orcus | e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Size

3.9MB
MD5

7185dd04ba69eac4b0c2b269843cfae3
SHA1

47427c2fb4e1a097304f801a9dc6815b84fa1519
SHA256

e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1
SHA512

150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Score

10^/10

orcus bootkit evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

dontreachme.ddns.net:3600

dontreachme2.ddns.net:3600

Mutex

637bdf863f424e26ae6741c39d47588d

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%appdata%\Windows Updater\Dupper.exe
reconnect_delay
10000
registry_keyname
WindowsUpdater
taskscheduler_taskname
WindowUpdater
watchdog_path
Temp\Updater.exe

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp98E9.tmp.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\tmp98E9.tmp.exe	disable_win_def
behavioral2/memory/2340-138-0x0000000000E60000-0x0000000000E68000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe	family_orcus
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe	family_orcus
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe	family_orcus
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe	family_orcus

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3388 created 3640 3388 svchost.exe aswOfferTool.exe
PID 3388 created 2396 3388 svchost.exe aswOfferTool.exe

description	pid	process	target process
PID 3388 created 3640	3388	svchost.exe	aswOfferTool.exe
PID 3388 created 2396	3388	svchost.exe	aswOfferTool.exe

Orcurs Rat Executable 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe	orcus
C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe	orcus
behavioral2/memory/3076-150-0x0000000000CC0000-0x0000000000DAC000-memory.dmp	orcus
behavioral2/memory/3616-163-0x0000000000000000-mapping.dmp	orcus
behavioral2/memory/3616-164-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral2/memory/3324-168-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe	orcus
behavioral2/memory/5076-223-0x0000000000000000-mapping.dmp	orcus
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe	orcus
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe	orcus
behavioral2/memory/2208-292-0x0000000000000000-mapping.dmp	orcus

Downloads MZ/PE file

Executes dropped EXE 53 IoCs

Processes:

tmp98E9.tmp.exeNew.exek3lswapdbr0.exek3lswapdbr0.exetmpB78D.tmp.exek3lswapdbr0.exetmpBA9A.tmp.exeWindowsInput.exeNew.exeavast_free_antivirus_setup_online_x64.exeWinInput.exeWindowsInput.exeNew.exeNew.exeNew.exeNew.exeinstup.exeDupper.exeNew.exeNew.exeDupper.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeNew.exeUpdater (1).exeUpdater (1).exeUpdater.exeNew.exeNew.exeNew.exeUpdater.exeUpdater.exeNew.exeUpdater.exeinstup.exeNew.exeNew.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeNew.exeNew.exeNew.exeNew.exe

pid	process
2340	tmp98E9.tmp.exe
3076	New.exe
3172	k3lswapdbr0.exe
3508	k3lswapdbr0.exe
4848	tmpB78D.tmp.exe
3324	k3lswapdbr0.exe
4668	tmpBA9A.tmp.exe
464	WindowsInput.exe
4280	New.exe
5012	avast_free_antivirus_setup_online_x64.exe
892	WinInput.exe
2072	WindowsInput.exe
1724	New.exe
3984	New.exe
3800	New.exe
4540	New.exe
1424	instup.exe
2364	Dupper.exe
5076	New.exe
3748	New.exe
2020	Dupper.exe
5044	Updater.exe
2348	Updater.exe
1864	Updater.exe
556	Updater.exe
5008	New.exe
3572	Updater (1).exe
4448	Updater (1).exe
4792	Updater.exe
4768	New.exe
3076	New.exe
4912	New.exe
4536	New.exe
2100	Updater.exe
4380	Updater.exe
4108	New.exe
3748	New.exe
4980	Updater.exe
3376	instup.exe
3592	New.exe
3596	New.exe
4876	aswOfferTool.exe
5028	aswOfferTool.exe
4540	aswOfferTool.exe
3640	aswOfferTool.exe
2272	aswOfferTool.exe
2396	aswOfferTool.exe
3748	aswOfferTool.exe
2904	aswOfferTool.exe
4328	New.exe
4432	New.exe
1852	New.exe
2208	New.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exek3lswapdbr0.exeNew.exeNew.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exek3lswapdbr0.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exeNew.exeUpdater (1).exek3lswapdbr0.exeNew.exeDupper.exeUpdater.exeUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	k3lswapdbr0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	k3lswapdbr0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Updater (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	k3lswapdbr0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Dupper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Updater.exe

Loads dropped DLL 15 IoCs

Processes:

tmpBA9A.tmp.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exe

pid	process
4668	tmpBA9A.tmp.exe
1424	instup.exe
1424	instup.exe
1424	instup.exe
1424	instup.exe
1424	instup.exe
1424	instup.exe
3376	instup.exe
3376	instup.exe
3376	instup.exe
3376	instup.exe
4540	aswOfferTool.exe
2272	aswOfferTool.exe
3748	aswOfferTool.exe
2904	aswOfferTool.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tmp98E9.tmp.exetmpB78D.tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tmp98E9.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tmpB78D.tmp.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Updater.exeNew.exeNew.exeNew.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exeNew.exeDupper.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Program Files (x86)\\Windows Updater\\Updater.exe\""	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscorelib = "\"C:\\ProgramData\\tcpsystem.exe\""	New.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscorelib = "\"C:\\ProgramData\\tcpsystem.exe\""	New.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscorelib = "\"C:\\ProgramData\\tcpsystem.exe\""	New.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscorelib = "\"C:\\ProgramData\\tcpsystem.exe\""	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscorelib = "\"C:\\ProgramData\\tcpsystem.exe\""	New.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater\\Dupper.exe\""	Dupper.exe

