003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Size

8.3MB
MD5

37db21ff6e2da13ef7a7bd1432319b4a
SHA1

4dd35dce931f70b3750b58eb5de9257e8fb9c5d1
SHA256

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917
SHA512

c175783f6065ead5e79db969e4d8301d62ca78af015a68b28a2cb59c4ff0948fc0f4c21ac1aebfc24975bd64958e130d9ae6b57cda05d8b4f9d17672c5052ee5
SSDEEP

98304:htLKp6SMiKcJD3yNRo6a4Mumlf6tqFvzgjzZmcQIetDbB9LmfQQyjrYxAa5IBpVY:htLKp1kcJhlhvzWXCvXLmoQ6qATQpJ

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 9 IoCs

Processes:

pack.exemediabar.exeStarter.exeStarter.exeStarter.exeStarter.exeTorchMTBMediaBar.exeTorchMTBMediaBar.exeTorchMTBMediaBar.exe

pid	process
4700	pack.exe
1452	mediabar.exe
1264	Starter.exe
2940	Starter.exe
4996	Starter.exe
3348	Starter.exe
1744	TorchMTBMediaBar.exe
1708	TorchMTBMediaBar.exe
552	TorchMTBMediaBar.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Sets file execution options in registry 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe\debugger = "tasklist.exe"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

Loads dropped DLL 40 IoCs

Processes:

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exeStarter.exeStarter.exeStarter.exeStarter.exeTorchMTBMediaBar.exe

pid	process
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
1264	Starter.exe
2940	Starter.exe
4996	Starter.exe
3348	Starter.exe
1744	TorchMTBMediaBar.exe
1744	TorchMTBMediaBar.exe
1744	TorchMTBMediaBar.exe
1744	TorchMTBMediaBar.exe
1744	TorchMTBMediaBar.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 44 IoCs

Processes:

pack.exe003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

description	ioc	process
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\mgrldr_u.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\Internet Explorer Settings.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\apcrtldr.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\setmgrc2.cfg	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\DatamngrUI.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\Internet Explorer Settings Update.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\apcrtldr36.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\apcrtldr36.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\IEBHO.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\favicon.ico	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\setmgrc2.cfg	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\mgrldr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\mgrldr_u.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\mgrldr_u.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\SRToolBar\	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\DatamngrCoordinator.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\Internet Explorer Settings.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\apcrtldr.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\mgrldr_u.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\favicon.ico	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\Internet Explorer Settings Update.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\Internet Explorer Settings.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\apcrtldr.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\IEBHO.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\IEBHO.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\mgrldr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\mgrldr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\setmgrc2.cfg	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\setmgrc2.cfg	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\apcrtldr36.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\Datamngr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\IEBHO.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\DatamngrUI.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\Internet Explorer Settings Update.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\mgrldr.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\apcrtldr.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\apcrtldr36.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\Internet Explorer Settings.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\Datamngr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\Datamngr.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\Datamngr\x64\Datamngr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\DatamngrCoordinator.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\Datamngr\x64\Internet Explorer Settings Update.exe	pack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\ShowSearchSuggestions = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\URL = "http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=0&systemid=448&v=n13674-3462&apn_uid=1820211574824451&apn_dtid=TCH001&o=APN10648&apn_ptnrs=AGI&q={searchTerms}"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\FaviconPath = "C:\\Program Files (x86)\\Movies App\\Datamngr\\favicon.ico"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Enabled = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenInForeground = "0"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\DisplayName = "Ask.com"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\URL = "http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=0&systemid=448&v=n13674-3462&apn_uid=1820211574824451&apn_dtid=TCH001&o=APN10648&apn_ptnrs=AGI&q={searchTerms}"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\DisplayName = "Ask.com"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\ShowSearchSuggestions = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\DisplayName = "Ask.com"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\SuggestionsURL_JSON = "http://www.search.ask.com/suggest.php?src=ieb&gct=ds&appid=0&systemid=448&v=n13674-3462&apn_uid=1820211574824451&apn_dtid=TCH001&o=APN10648&apn_ptnrs=AGI&qu={searchTerms}&ft=json"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Groups = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowClosedTabs = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\ShowSearchSuggestions = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\SuggestionsURL_JSON = "http://www.search.ask.com/suggest.php?src=ieb&gct=ds&appid=0&systemid=448&v=n13674-3462&apn_uid=1820211574824451&apn_dtid=TCH001&o=APN10648&apn_ptnrs=AGI&qu={searchTerms}&ft=json"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenAllHomePages = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShortcutBehavior = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\Deleted = "0"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\Deleted = "0"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\URL = "http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=0&systemid=448&v=n13674-3462&apn_uid=1820211574824451&apn_dtid=TCH001&o=APN10648&apn_ptnrs=AGI&q={searchTerms}"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\FaviconPath = "C:\\Program Files (x86)\\Movies App\\Datamngr\\favicon.ico"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\Deleted = "0"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\SuggestionsURL_JSON = "http://www.search.ask.com/suggest.php?src=ieb&gct=ds&appid=0&systemid=448&v=n13674-3462&apn_uid=1820211574824451&apn_dtid=TCH001&o=APN10648&apn_ptnrs=AGI&qu={searchTerms}&ft=json"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2448}\FaviconPath = "C:\\Program Files (x86)\\Movies App\\Datamngr\\favicon.ico"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowActivities = "1"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.search.ask.com/?o=APN10648A&gct=hp&d=448-0&v=n13674-3462&t=4"	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

