d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1

Analysis

max time kernel
64s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Size

6.4MB
MD5

df1740e232cb77b02d8c0ab23e589601
SHA1

2e7551693cb138047c9328be85a912eb6395df52
SHA256

d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1
SHA512

e45eae7e84ad186dbed9bbc785edef3f56e204898bf5b8eafe0f159f4c2a2a5d95c92d0685b0da7ff55c0e4d279faeeeb690fdddcb2df5953f1681988f929886

Score

10^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 17 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	acprotect
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	acprotect
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	acprotect
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	acprotect
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	acprotect
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	acprotect

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Drivers directory 1 IoCs

Processes:

d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

description ioc process

File created C:\Windows\system32\drivers\NmYzNWFkYzJ d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Executes dropped EXE 3 IoCs

Processes:

M2U1OGE1.exeM2U1OGE1.exeM2U1OGE1.exe

pid process

976 M2U1OGE1.exe
1072 M2U1OGE1.exe
952 M2U1OGE1.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\NmYzNWFkYzJ	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

pid	process
976	M2U1OGE1.exe
1072	M2U1OGE1.exe
952	M2U1OGE1.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	upx
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	upx
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	upx
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	upx
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	upx
\Windows\Temp\nsy2F7E.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll	upx

Loads dropped DLL 64 IoCs

Processes:

d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exed3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

pid	process
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

M2U1OGE1.exed3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\ote1ztbmztdjnz\ = "0"	M2U1OGE1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\NmYzNWFkYzJ.sys = "0"	M2U1OGE1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\YzI5YTUwMTJjN2NiM = "0"	M2U1OGE1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\NmYzNWFkYzJ = "0"	M2U1OGE1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0"	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\YzI5YTUwMTJjN2NiM.exe = "0"	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\NmYzNWFkYzJ = "0"	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\OTE1ZTBmZTdjNz = "0"	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

Processes:

M2U1OGE1.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SSL\xtls2.db	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	M2U1OGE1.exe
File created	C:\Windows\SysWOW64\SSL\x2.db	M2U1OGE1.exe
File created	C:\Windows\SysWOW64\SSL\xtls2.db	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	M2U1OGE1.exe
File created	C:\Windows\SysWOW64\SSL\xv2.db	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\SSL\x2.db	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xv2.db	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\SSL\cert.db	M2U1OGE1.exe
File created	C:\Windows\SysWOW64\SSL\cert.db	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\SSL\NTQ4YmFlNz 2.cer	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	M2U1OGE1.exe
File created	C:\Windows\SysWOW64\__02EFE15B__C0000005.dmp	M2U1OGE1.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 19 IoCs

Processes:

d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exeM2U1OGE1.exe

description	ioc	process
File created	C:\Program Files\OTE1ZTBmZTdjNz\softokn3.dll	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File opened for modification	C:\Program Files\OTE1ZTBmZTdjNz\service.dat	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File opened for modification	\??\c:\program files\ote1ztbmztdjnz\ZGJiYWFjOTE3MGMzOW	M2U1OGE1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\service_64.dat	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\MTIzNG.ico	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File opened for modification	C:\Program Files\OTE1ZTBmZTdjNz\YjE5ZWY1YTQ3OTgx.exe	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\mozcrt19.dll	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File opened for modification	C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File opened for modification	C:\Program Files\OTE1ZTBmZTdjNz\service_64.dat	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\YzI5YTUwMTJjN2NiM.exe	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\service.dat	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\nss3.dll	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\nspr4.dll	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\plc4.dll	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\plds4.dll	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\WBE_uninstall.dat	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\YjE5ZWY1YTQ3OTgx.exe	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Program Files\OTE1ZTBmZTdjNz\ZGJiYWFjOTE3MGMzOW	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

Drops file in Windows directory 3 IoCs

Processes:

M2U1OGE1.exed3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

description	ioc	process
File created	C:\Windows\flygx.flygf	M2U1OGE1.exe
File created	C:\Windows\YzI5YTUwMTJjN2NiM.exe	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
File created	C:\Windows\uninstaller.dat	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 44 IoCs