Checks for any installed AV software in registry 1 TTPs 31 IoCs

Security Software Discovery

T1063

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

instup.exetmpBA9A.tmp.exeavast_free_antivirus_setup_online_x64.exeinstup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	tmpBA9A.tmp.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Drops file in System32 directory 6 IoCs

Processes:

k3lswapdbr0.exeWindowsInput.exeWinInput.exeNew.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinInput.exe.config	k3lswapdbr0.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WinInput.InstallState	WinInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	New.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	New.exe
File created	C:\Windows\SysWOW64\WinInput.exe	k3lswapdbr0.exe

Suspicious use of SetThreadContext 20 IoCs

Processes:

e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exek3lswapdbr0.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exek3lswapdbr0.exeNew.exeNew.exeNew.exeNew.exeUpdater.exeNew.exeUpdater.exeNew.exeNew.exeUpdater.exeNew.exeNew.exeNew.exeNew.exe

description	pid	process	target process
PID 4876 set thread context of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 set thread context of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 3172 set thread context of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 208 set thread context of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 3508 set thread context of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 4280 set thread context of 1724	4280	New.exe	New.exe
PID 1724 set thread context of 4540	1724	New.exe	New.exe
PID 4540 set thread context of 5076	4540	New.exe	New.exe
PID 3748 set thread context of 5044	3748	New.exe	Updater.exe
PID 5044 set thread context of 1864	5044	Updater.exe	Updater.exe
PID 5008 set thread context of 4912	5008	New.exe	New.exe
PID 4792 set thread context of 4380	4792	Updater.exe	Updater.exe
PID 4912 set thread context of 4108	4912	New.exe	New.exe
PID 4536 set thread context of 3748	4536	New.exe	New.exe
PID 4380 set thread context of 4980	4380	Updater.exe	Updater.exe
PID 4108 set thread context of 3592	4108	New.exe	New.exe
PID 3748 set thread context of 3596	3748	New.exe	New.exe
PID 4328 set thread context of 4432	4328	New.exe	New.exe
PID 4432 set thread context of 1852	4432	New.exe	New.exe
PID 1852 set thread context of 2208	1852	New.exe	New.exe

Drops file in Program Files directory 3 IoCs

Processes:

k3lswapdbr0.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Updater\Updater.exe	k3lswapdbr0.exe
File opened for modification	C:\Program Files (x86)\Windows Updater\Updater.exe	k3lswapdbr0.exe
File created	C:\Program Files (x86)\Windows Updater\Updater.exe.config	k3lswapdbr0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3700 892 WerFault.exe WinInput.exe
840 3592 WerFault.exe New.exe

pid	pid_target	process	target process
3700	892	WerFault.exe	WinInput.exe
840	3592	WerFault.exe	New.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2540 schtasks.exe
3552 schtasks.exe
3156 schtasks.exe
3364 schtasks.exe

pid	process
2540	schtasks.exe
3552	schtasks.exe
3156	schtasks.exe
3364	schtasks.exe

Modifies registry class 64 IoCs

Processes:

instup.exeavast_free_antivirus_setup_online_x64.exeinstup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-9d4.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-9d4.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-9d4.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeavast_free_antivirus_setup_online_x64.exeNew.exeUpdater.exeDupper.exeUpdater (1).exeUpdater.exeNew.exe

pid	process
4664	powershell.exe
4664	powershell.exe
1528	powershell.exe
1528	powershell.exe
5012	avast_free_antivirus_setup_online_x64.exe
5012	avast_free_antivirus_setup_online_x64.exe
1724	New.exe
1724	New.exe
1724	New.exe
1724	New.exe
556	Updater.exe
556	Updater.exe
556	Updater.exe
2364	Dupper.exe
2364	Dupper.exe
2364	Dupper.exe
556	Updater.exe
2364	Dupper.exe
556	Updater.exe
556	Updater.exe
2364	Dupper.exe
2364	Dupper.exe
556	Updater.exe
2364	Dupper.exe
4448	Updater (1).exe
4448	Updater (1).exe
4448	Updater (1).exe
4448	Updater (1).exe
556	Updater.exe
1864	Updater.exe
1864	Updater.exe
1864	Updater.exe
1864	Updater.exe
2364	Dupper.exe
4448	Updater (1).exe
556	Updater.exe
1864	Updater.exe
2364	Dupper.exe
4448	Updater (1).exe
1864	Updater.exe
556	Updater.exe
5008	New.exe
5008	New.exe
5008	New.exe
5008	New.exe
1864	Updater.exe
4448	Updater (1).exe
2364	Dupper.exe
556	Updater.exe
2364	Dupper.exe
4448	Updater (1).exe
1864	Updater.exe
556	Updater.exe
1864	Updater.exe
4448	Updater (1).exe
2364	Dupper.exe
556	Updater.exe
2364	Dupper.exe
4448	Updater (1).exe
1864	Updater.exe
556	Updater.exe
1864	Updater.exe
4448	Updater (1).exe
2364	Dupper.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

powershell.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exepowershell.exeavast_free_antivirus_setup_online_x64.exeNew.exeinstup.exeNew.exeDupper.exeUpdater.exeUpdater.exeUpdater (1).exeUpdater (1).exeUpdater.exeNew.exeUpdater.exeinstup.exeNew.exeNew.exeaswOfferTool.exesvchost.exeaswOfferTool.exeNew.exe