pid	process
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exeStarter.exesvchost.exeStarter.exeStarter.exeStarter.exe

description	pid	process
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
Token: SeDebugPrivilege	1264	Starter.exe
Token: SeDebugPrivilege	1264	Starter.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeDebugPrivilege	2940	Starter.exe
Token: SeDebugPrivilege	2940	Starter.exe
Token: SeDebugPrivilege	4996	Starter.exe
Token: SeDebugPrivilege	4996	Starter.exe
Token: SeDebugPrivilege	3348	Starter.exe
Token: SeDebugPrivilege	3348	Starter.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exeStarter.exeStarter.exe

description	pid	process	target process
PID 260 wrote to memory of 4700	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	pack.exe
PID 260 wrote to memory of 4700	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	pack.exe
PID 260 wrote to memory of 4700	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	pack.exe
PID 260 wrote to memory of 1452	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	mediabar.exe
PID 260 wrote to memory of 1452	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	mediabar.exe
PID 260 wrote to memory of 1452	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	mediabar.exe
PID 260 wrote to memory of 1264	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	Starter.exe
PID 260 wrote to memory of 1264	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	Starter.exe
PID 260 wrote to memory of 1264	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	Starter.exe
PID 1264 wrote to memory of 2940	1264	Starter.exe	Starter.exe
PID 1264 wrote to memory of 2940	1264	Starter.exe	Starter.exe
PID 1264 wrote to memory of 2940	1264	Starter.exe	Starter.exe
PID 260 wrote to memory of 4996	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	Starter.exe
PID 260 wrote to memory of 4996	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	Starter.exe
PID 260 wrote to memory of 4996	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	Starter.exe
PID 4996 wrote to memory of 3348	4996	Starter.exe	Starter.exe
PID 4996 wrote to memory of 3348	4996	Starter.exe	Starter.exe
PID 4996 wrote to memory of 3348	4996	Starter.exe	Starter.exe
PID 260 wrote to memory of 1744	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 1744	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 1744	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 1708	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 1708	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 1708	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 552	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 552	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe
PID 260 wrote to memory of 552	260	003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe	TorchMTBMediaBar.exe

C:\Users\Admin\AppData\Local\Temp\003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe
"C:\Users\Admin\AppData\Local\Temp\003aa80b440fe56084d15bfbb4d15b15f574b8c42d28d64030edfa83e409d917.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:260

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\pack.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\pack.exe "-oC:\Program Files (x86)\Movies App\Datamngr" -y
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4700

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\mediabar.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\mediabar.exe "-oC:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp" -y
2⤵
- Executes dropped EXE
PID:1452

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe /hpath=C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp /iesearch={0633EE93-D776-472f-A0FF-E1416B8B2E3A} /restart=yes
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe /hpath=C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp /iesearch={0633EE93-D776-472f-A0FF-E1416B8B2E3A}
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe /hpath=C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp /iesearch={0633EE93-D776-472f-A0FF-E1416B8B2E3A} /restart=yes
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe /hpath=C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp /iesearch={0633EE93-D776-472f-A0FF-E1416B8B2E3A}
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe /S /appId=0 /sysId=448 /trackId=TCH001 /userGuid=1820211574824451 /FORCELANGUAGE=1033 /d=448-0 /v=n13674-3462 /t=4 /SkipDefaultSearch /trgb=IE /D=C:\PROGRA~2\MOVIES~1\Datamngr\SRTOOL~1
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe /S /appId=0 /sysId=448 /trackId=TCH001 /userGuid=1820211574824451 /FORCELANGUAGE=1033 /d=448-0 /v=n13674-3462 /t=4 /SkipDefaultSearch /trgb=FF /D=C:\PROGRA~2\MOVIES~1\Datamngr\SRTOOL~1
2⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe /S /appId=0 /sysId=448 /trackId=TCH001 /userGuid=1820211574824451 /FORCELANGUAGE=1033 /d=448-0 /v=n13674-3462 /t=4 /SkipDefaultSearch /trgb=CR /D=C:\PROGRA~2\MOVIES~1\Datamngr\SRTOOL~1
2⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1EC4.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F52.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F72.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F93.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FB3.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FC3.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FE4.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\2071.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\2072.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\2093.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\2094.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\652A.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE2.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D79.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\703A.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\71E0.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7378.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\74D0.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\77BF.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\786C.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\78DB.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\8167.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D4D.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7E8.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\F959.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Helper.DLL
Filesize
2.0MB