Processes:

M2U1OGE1.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	M2U1OGE1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30b94b7da26cd801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	M2U1OGE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	M2U1OGE1.exe

Modifies registry class 2 IoCs

Processes:

M2U1OGE1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9	M2U1OGE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "OTE1ZTBmZTdjNz"	M2U1OGE1.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

M2U1OGE1.exed3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C51033028F59374F2B5523B970594A97C140EB81	M2U1OGE1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C51033028F59374F2B5523B970594A97C140EB81\Blob = 140000000100000014000000407668024a1a4c703ad3cb199c66f2ad004e3c85030000000100000014000000c51033028f59374f2b5523b970594a97c140eb810f0000000100000020000000eac884253cb5850898af94bb1d1114af1e8cfb94cb77d693c44e4be2fac09e152000000001000000fc020000308202f8308201e0a003020102021100ffa9e8ab6fb7f7c58dcb747351685970300d06092a864886f70d01010b05003024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a20323020170d3032303532353233333732375a180f32303632303531303233333732375a3024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010015337b2b21a6f9ebd018b1814f8e6ec02d35db07f5f282b4ae5a1ca24e8480bd5ad21b8a933695c0e96ce3076b19187c52ccc3f240143c97ea600e82fc24d125b22da911bcf92bf297670761da2e16bd6d4dd2ad8d2de8e6b302ba580e2f7b13d847db1b98de17abd928aea1845b1655fa8a2560e1be230084a6e71aeee789cdb0f3d07818b0f15cd0a42c88dd1b95335359f579dd55fa1177e972dcac5b2e29d9c4998423091c4b8653e4af343f2b431fefc0cac1a0b81e6a5efeee557d3887ea46698826ded8ff49aea61ecd8904b4d7072c3ac8daf714a5ee100d734be448a1ff2d79c56dac6206ae716d0d4a589f3081398c8e8f08212e56b3fda86007b3	M2U1OGE1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C51033028F59374F2B5523B970594A97C140EB81\Blob = 1900000001000000100000002167f922259fe0e5384e23e40eecfa010f0000000100000020000000eac884253cb5850898af94bb1d1114af1e8cfb94cb77d693c44e4be2fac09e15030000000100000014000000c51033028f59374f2b5523b970594a97c140eb81140000000100000014000000407668024a1a4c703ad3cb199c66f2ad004e3c852000000001000000fc020000308202f8308201e0a003020102021100ffa9e8ab6fb7f7c58dcb747351685970300d06092a864886f70d01010b05003024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a20323020170d3032303532353233333732375a180f32303632303531303233333732375a3024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010015337b2b21a6f9ebd018b1814f8e6ec02d35db07f5f282b4ae5a1ca24e8480bd5ad21b8a933695c0e96ce3076b19187c52ccc3f240143c97ea600e82fc24d125b22da911bcf92bf297670761da2e16bd6d4dd2ad8d2de8e6b302ba580e2f7b13d847db1b98de17abd928aea1845b1655fa8a2560e1be230084a6e71aeee789cdb0f3d07818b0f15cd0a42c88dd1b95335359f579dd55fa1177e972dcac5b2e29d9c4998423091c4b8653e4af343f2b431fefc0cac1a0b81e6a5efeee557d3887ea46698826ded8ff49aea61ecd8904b4d7072c3ac8daf714a5ee100d734be448a1ff2d79c56dac6206ae716d0d4a589f3081398c8e8f08212e56b3fda86007b3	