description	pid	process
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: 32	5012	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	1724	New.exe
Token: 32	1424	instup.exe
Token: SeDebugPrivilege	1424	instup.exe
Token: SeDebugPrivilege	4540	New.exe
Token: SeDebugPrivilege	2364	Dupper.exe
Token: SeDebugPrivilege	2348	Updater.exe
Token: SeDebugPrivilege	556	Updater.exe
Token: SeDebugPrivilege	3572	Updater (1).exe
Token: SeDebugPrivilege	4448	Updater (1).exe
Token: SeDebugPrivilege	1864	Updater.exe
Token: SeDebugPrivilege	5008	New.exe
Token: SeDebugPrivilege	4792	Updater.exe
Token: SeDebugPrivilege	3376	instup.exe
Token: 32	3376	instup.exe
Token: SeDebugPrivilege	4108	New.exe
Token: SeDebugPrivilege	5076	New.exe
Token: SeDebugPrivilege	3640	aswOfferTool.exe
Token: SeImpersonatePrivilege	3640	aswOfferTool.exe
Token: SeTcbPrivilege	3388	svchost.exe
Token: SeTcbPrivilege	3388	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeRestorePrivilege	3388	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeRestorePrivilege	3388	svchost.exe
Token: SeDebugPrivilege	2396	aswOfferTool.exe
Token: SeImpersonatePrivilege	2396	aswOfferTool.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeRestorePrivilege	3388	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeRestorePrivilege	3388	svchost.exe
Token: SeDebugPrivilege	1852	New.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

instup.exeinstup.exe

pid process

1424 instup.exe
3376 instup.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

New.exe

pid process

3592 New.exe

pid	process
1424	instup.exe
3376	instup.exe

pid	process
3592	New.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exetmp98E9.tmp.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exek3lswapdbr0.exetmpB78D.tmp.exek3lswapdbr0.exeNew.exee65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe

description	pid	process	target process
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 4528	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4876 wrote to memory of 2340	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	tmp98E9.tmp.exe
PID 4876 wrote to memory of 2340	4876	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	tmp98E9.tmp.exe
PID 2340 wrote to memory of 4664	2340	tmp98E9.tmp.exe	powershell.exe
PID 2340 wrote to memory of 4664	2340	tmp98E9.tmp.exe	powershell.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 208	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4528 wrote to memory of 3076	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	New.exe
PID 4528 wrote to memory of 3076	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	New.exe
PID 4528 wrote to memory of 3076	4528	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	New.exe
PID 208 wrote to memory of 3172	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	k3lswapdbr0.exe
PID 208 wrote to memory of 3172	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	k3lswapdbr0.exe
PID 208 wrote to memory of 3172	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 3508	3172	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3172 wrote to memory of 4848	3172	k3lswapdbr0.exe	tmpB78D.tmp.exe
PID 3172 wrote to memory of 4848	3172	k3lswapdbr0.exe	tmpB78D.tmp.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 4848 wrote to memory of 1528	4848	tmpB78D.tmp.exe	powershell.exe
PID 4848 wrote to memory of 1528	4848	tmpB78D.tmp.exe	powershell.exe
PID 208 wrote to memory of 3616	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
PID 208 wrote to memory of 2480	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	cmd.exe
PID 208 wrote to memory of 2480	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	cmd.exe
PID 208 wrote to memory of 2480	208	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	cmd.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 3324	3508	k3lswapdbr0.exe	k3lswapdbr0.exe
PID 3508 wrote to memory of 4668	3508	k3lswapdbr0.exe	tmpBA9A.tmp.exe
PID 3508 wrote to memory of 4668	3508	k3lswapdbr0.exe	tmpBA9A.tmp.exe
PID 3508 wrote to memory of 4668	3508	k3lswapdbr0.exe	tmpBA9A.tmp.exe
PID 3076 wrote to memory of 464	3076	New.exe	WindowsInput.exe
PID 3076 wrote to memory of 464	3076	New.exe	WindowsInput.exe
PID 3616 wrote to memory of 4280	3616	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	New.exe
PID 3616 wrote to memory of 4280	3616	e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe	New.exe

C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
"C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
  "C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
    "C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe
      "C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3324
        
        C:\Windows\SysWOW64\WinInput.exe
        
        "C:\Windows\SysWOW64\WinInput.exe" --install
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 892 -s 1128
        8⤵
        Program crash
        
        PID:3700
        
        C:\Program Files (x86)\Windows Updater\Updater.exe
        
        "C:\Program Files (x86)\Windows Updater\Updater.exe"
        7⤵
        
        PID:3748
        
        C:\Program Files (x86)\Windows Updater\Updater.exe
        
        "C:\Program Files (x86)\Windows Updater\Updater.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5044
        
        C:\Program Files (x86)\Windows Updater\Updater.exe
        
        "C:\Program Files (x86)\Windows Updater\Updater.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Updater (1).exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updater (1).exe" /launchSelfAndExit "C:\Program Files (x86)\Windows Updater\Updater.exe" 1864 /protectFile
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\Updater (1).exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updater (1).exe" /watchProcess "C:\Program Files (x86)\Windows Updater\Updater.exe" 1864 "/protectFile"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\tmpBA9A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBA9A.tmp.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        
        PID:4668
        