MD5
70280d60011f745d6c7fadc799cb5318

SHA1
0f8e20feacc8bc287428cc5bb595a7fbd84f6f8d

SHA256
be32f2c56dad95a27184dc18ab9cae9fea767cdd0c4fbe4050657087fbb0fc8c

SHA512
3fccad904d8e64bbfb0032b5a309f281d5ede5e28f2db8577e3333a8293bc5486b1d351dd0fa2b5344d7d4f017efe9b89d112337cc30f16d2954a72d76e30f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Helper.dll
Filesize
2.0MB

MD5
70280d60011f745d6c7fadc799cb5318

SHA1
0f8e20feacc8bc287428cc5bb595a7fbd84f6f8d

SHA256
be32f2c56dad95a27184dc18ab9cae9fea767cdd0c4fbe4050657087fbb0fc8c

SHA512
3fccad904d8e64bbfb0032b5a309f281d5ede5e28f2db8577e3333a8293bc5486b1d351dd0fa2b5344d7d4f017efe9b89d112337cc30f16d2954a72d76e30f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Helper.dll
Filesize
2.0MB

MD5
70280d60011f745d6c7fadc799cb5318

SHA1
0f8e20feacc8bc287428cc5bb595a7fbd84f6f8d

SHA256
be32f2c56dad95a27184dc18ab9cae9fea767cdd0c4fbe4050657087fbb0fc8c

SHA512
3fccad904d8e64bbfb0032b5a309f281d5ede5e28f2db8577e3333a8293bc5486b1d351dd0fa2b5344d7d4f017efe9b89d112337cc30f16d2954a72d76e30f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Helper.dll
Filesize
2.0MB

MD5
70280d60011f745d6c7fadc799cb5318

SHA1
0f8e20feacc8bc287428cc5bb595a7fbd84f6f8d

SHA256
be32f2c56dad95a27184dc18ab9cae9fea767cdd0c4fbe4050657087fbb0fc8c

SHA512
3fccad904d8e64bbfb0032b5a309f281d5ede5e28f2db8577e3333a8293bc5486b1d351dd0fa2b5344d7d4f017efe9b89d112337cc30f16d2954a72d76e30f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Helper.dll
Filesize
2.0MB

MD5
70280d60011f745d6c7fadc799cb5318

SHA1
0f8e20feacc8bc287428cc5bb595a7fbd84f6f8d

SHA256
be32f2c56dad95a27184dc18ab9cae9fea767cdd0c4fbe4050657087fbb0fc8c

SHA512
3fccad904d8e64bbfb0032b5a309f281d5ede5e28f2db8577e3333a8293bc5486b1d351dd0fa2b5344d7d4f017efe9b89d112337cc30f16d2954a72d76e30f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Helper.dll
Filesize
2.0MB

MD5
70280d60011f745d6c7fadc799cb5318

SHA1
0f8e20feacc8bc287428cc5bb595a7fbd84f6f8d

SHA256
be32f2c56dad95a27184dc18ab9cae9fea767cdd0c4fbe4050657087fbb0fc8c

SHA512
3fccad904d8e64bbfb0032b5a309f281d5ede5e28f2db8577e3333a8293bc5486b1d351dd0fa2b5344d7d4f017efe9b89d112337cc30f16d2954a72d76e30f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
Filesize
125KB

MD5
2ca1628c3d7ee9c1a6e57cc4991858af

SHA1
9a6f2539ee32c96b0979c48c64185556537de642

SHA256
2817371baa97a3bb43c08775bac83f1ad00800cbfea73909f82711d3cc9f2457

SHA512
83380c99154393dc52eefaaa24a006998c6264e1e6bb1cc620da4c366e6e4c45adb3c9ab12e9960a1c04d4afbb383fdbefbde69eab418025025011fd17b42d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
Filesize
125KB