M2U1OGE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C51033028F59374F2B5523B970594A97C140EB81\Blob = 030000000100000014000000c51033028f59374f2b5523b970594a97c140eb812000000001000000fc020000308202f8308201e0a003020102021100ffa9e8ab6fb7f7c58dcb747351685970300d06092a864886f70d01010b05003024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a20323020170d3032303532353233333732375a180f32303632303531303233333732375a3024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010015337b2b21a6f9ebd018b1814f8e6ec02d35db07f5f282b4ae5a1ca24e8480bd5ad21b8a933695c0e96ce3076b19187c52ccc3f240143c97ea600e82fc24d125b22da911bcf92bf297670761da2e16bd6d4dd2ad8d2de8e6b302ba580e2f7b13d847db1b98de17abd928aea1845b1655fa8a2560e1be230084a6e71aeee789cdb0f3d07818b0f15cd0a42c88dd1b95335359f579dd55fa1177e972dcac5b2e29d9c4998423091c4b8653e4af343f2b431fefc0cac1a0b81e6a5efeee557d3887ea46698826ded8ff49aea61ecd8904b4d7072c3ac8daf714a5ee100d734be448a1ff2d79c56dac6206ae716d0d4a589f3081398c8e8f08212e56b3fda86007b3	M2U1OGE1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C51033028F59374F2B5523B970594A97C140EB81\Blob = 0f0000000100000020000000eac884253cb5850898af94bb1d1114af1e8cfb94cb77d693c44e4be2fac09e15030000000100000014000000c51033028f59374f2b5523b970594a97c140eb812000000001000000fc020000308202f8308201e0a003020102021100ffa9e8ab6fb7f7c58dcb747351685970300d06092a864886f70d01010b05003024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a20323020170d3032303532353233333732375a180f32303632303531303233333732375a3024310b300906035504061302454e3115301306035504030c0c4e545134596d466c4e7a203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010015337b2b21a6f9ebd018b1814f8e6ec02d35db07f5f282b4ae5a1ca24e8480bd5ad21b8a933695c0e96ce3076b19187c52ccc3f240143c97ea600e82fc24d125b22da911bcf92bf297670761da2e16bd6d4dd2ad8d2de8e6b302ba580e2f7b13d847db1b98de17abd928aea1845b1655fa8a2560e1be230084a6e71aeee789cdb0f3d07818b0f15cd0a42c88dd1b95335359f579dd55fa1177e972dcac5b2e29d9c4998423091c4b8653e4af343f2b431fefc0cac1a0b81e6a5efeee557d3887ea46698826ded8ff49aea61ecd8904b4d7072c3ac8daf714a5ee100d734be448a1ff2d79c56dac6206ae716d0d4a589f3081398c8e8f08212e56b3fda86007b3	M2U1OGE1.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeM2U1OGE1.exe