        C:\Windows\Temp\asw.d9cc28bbacda5bd8\avast_free_antivirus_setup_online_x64.exe
        
        "C:\Windows\Temp\asw.d9cc28bbacda5bd8\avast_free_antivirus_setup_online_x64.exe" /ga_clientid:3a6bfe31-03da-41bc-b1a2-ed1a08706e53 /edat_dir:C:\Windows\Temp\asw.d9cc28bbacda5bd8
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\instup.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.960cc651eb57f1e0 /edition:1 /prod:ais /cookie:mmm_cbd_dlp_000_119_b /guid:99366505-efc2-48b9-956d-4d6f80808a7a /ga_clientid:3a6bfe31-03da-41bc-b1a2-ed1a08706e53 /ga_clientid:3a6bfe31-03da-41bc-b1a2-ed1a08706e53 /edat_dir:C:\Windows\Temp\asw.d9cc28bbacda5bd8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\instup.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.960cc651eb57f1e0 /edition:1 /prod:ais /cookie:mmm_cbd_dlp_000_119_b /guid:99366505-efc2-48b9-956d-4d6f80808a7a /ga_clientid:3a6bfe31-03da-41bc-b1a2-ed1a08706e53 /edat_dir:C:\Windows\Temp\asw.d9cc28bbacda5bd8 /online_installer
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe" -checkGToolbar -elevated
        10⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe" /check_secure_browser
        10⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe" -checkChrome -elevated
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4540
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2272
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3748
        
        C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.960cc651eb57f1e0\New_1604177b\aswOfferTool.exe" -checkChrome -elevated
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp.exe"
        5⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of WriteProcessMemory
        
        PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
      C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Users\Admin\AppData\Roaming\Update\New.exe
        
        "C:\Users\Admin\AppData\Roaming\Update\New.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4280
      - C:\Users\Admin\AppData\Roaming\Update\New.exe
        
        "C:\Users\Admin\AppData\Roaming\Update\New.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Update\New.exe
        
        "C:\Users\Admin\AppData\Roaming\Update\New.exe"
        7⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\Update\New.exe
        
        "C:\Users\Admin\AppData\Roaming\Update\New.exe"
        7⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Users\Admin\AppData\Roaming\Update\New.exe
        
        "C:\Users\Admin\AppData\Roaming\Update\New.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\Update\New.exe
        
        C:\Users\Admin\AppData\Roaming\Update\New.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Roaming\Update\New.exe /F
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Roaming\Update\New.exe /F
        9⤵
        Creates scheduled task(s)
        
        PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe /F
      4⤵
      PID:2480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Local\Temp\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe /F
        5⤵
        Creates scheduled task(s)
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe"
    3⤵
    PID:3076
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:464
  - - C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe
      "C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updater.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe" 2364 /protectFile
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
      - C:\Users\Admin\AppData\Local\Temp\Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updater.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe" 2364 "/protectFile"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
- C:\Users\Admin\AppData\Local\Temp\tmp98E9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp98E9.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 892 -ip 892
1⤵
PID:1856

C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe
"C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe"
1⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Roaming\Update\New.exe
C:\Users\Admin\AppData\Roaming\Update\New.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008
- C:\Users\Admin\AppData\Roaming\Update\New.exe
  "C:\Users\Admin\AppData\Roaming\Update\New.exe"
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Users\Admin\AppData\Roaming\Update\New.exe
  "C:\Users\Admin\AppData\Roaming\Update\New.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3076
- C:\Users\Admin\AppData\Roaming\Update\New.exe
  "C:\Users\Admin\AppData\Roaming\Update\New.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4912
- - C:\Users\Admin\AppData\Roaming\Update\New.exe
    "C:\Users\Admin\AppData\Roaming\Update\New.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
  - - C:\Users\Admin\AppData\Roaming\Update\New.exe
      C:\Users\Admin\AppData\Roaming\Update\New.exe
      4⤵
      Executes dropped EXE
      Suspicious use of UnmapMainImage
      PID:3592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 12
        5⤵
        Program crash
        
        PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Roaming\Update\New.exe /F
      4⤵
      PID:4280
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Roaming\Update\New.exe /F
        5⤵
        Creates scheduled task(s)
        
        PID:3156

C:\Program Files (x86)\Windows Updater\Updater.exe
"C:\Program Files (x86)\Windows Updater\Updater.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4792
- C:\Program Files (x86)\Windows Updater\Updater.exe
  "C:\Program Files (x86)\Windows Updater\Updater.exe"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Program Files (x86)\Windows Updater\Updater.exe
  "C:\Program Files (x86)\Windows Updater\Updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4380
- - C:\Program Files (x86)\Windows Updater\Updater.exe
    "C:\Program Files (x86)\Windows Updater\Updater.exe"
    3⤵
    - Executes dropped EXE
    PID:4980

