A49634C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2372-280-0x000001A496330000-0x000001A496344000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2440-97-0x0000000000400000-0x0000000000793000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/2528-458-0x00000000730C0000-0x000000007310C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2528-459-0x000000006F5C0000-0x000000006F917000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2588-483-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2588-487-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2764-1-0x00000000779C6000-0x00000000779C8000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2764-3-0x0000000000BE0000-0x00000000010BB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2764-5-0x0000000000BE0000-0x00000000010BB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2764-17-0x0000000000BE0000-0x00000000010BB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2764-2-0x0000000000BE1000-0x0000000000C0F000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2764-0-0x0000000000BE0000-0x00000000010BB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2868-506-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2868-492-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2868-485-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3300-399-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3300-323-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3708-364-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-493-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-475-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-22-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-267-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-488-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-21-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-498-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-274-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-219-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-385-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-103-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-513-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-19-0x0000000000D21000-0x0000000000D4F000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3708-507-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-20-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-446-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3708-18-0x0000000000D20000-0x00000000011FB000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3860-318-0x0000000007760000-0x0000000007804000-memory.dmp

          Filesize

          656KB

          Download

        • memory/3860-308-0x000000006F1F0000-0x000000006F547000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3860-275-0x0000000006590000-0x00000000065DC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3860-319-0x0000000007A60000-0x0000000007A71000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3860-307-0x0000000072CA0000-0x0000000072CEC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3860-255-0x0000000006030000-0x0000000006387000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3860-320-0x0000000007AB0000-0x0000000007AC5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4020-413-0x000000006F5C0000-0x000000006F917000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4020-411-0x0000000006590000-0x00000000065DC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4020-412-0x00000000730C0000-0x000000007310C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4020-422-0x00000000075A0000-0x0000000007644000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4020-424-0x0000000007930000-0x0000000007941000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4020-425-0x0000000006120000-0x0000000006135000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4020-409-0x0000000005D60000-0x00000000060B7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4220-242-0x0000000000400000-0x00000000008AD000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4220-229-0x0000000000400000-0x00000000008AD000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4444-376-0x000000006F1F0000-0x000000006F547000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4444-375-0x0000000072CA0000-0x0000000072CEC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4564-131-0x0000000006040000-0x00000000060A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4564-216-0x0000000007B60000-0x0000000007B6A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4564-205-0x00000000079D0000-0x00000000079EE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4564-196-0x000000006F100000-0x000000006F457000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4564-195-0x000000006EF70000-0x000000006EFBC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4564-191-0x0000000007990000-0x00000000079C4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4564-179-0x0000000006B10000-0x0000000006B56000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4564-214-0x0000000008160000-0x00000000087DA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4564-175-0x0000000006610000-0x000000000665C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4564-174-0x0000000006550000-0x000000000656E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4564-156-0x00000000060B0000-0x0000000006407000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4564-215-0x0000000007B20000-0x0000000007B3A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4564-130-0x0000000005FD0000-0x0000000006036000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4564-206-0x00000000079F0000-0x0000000007A94000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4564-129-0x00000000057D0000-0x00000000057F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4564-128-0x0000000005930000-0x0000000005F5A000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4564-217-0x0000000007C20000-0x0000000007CB6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/4564-127-0x0000000003090000-0x00000000030C6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4564-218-0x0000000007B90000-0x0000000007BA1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4564-225-0x0000000007D00000-0x0000000007D08000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4564-222-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4564-224-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4564-223-0x0000000007BE0000-0x0000000007BF5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4588-346-0x0000000072CA0000-0x0000000072CEC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4588-347-0x000000006F1F0000-0x000000006F547000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4672-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4672-272-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download