pid process

1424 powershell.exe
2016 powershell.exe
1840 powershell.exe
1628 powershell.exe
952 M2U1OGE1.exe
952 M2U1OGE1.exe
952 M2U1OGE1.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460

pid	process
1424	powershell.exe
2016	powershell.exe
1840	powershell.exe
1628	powershell.exe
952	M2U1OGE1.exe
952	M2U1OGE1.exe
952	M2U1OGE1.exe

pid	process
460
460

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exed3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exeM2U1OGE1.exe

description	pid	process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeTakeOwnershipPrivilege	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Token: SeRestorePrivilege	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
Token: SeBackupPrivilege	952	M2U1OGE1.exe
Token: SeSecurityPrivilege	952	M2U1OGE1.exe
Token: SeSecurityPrivilege	952	M2U1OGE1.exe
Token: SeSecurityPrivilege	952	M2U1OGE1.exe
Token: SeSecurityPrivilege	952	M2U1OGE1.exe
Token: SeSecurityPrivilege	952	M2U1OGE1.exe
Token: SeDebugPrivilege	952	M2U1OGE1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.execmd.execmd.exenet.exed3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.execmd.execmd.exe

description	pid	process	target process
PID 968 wrote to memory of 1644	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 968 wrote to memory of 1644	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 968 wrote to memory of 1644	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 968 wrote to memory of 1644	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1644 wrote to memory of 1424	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 1424	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 1424	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 1424	1644	cmd.exe	powershell.exe
PID 968 wrote to memory of 1324	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 968 wrote to memory of 1324	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 968 wrote to memory of 1324	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 968 wrote to memory of 1324	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	powershell.exe
PID 968 wrote to memory of 380	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 380	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 380	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 380	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 1688	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	net.exe
PID 968 wrote to memory of 1688	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	net.exe
PID 968 wrote to memory of 1688	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	net.exe
PID 968 wrote to memory of 1688	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	net.exe
PID 1688 wrote to memory of 1584	1688	net.exe	net1.exe
PID 1688 wrote to memory of 1584	1688	net.exe	net1.exe
PID 1688 wrote to memory of 1584	1688	net.exe	net1.exe
PID 1688 wrote to memory of 1584	1688	net.exe	net1.exe
PID 1244 wrote to memory of 1500	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1244 wrote to memory of 1500	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1244 wrote to memory of 1500	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1244 wrote to memory of 1500	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1500 wrote to memory of 1840	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 1840	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 1840	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 1840	1500	cmd.exe	powershell.exe
PID 1244 wrote to memory of 992	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1244 wrote to memory of 992	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1244 wrote to memory of 992	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 1244 wrote to memory of 992	1244	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	cmd.exe
PID 992 wrote to memory of 1628	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 1628	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 1628	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 1628	992	cmd.exe	powershell.exe
PID 968 wrote to memory of 1108	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 1108	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 1108	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 1108	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	sc.exe
PID 968 wrote to memory of 960	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 960	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 960	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 960	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1936	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1936	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1936	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1936	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1996	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1996	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1996	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1996	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1836	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1836	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1836	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe
PID 968 wrote to memory of 1836	968	d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
"C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe\""
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe\"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsyFC99.tmp\""
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsyFC99.tmp\"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\sc.exe
sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe" /wl 1"
2⤵
PID:380

C:\Windows\SysWOW64\net.exe
net start --
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start --
3⤵
PID:1584

C:\Windows\SysWOW64\sc.exe
sc delete --
2⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
2⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32
2⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64
2⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
2⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32
2⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64
2⤵
PID:2008

C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe
"C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe" --install_updater 0
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:976

C:\Windows\SysWOW64\sc.exe
sc create MzAxZmFj binPath= "rundll32.exe C:\Windows\flygx.flygf ADucfIaK" start= auto
3⤵
PID:956

C:\Windows\SysWOW64\sc.exe
sc failure MzAxZmFj reset= 30 actions= restart/5000
3⤵
PID:1744

C:\Windows\SysWOW64\sc.exe
sc create NmYzNWFkYzJ binpath= "C:\Windows\system32\drivers\NmYzNWFkYzJ" DisplayName= NmYzNWFkYzJ type= kernel start= system group= PNP_TDI
2⤵
PID:1332

C:\Windows\SysWOW64\sc.exe
sc start NmYzNWFkYzJ
2⤵
PID:700

C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe
"C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe" --service
2⤵
- Executes dropped EXE
- Modifies registry class
PID:1072

C:\Windows\SysWOW64\sc.exe
sc failure OTE1ZTBmZTdjNz reset= 60 actions= restart/5000/restart/5000/restart/5000
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe
C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe /wl 1
1⤵
- Loads dropped DLL
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe\""
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\d3d368d55c46063e3fc5d22ca09b973398cf9286211eefa469acd97310ee34b1.exe\"
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Windows\TEMP\nso21D5.tmp\""
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Add-MpPreference -ExclusionPath \"C:\Windows\TEMP\nso21D5.tmp\"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe
"C:\Program Files\OTE1ZTBmZTdjNz\M2U1OGE1.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0f5c1a92131d55cdc6125aaad5a68aed

SHA1
44cdaaebbd389d9e274d4ce7e87e0f48b98793c2

SHA256
e43ac4fe4d692e63accc973fe75872f55842854b782851a41a4dffc48d8ee31f

SHA512
be35da6ff5497251d5d62a37d8eca904e1c43d0eac71441890f4778decd1318fac15cca3e84dfcc6d54ee4b39ef12c6b4c5e99a83799d61c0a98c0ff4067f6d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\IpConfig.dll
Filesize
118KB