C:\Users\Admin\AppData\Roaming\Update\New.exe
C:\Users\Admin\AppData\Roaming\Update\New.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4536
- C:\Users\Admin\AppData\Roaming\Update\New.exe
  "C:\Users\Admin\AppData\Roaming\Update\New.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3748
- - C:\Users\Admin\AppData\Roaming\Update\New.exe
    "C:\Users\Admin\AppData\Roaming\Update\New.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3592 -ip 3592
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\AppData\Roaming\Update\New.exe
C:\Users\Admin\AppData\Roaming\Update\New.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4328
- C:\Users\Admin\AppData\Roaming\Update\New.exe
  "C:\Users\Admin\AppData\Roaming\Update\New.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4432
- - C:\Users\Admin\AppData\Roaming\Update\New.exe
    "C:\Users\Admin\AppData\Roaming\Update\New.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
  - - C:\Users\Admin\AppData\Roaming\Update\New.exe
      C:\Users\Admin\AppData\Roaming\Update\New.exe
      4⤵
      Executes dropped EXE
      PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Roaming\Update\New.exe /F
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn FirefoxUpdate /tr C:\Users\Admin\AppData\Roaming\Update\New.exe /F
        5⤵
        Creates scheduled task(s)
        
        PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Updater\Updater.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Program Files (x86)\Windows Updater\Updater.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Program Files (x86)\Windows Updater\Updater.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Program Files (x86)\Windows Updater\Updater.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Program Files (x86)\Windows Updater\Updater.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
3KB

MD5
b235b74007559ea1419e161dce4b85ed

SHA1
1214a9df4daf1ad1516c9b852950a81477127977

SHA256
7ae234e1949623799c8e0352191abee539b448adecf80382333b00715f4be11a

SHA512
b8994e0e92e8f6317eaf9dcbf869db4c5280acd820505057eeb6eff737ea7de80e623cea16eb0ad625e41211bb64b8b1a77a4d556beceab5566ae52607ad987e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New.exe.log

Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Updater.exe.log

Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe.log

Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\k3lswapdbr0.exe.log

Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater (1).exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater (1).exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater (1).exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater (1).exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3lswapdbr0.exe

Filesize
5.6MB

MD5
b1f83a48685c830a9eefe83ff114e86d

SHA1
7a27f05059673762a4759e75915aa3dacdfea62d

SHA256
cce0cc648ab563887b0fb4bf5087554da0386255c38041edd17dbb6d5d628018

SHA512
d00d1a8b69665d04791cd8986c829c4d4a247a9ff8ae28434d929f96428efa037f0027ddcd1367e716685dcf16543f883c4850c6825de355e9d404579604088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98E9.tmp.exe

Filesize
12KB

MD5
38c172779d4e1e0f068ca12d3cc6e2be

SHA1
81d61a9bf67a540b091c6f783f00864e905da0c5

SHA256
4c9476ece1e4f648cc820d1d8b66b99fc8d64d24ebb97a0db6c4845ac22bb480

SHA512
c774a1e266379f10633ddd16ad2402367b6a5372c5aaf92bea9e4b471cd3982cc0b2d6a0b1082eb210943ff8d8f15d58d28421bb484bf54f5d4c81eecfefd5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98E9.tmp.exe

Filesize
12KB

MD5
38c172779d4e1e0f068ca12d3cc6e2be

SHA1
81d61a9bf67a540b091c6f783f00864e905da0c5

SHA256
4c9476ece1e4f648cc820d1d8b66b99fc8d64d24ebb97a0db6c4845ac22bb480

SHA512
c774a1e266379f10633ddd16ad2402367b6a5372c5aaf92bea9e4b471cd3982cc0b2d6a0b1082eb210943ff8d8f15d58d28421bb484bf54f5d4c81eecfefd5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe

Filesize
919KB

MD5
534c91207fbf2d8704e59f89635f641f

SHA1
baf2394a7fb795dd7f27f7c03615a03aa589a728

SHA256
7180f4b208166abe96390387eb8172426f6087329955a32f84f4d62c7f2ffd27

SHA512
9f16e2b43455da00a9028d8485c66b67ef9395a2ee43d20706736699984af2f380375fa5ccd35b99c789ead48df79ca2ed93b10724d21333e40ec97a2c520518

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEC3.tmp.exe

Filesize
919KB

MD5
534c91207fbf2d8704e59f89635f641f

SHA1
baf2394a7fb795dd7f27f7c03615a03aa589a728

SHA256
7180f4b208166abe96390387eb8172426f6087329955a32f84f4d62c7f2ffd27

SHA512
9f16e2b43455da00a9028d8485c66b67ef9395a2ee43d20706736699984af2f380375fa5ccd35b99c789ead48df79ca2ed93b10724d21333e40ec97a2c520518

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp.exe

Filesize
12KB

MD5
38c172779d4e1e0f068ca12d3cc6e2be

SHA1
81d61a9bf67a540b091c6f783f00864e905da0c5

SHA256
4c9476ece1e4f648cc820d1d8b66b99fc8d64d24ebb97a0db6c4845ac22bb480

SHA512
c774a1e266379f10633ddd16ad2402367b6a5372c5aaf92bea9e4b471cd3982cc0b2d6a0b1082eb210943ff8d8f15d58d28421bb484bf54f5d4c81eecfefd5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp.exe

Filesize
12KB

MD5
38c172779d4e1e0f068ca12d3cc6e2be

SHA1
81d61a9bf67a540b091c6f783f00864e905da0c5

SHA256
4c9476ece1e4f648cc820d1d8b66b99fc8d64d24ebb97a0db6c4845ac22bb480

SHA512
c774a1e266379f10633ddd16ad2402367b6a5372c5aaf92bea9e4b471cd3982cc0b2d6a0b1082eb210943ff8d8f15d58d28421bb484bf54f5d4c81eecfefd5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA9A.tmp.exe