MD5
a75e3775daac9958610ce1308e0bca3b

SHA1
d83ce354cde527c2e20fb425415f6d4795dd4cd4

SHA256
fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720

SHA512
48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\MoreInfo.dll
Filesize
7KB

MD5
bd393029cc49b415b6c9aeb8a4936516

SHA1
c67fd92fffd18941bed41bfd6ac4f3b04fd123df

SHA256
227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026

SHA512
3bb8e5cf4bea7e8adaa62196e58fff9031f49fd4efa78e5bd3e4b9c4e9ba1523864567521793053595d90abec719761a5964ff3abe04b93b24d52e5ffa4c1f96

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NSISList.dll
Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NSISList.dll
Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NSISList.dll
Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\System.dll
Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\inetc.dll
Filesize
24KB

MD5
1fc1fbb2c7a14b7901fc9abbd6dbef10

SHA1
4d9ed86f31075a3d3f674ff78f39c190a4098126

SHA256
4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e

SHA512
76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\inetc.dll
Filesize
24KB

MD5
1fc1fbb2c7a14b7901fc9abbd6dbef10

SHA1
4d9ed86f31075a3d3f674ff78f39c190a4098126

SHA256
4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e

SHA512
76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\inetc.dll
Filesize
24KB

MD5
1fc1fbb2c7a14b7901fc9abbd6dbef10

SHA1
4d9ed86f31075a3d3f674ff78f39c190a4098126

SHA256
4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e

SHA512
76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\inetc.dll
Filesize
24KB

MD5
1fc1fbb2c7a14b7901fc9abbd6dbef10

SHA1
4d9ed86f31075a3d3f674ff78f39c190a4098126

SHA256
4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e

SHA512
76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D7.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFC99.tmp\VYIkNlXjrQC.dll
Filesize
1.0MB

MD5
c2934c3b593917c74121f80a492e5599

SHA1
d1376b9e080c4312ab59aa5751d5a315962bee9a

SHA256
e59d8c8118f602305870fb60e8569e5947c7aca94f7b895e9fd363531bb30a8d

SHA512
047f99bc95f2e954352b229663219126ee34719ff6e8a5ef21ae83ce8cfb20d379744b112c2501e99fb23acc46c50ff510fd73275614b2d953a70e924dffcae3

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFC99.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFC99.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFC99.tmp\znsWbETcgRk.dll
Filesize
609KB

MD5
d400b79ff5a0e3a8352e4317d29deeef

SHA1
109a744edcde024d0ea1c3d2e0ad1538f6bdd9c2

SHA256
02ea7ca8962249a2890c13c94e08b3ffad26169edd5f12d98ea6b3e9a729e964

SHA512
7679bbb679353a31cb14b8eedc687e6a40e06e5361411366f46bb3868ae9d35a24f2eb1618ccba9a3a8db02590f3d6da90d2bd1802a32c9642ca7dd0d031ba9e

Download Submit
\Windows\Temp\nso21D5.tmp\VYIkNlXjrQC.dll
Filesize
1.0MB

MD5
c2934c3b593917c74121f80a492e5599

SHA1
d1376b9e080c4312ab59aa5751d5a315962bee9a

SHA256
e59d8c8118f602305870fb60e8569e5947c7aca94f7b895e9fd363531bb30a8d

SHA512
047f99bc95f2e954352b229663219126ee34719ff6e8a5ef21ae83ce8cfb20d379744b112c2501e99fb23acc46c50ff510fd73275614b2d953a70e924dffcae3

Download Submit
\Windows\Temp\nso21D5.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Windows\Temp\nso21D5.tmp\nsExec.dll
Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Windows\Temp\nso21D5.tmp\znsWbETcgRk.dll
Filesize
609KB

MD5
d400b79ff5a0e3a8352e4317d29deeef

SHA1
109a744edcde024d0ea1c3d2e0ad1538f6bdd9c2

SHA256
02ea7ca8962249a2890c13c94e08b3ffad26169edd5f12d98ea6b3e9a729e964

SHA512
7679bbb679353a31cb14b8eedc687e6a40e06e5361411366f46bb3868ae9d35a24f2eb1618ccba9a3a8db02590f3d6da90d2bd1802a32c9642ca7dd0d031ba9e