Filesize
207KB

MD5
c5796a194b83d7d9be78ebae3c932adb

SHA1
907fc6a848be5eecc3c358808872f72af824b532

SHA256
ea2a2ba9b9c28b9accc11c1621a69c4b741ea3a9e2d468db6a67ebc54fec4952

SHA512
3c9ed9099ad33985f44e6c841b6102b9b1a584ccd3d6f91312ef24b578e501df3066b5251aa01ac6ed0460b4bf07a7c36ad6cc3d50c0bc4018041563b15949d6

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe

Filesize
3.9MB

MD5
7185dd04ba69eac4b0c2b269843cfae3

SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519

SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Update\New.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe

Filesize
919KB

MD5
534c91207fbf2d8704e59f89635f641f

SHA1
baf2394a7fb795dd7f27f7c03615a03aa589a728

SHA256
7180f4b208166abe96390387eb8172426f6087329955a32f84f4d62c7f2ffd27

SHA512
9f16e2b43455da00a9028d8485c66b67ef9395a2ee43d20706736699984af2f380375fa5ccd35b99c789ead48df79ca2ed93b10724d21333e40ec97a2c520518

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe

Filesize
919KB

MD5
534c91207fbf2d8704e59f89635f641f

SHA1
baf2394a7fb795dd7f27f7c03615a03aa589a728

SHA256
7180f4b208166abe96390387eb8172426f6087329955a32f84f4d62c7f2ffd27

SHA512
9f16e2b43455da00a9028d8485c66b67ef9395a2ee43d20706736699984af2f380375fa5ccd35b99c789ead48df79ca2ed93b10724d21333e40ec97a2c520518

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe

Filesize
919KB

MD5
534c91207fbf2d8704e59f89635f641f

SHA1
baf2394a7fb795dd7f27f7c03615a03aa589a728

SHA256
7180f4b208166abe96390387eb8172426f6087329955a32f84f4d62c7f2ffd27

SHA512
9f16e2b43455da00a9028d8485c66b67ef9395a2ee43d20706736699984af2f380375fa5ccd35b99c789ead48df79ca2ed93b10724d21333e40ec97a2c520518

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Updater\Dupper.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\SysWOW64\WinInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WinInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WinInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\HTMLayout.dll

Filesize
3.8MB

MD5
8efe673846243ee42afdce930640f8b6

SHA1
6f1203f5e7479acf9006aa392a352e94900f33ff

SHA256
969b429edbdcaa1792f82119855ad7395b789d6622bda450579897677233a821

SHA512
9c2627326263eb1c53fe98467391705afb805160950d0455df157fdb2ac471094c07b2cca7b884069254680cc3dcd1314623084de9bdfdcb9c1dac35d792ec29

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\HTMLayout.dll

Filesize
3.8MB

MD5
8efe673846243ee42afdce930640f8b6

SHA1
6f1203f5e7479acf9006aa392a352e94900f33ff

SHA256
969b429edbdcaa1792f82119855ad7395b789d6622bda450579897677233a821

SHA512
9c2627326263eb1c53fe98467391705afb805160950d0455df157fdb2ac471094c07b2cca7b884069254680cc3dcd1314623084de9bdfdcb9c1dac35d792ec29

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\HTMLayout.dll

Filesize
3.8MB

MD5
8efe673846243ee42afdce930640f8b6

SHA1
6f1203f5e7479acf9006aa392a352e94900f33ff

SHA256
969b429edbdcaa1792f82119855ad7395b789d6622bda450579897677233a821

SHA512
9c2627326263eb1c53fe98467391705afb805160950d0455df157fdb2ac471094c07b2cca7b884069254680cc3dcd1314623084de9bdfdcb9c1dac35d792ec29

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\HTMLayout.dll

Filesize
3.8MB

MD5
8efe673846243ee42afdce930640f8b6

SHA1
6f1203f5e7479acf9006aa392a352e94900f33ff

SHA256
969b429edbdcaa1792f82119855ad7395b789d6622bda450579897677233a821

SHA512
9c2627326263eb1c53fe98467391705afb805160950d0455df157fdb2ac471094c07b2cca7b884069254680cc3dcd1314623084de9bdfdcb9c1dac35d792ec29

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\Instup.dll

Filesize
19.9MB

MD5
85823a773312168e62398e735709b1ad

SHA1
b876b8a4f3350b410260b3515df6cc1eddeb0190

SHA256
5ee331e28b60b136b510a9dcd378d5d61333fb316798a56c34b1848f1364daa6

SHA512
8f4d733f631ab8f4953e2d6b1a94d772f3e1951bcfedc03ea3eab1e15f89ae15eb1c87a6396b5a64b997597f91aa7919b1413f174a565bc42b6b84864701dcf3

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\Instup.dll

Filesize
19.9MB

MD5
85823a773312168e62398e735709b1ad

SHA1
b876b8a4f3350b410260b3515df6cc1eddeb0190

SHA256
5ee331e28b60b136b510a9dcd378d5d61333fb316798a56c34b1848f1364daa6

SHA512
8f4d733f631ab8f4953e2d6b1a94d772f3e1951bcfedc03ea3eab1e15f89ae15eb1c87a6396b5a64b997597f91aa7919b1413f174a565bc42b6b84864701dcf3

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\Instup.exe

Filesize
3.3MB

MD5
aab5a2908dec13e7fdccec04917719b7

SHA1
2a1c4364b82c8a077d7d408cd08714d6d043a247

SHA256
c4c47ad7fe4f45fb2cb5aeeaafdfbfb2ce29c2a588e7554987d4d25dff6357ba

SHA512
632411fef54f04d7eae2fe34a357993b473a75f16c137780745858c922d2fd3b3ee134ce314a4db4033a3ea1f7cc9454bd9f60bd4bbf070bc27f9ca7e795ef3f

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\config.def

Filesize
24KB

MD5
5dd2a67c4ad956a6da2a7be8cc7c2321

SHA1
c5e1ff0137f07c24fa753f8337fa3325a6a1bc36

SHA256
76d9bcc2404e78ac02fdb98ff256cddb40d19b063176cda72a9790e61c5f440e

SHA512
3c9a10faf2167bcb16be44a75c8010b4087a98a678e4ff2f6a3d0bb831ac7dad6855334ca29db9b5fb2b7911393e59f95c6b912642fda3426a3a457ddc3e3dc9

Download Submit
C:\Windows\Temp\asw.960cc651eb57f1e0\servers.def

Filesize
29KB

MD5
20714ded3b1f222571b6b01f1709b550

SHA1
34b08d08c0b778497a1c3c978e023dad1cfa32b0

SHA256
aa8cd36bedb3c390fc15c9fa938a01c4a39ee718078ca5913b708fc3959a2338

SHA512
416813f717a18a60d8842ddf2f56e3216d8b4e8bc80fd37c692c7fd41e72c1e3892aaf8c19cdbd40036bfc32c487ddd3a4e494a7bae6fb2a43a164ff67552008

Download Submit
C:\Windows\Temp\asw.d9cc28bbacda5bd8\avast_free_antivirus_setup_online_x64.exe

Filesize
9.0MB

MD5
813ce294cde985d23e702feb83583398

SHA1
12c37bd0af867cc782a755a0978a782c411ab470

SHA256
ea9f4109c72336ed73dd4e7ad7dd788a9c639bda5bd462b3fc85a09c0caa3fc9

SHA512
8a8352919c19c3549b1e86fabb6644d1cb27c66f5bab95f9a379e6883802c28b526fd5d7a2f9e0d35c0f5a5665aace7695f8875d99bc66c745083072beaf1e62

Download Submit
C:\Windows\Temp\asw.d9cc28bbacda5bd8\avast_free_antivirus_setup_online_x64.exe

Filesize
9.0MB

MD5
813ce294cde985d23e702feb83583398

SHA1
12c37bd0af867cc782a755a0978a782c411ab470

SHA256
ea9f4109c72336ed73dd4e7ad7dd788a9c639bda5bd462b3fc85a09c0caa3fc9

SHA512
8a8352919c19c3549b1e86fabb6644d1cb27c66f5bab95f9a379e6883802c28b526fd5d7a2f9e0d35c0f5a5665aace7695f8875d99bc66c745083072beaf1e62

Download Submit
C:\Windows\Temp\asw.d9cc28bbacda5bd8\avast_free_antivirus_setup_online_x64.exe

Filesize
9.0MB

MD5
813ce294cde985d23e702feb83583398

SHA1
12c37bd0af867cc782a755a0978a782c411ab470

SHA256
ea9f4109c72336ed73dd4e7ad7dd788a9c639bda5bd462b3fc85a09c0caa3fc9

SHA512
8a8352919c19c3549b1e86fabb6644d1cb27c66f5bab95f9a379e6883802c28b526fd5d7a2f9e0d35c0f5a5665aace7695f8875d99bc66c745083072beaf1e62

Download Submit
C:\Windows\Temp\asw.d9cc28bbacda5bd8\ecoo.edat

Filesize
21B

MD5
771e513ebce674f41884e0a15a5a1ade

SHA1
6ae2a0172b8c4de66e9835c837a749a922fa8961

SHA256
1b2eb0068936a5d999352cb6772f7372f2bdd5e0d26b8cff3fc52a2661dbd827

SHA512
f44497052d9dd55e6e4e530e79486080817dd513f3ce7f6f94a92512e220f71625da9294629110d40ce3d9397278b860f6fbbd8d470927c93cbf4abe0cebe744

Download Submit
memory/208-140-0x0000000000000000-mapping.dmp

Download
memory/208-141-0x0000000000400000-0x00000000006E4000-memory.dmp

Filesize
2.9MB

Download
memory/208-143-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/464-178-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/464-185-0x00000000016E0000-0x000000000171C000-memory.dmp

Filesize
240KB

Download
memory/464-174-0x0000000000000000-mapping.dmp

Download
memory/464-184-0x0000000001680000-0x0000000001692000-memory.dmp

Filesize
72KB

Download
memory/464-188-0x00007FFAB2740000-0x00007FFAB3201000-memory.dmp

Filesize
10.8MB

Download
memory/556-247-0x0000000000000000-mapping.dmp

Download
memory/892-189-0x0000000000000000-mapping.dmp

Download
memory/892-199-0x00007FFAB2740000-0x00007FFAB3201000-memory.dmp

Filesize
10.8MB

Download
memory/1424-205-0x0000000000000000-mapping.dmp

Download
memory/1528-173-0x00007FFAB2740000-0x00007FFAB3201000-memory.dmp

Filesize
10.8MB

Download
memory/1528-161-0x0000000000000000-mapping.dmp

Download
memory/1724-195-0x0000000000000000-mapping.dmp

Download
memory/1852-290-0x0000000000000000-mapping.dmp

Download
memory/1864-244-0x0000000000000000-mapping.dmp

Download
memory/2072-201-0x00007FFAB2740000-0x00007FFAB3201000-memory.dmp

Filesize
10.8MB

Download
memory/2072-215-0x000000001AF80000-0x000000001B08A000-memory.dmp

Filesize
1.0MB

Download
memory/2100-264-0x0000000000000000-mapping.dmp

Download
memory/2208-292-0x0000000000000000-mapping.dmp

Download
memory/2272-284-0x0000000000000000-mapping.dmp

Download
memory/2340-138-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/2340-135-0x0000000000000000-mapping.dmp