Download Submit
\Windows\Temp\nsy2F7E.tmp\IpConfig.dll
Filesize
118KB

MD5
a75e3775daac9958610ce1308e0bca3b

SHA1
d83ce354cde527c2e20fb425415f6d4795dd4cd4

SHA256
fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720

SHA512
48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6

Download Submit
\Windows\Temp\nsy2F7E.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Windows\Temp\nsy2F7E.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Windows\Temp\nsy2F7E.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Windows\Temp\nsy2F7E.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Windows\Temp\nsy2F7E.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Windows\Temp\nsy2F7E.tmp\System.dll
Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
\Windows\Temp\nsy2F7E.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Windows\Temp\nsy2F7E.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Windows\Temp\nsy2F7E.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Windows\Temp\nsy2F7E.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Windows\Temp\nsy2F7E.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Windows\Temp\nsy2F7E.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
memory/380-79-0x0000000000000000-mapping.dmp

Download
memory/700-170-0x0000000000000000-mapping.dmp

Download
memory/952-180-0x0000000002C30000-0x0000000003282000-memory.dmp

Filesize
6.3MB

Download
memory/956-166-0x0000000000000000-mapping.dmp

Download
memory/960-121-0x0000000000000000-mapping.dmp

Download
memory/968-119-0x0000000006F70000-0x0000000007058000-memory.dmp

Filesize
928KB

Download
memory/968-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/968-70-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/968-80-0x0000000000400000-0x0000000002633000-memory.dmp

Filesize
34.2MB

Download
memory/976-162-0x0000000003E90000-0x00000000044E2000-memory.dmp

Filesize
6.3MB

Download
memory/976-160-0x0000000000000000-mapping.dmp

Download
memory/992-91-0x0000000000000000-mapping.dmp

Download
memory/1072-171-0x0000000000000000-mapping.dmp

Download
memory/1072-173-0x0000000003FF0000-0x0000000004642000-memory.dmp

Filesize
6.3MB

Download
memory/1108-118-0x0000000000000000-mapping.dmp

Download
memory/1204-177-0x0000000000000000-mapping.dmp

Download
memory/1244-104-0x0000000002B70000-0x0000000002B83000-memory.dmp

Filesize
76KB

Download
memory/1244-99-0x0000000002B40000-0x0000000002B67000-memory.dmp

Filesize
156KB

Download
memory/1244-113-0x0000000005940000-0x0000000005A28000-memory.dmp

Filesize
928KB

Download
memory/1244-114-0x0000000005940000-0x0000000005A28000-memory.dmp

Filesize
928KB

Download
memory/1244-115-0x0000000000400000-0x0000000002633000-memory.dmp

Filesize
34.2MB

Download
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1332-168-0x0000000000000000-mapping.dmp

Download
memory/1424-59-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1424-57-0x0000000000000000-mapping.dmp

Download
memory/1500-86-0x0000000000000000-mapping.dmp

Download
memory/1584-83-0x0000000000000000-mapping.dmp

Download
memory/1628-94-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-92-0x0000000000000000-mapping.dmp

Download
memory/1644-56-0x0000000000000000-mapping.dmp

Download
memory/1668-129-0x0000000000000000-mapping.dmp

Download
memory/1688-82-0x0000000000000000-mapping.dmp

Download
memory/1744-167-0x0000000000000000-mapping.dmp

Download
memory/1836-127-0x0000000000000000-mapping.dmp

Download
memory/1840-87-0x0000000000000000-mapping.dmp

Download
memory/1840-89-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-123-0x0000000000000000-mapping.dmp

Download
memory/1996-125-0x0000000000000000-mapping.dmp

Download
memory/2008-131-0x0000000000000000-mapping.dmp

Download
memory/2016-62-0x0000000000000000-mapping.dmp

Download
memory/2016-65-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download