Download
memory/2340-144-0x00007FFAB2740000-0x00007FFAB3201000-memory.dmp

Filesize
10.8MB

Download
memory/2348-243-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2348-238-0x0000000000000000-mapping.dmp

Download
memory/2364-234-0x0000000006410000-0x000000000641A000-memory.dmp

Filesize
40KB

Download
memory/2364-219-0x0000000000000000-mapping.dmp

Download
memory/2396-285-0x0000000000000000-mapping.dmp

Download
memory/2404-227-0x0000000000000000-mapping.dmp

Download
memory/2480-166-0x0000000000000000-mapping.dmp

Download
memory/2540-183-0x0000000000000000-mapping.dmp

Download
memory/2904-287-0x0000000000000000-mapping.dmp

Download
memory/3076-150-0x0000000000CC0000-0x0000000000DAC000-memory.dmp

Filesize
944KB

Download
memory/3076-162-0x0000000005B90000-0x0000000005BB2000-memory.dmp

Filesize
136KB

Download
memory/3076-261-0x0000000000000000-mapping.dmp

Download
memory/3076-147-0x0000000000000000-mapping.dmp

Download
memory/3156-279-0x0000000000000000-mapping.dmp

Download
memory/3172-151-0x0000000000000000-mapping.dmp

Download
memory/3172-154-0x0000000000D30000-0x0000000000E66000-memory.dmp

Filesize
1.2MB

Download
memory/3324-167-0x0000000000000000-mapping.dmp

Download
memory/3324-168-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3364-295-0x0000000000000000-mapping.dmp

Download
memory/3376-273-0x0000000000000000-mapping.dmp

Download
memory/3508-156-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/3508-155-0x0000000000000000-mapping.dmp

Download
memory/3552-233-0x0000000000000000-mapping.dmp

Download
memory/3572-251-0x0000000000000000-mapping.dmp

Download
memory/3592-274-0x0000000000000000-mapping.dmp

Download
memory/3596-276-0x0000000000000000-mapping.dmp

Download
memory/3616-163-0x0000000000000000-mapping.dmp

Download
memory/3616-164-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3640-283-0x0000000000000000-mapping.dmp

Download
memory/3656-294-0x0000000000000000-mapping.dmp

Download
memory/3748-269-0x0000000000000000-mapping.dmp

Download
memory/3748-228-0x0000000000000000-mapping.dmp

Download
memory/3748-286-0x0000000000000000-mapping.dmp

Download
memory/3800-207-0x0000000000000000-mapping.dmp

Download
memory/3984-202-0x0000000000000000-mapping.dmp

Download
memory/4108-267-0x0000000000000000-mapping.dmp

Download
memory/4280-278-0x0000000000000000-mapping.dmp

Download
memory/4280-179-0x0000000000000000-mapping.dmp

Download
memory/4380-265-0x0000000000000000-mapping.dmp

Download
memory/4432-288-0x0000000000000000-mapping.dmp

Download
memory/4448-255-0x0000000000000000-mapping.dmp

Download
memory/4528-134-0x0000000000400000-0x00000000007D6000-memory.dmp

Filesize
3.8MB

Download
memory/4528-133-0x0000000000000000-mapping.dmp

Download
memory/4540-282-0x0000000000000000-mapping.dmp

Download
memory/4540-209-0x0000000000000000-mapping.dmp

Download
memory/4664-145-0x00007FFAB2740000-0x00007FFAB3201000-memory.dmp

Filesize
10.8MB

Download
memory/4664-139-0x0000000000000000-mapping.dmp

Download
memory/4664-146-0x0000026FC25A0000-0x0000026FC25C2000-memory.dmp

Filesize
136KB

Download
memory/4668-171-0x0000000000000000-mapping.dmp

Download
memory/4768-260-0x0000000000000000-mapping.dmp

Download
memory/4848-165-0x00007FFAB2740000-0x00007FFAB3201000-memory.dmp

Filesize
10.8MB

Download
memory/4848-157-0x0000000000000000-mapping.dmp

Download
memory/4876-132-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4876-280-0x0000000000000000-mapping.dmp

Download
memory/4876-130-0x0000000000700000-0x0000000000AE8000-memory.dmp

Filesize
3.9MB

Download
memory/4876-131-0x00000000056C0000-0x000000000575C000-memory.dmp

Filesize
624KB

Download
memory/4912-262-0x0000000000000000-mapping.dmp

Download
memory/4980-271-0x0000000000000000-mapping.dmp

Download
memory/5012-187-0x0000000000000000-mapping.dmp

Download
memory/5028-281-0x0000000000000000-mapping.dmp

Download
memory/5044-235-0x0000000000000000-mapping.dmp

Download
memory/5076-223-0x0000000000000000-mapping.dmp

Download