MD5
2ca1628c3d7ee9c1a6e57cc4991858af

SHA1
9a6f2539ee32c96b0979c48c64185556537de642

SHA256
2817371baa97a3bb43c08775bac83f1ad00800cbfea73909f82711d3cc9f2457

SHA512
83380c99154393dc52eefaaa24a006998c6264e1e6bb1cc620da4c366e6e4c45adb3c9ab12e9960a1c04d4afbb383fdbefbde69eab418025025011fd17b42d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
Filesize
125KB

MD5
2ca1628c3d7ee9c1a6e57cc4991858af

SHA1
9a6f2539ee32c96b0979c48c64185556537de642

SHA256
2817371baa97a3bb43c08775bac83f1ad00800cbfea73909f82711d3cc9f2457

SHA512
83380c99154393dc52eefaaa24a006998c6264e1e6bb1cc620da4c366e6e4c45adb3c9ab12e9960a1c04d4afbb383fdbefbde69eab418025025011fd17b42d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
Filesize
125KB

MD5
2ca1628c3d7ee9c1a6e57cc4991858af

SHA1
9a6f2539ee32c96b0979c48c64185556537de642

SHA256
2817371baa97a3bb43c08775bac83f1ad00800cbfea73909f82711d3cc9f2457

SHA512
83380c99154393dc52eefaaa24a006998c6264e1e6bb1cc620da4c366e6e4c45adb3c9ab12e9960a1c04d4afbb383fdbefbde69eab418025025011fd17b42d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\Starter.exe
Filesize
125KB

MD5
2ca1628c3d7ee9c1a6e57cc4991858af

SHA1
9a6f2539ee32c96b0979c48c64185556537de642

SHA256
2817371baa97a3bb43c08775bac83f1ad00800cbfea73909f82711d3cc9f2457

SHA512
83380c99154393dc52eefaaa24a006998c6264e1e6bb1cc620da4c366e6e4c45adb3c9ab12e9960a1c04d4afbb383fdbefbde69eab418025025011fd17b42d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\System.dll
Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe
Filesize
2.1MB

MD5
6bee4301541f454ca75311cca0e02983

SHA1
0179497002eaf4ba0fb96fc0ce233bb8a81c54c4

SHA256
6f44eecc256222427015ed2da1744329cc241003c37454a7b44cc867f67935e0

SHA512
216c982db798c5a1bf1de5400b74e007f5d26afb64d9cb3e474f0d82c53d70f64e3e52f2ece96fa9399046cb495c5ac1006ac53a419df2b9bdb7abee5d386ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe
Filesize
2.1MB

MD5
6bee4301541f454ca75311cca0e02983

SHA1
0179497002eaf4ba0fb96fc0ce233bb8a81c54c4

SHA256
6f44eecc256222427015ed2da1744329cc241003c37454a7b44cc867f67935e0

SHA512
216c982db798c5a1bf1de5400b74e007f5d26afb64d9cb3e474f0d82c53d70f64e3e52f2ece96fa9399046cb495c5ac1006ac53a419df2b9bdb7abee5d386ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe
Filesize
2.1MB

MD5
6bee4301541f454ca75311cca0e02983

SHA1
0179497002eaf4ba0fb96fc0ce233bb8a81c54c4

SHA256
6f44eecc256222427015ed2da1744329cc241003c37454a7b44cc867f67935e0

SHA512
216c982db798c5a1bf1de5400b74e007f5d26afb64d9cb3e474f0d82c53d70f64e3e52f2ece96fa9399046cb495c5ac1006ac53a419df2b9bdb7abee5d386ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\TorchMTBMediaBar.exe
Filesize
2.1MB

MD5
6bee4301541f454ca75311cca0e02983

SHA1
0179497002eaf4ba0fb96fc0ce233bb8a81c54c4

SHA256
6f44eecc256222427015ed2da1744329cc241003c37454a7b44cc867f67935e0

SHA512
216c982db798c5a1bf1de5400b74e007f5d26afb64d9cb3e474f0d82c53d70f64e3e52f2ece96fa9399046cb495c5ac1006ac53a419df2b9bdb7abee5d386ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\mediabar.exe
Filesize
2.2MB

MD5
2a9d68dbee187f63564c60b4fb39f6f9

SHA1
47ceeb0baf1b685712c96b81502485af1f5fe3ff

SHA256
fe28f4b52ce6cbbcd1ee11f74c3e9cc47e2c65d3f647017be3a9d3147bfdd143

SHA512
499376a9162aa16ceeed958cd8c12b0b781ffec7df2a9512e08a97d03969ad09e5ee30f5cf690af85dff6a63d5567bb79e1cb46f4864485a92878db1702b8a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\mediabar.exe
Filesize
2.2MB

MD5
2a9d68dbee187f63564c60b4fb39f6f9

SHA1
47ceeb0baf1b685712c96b81502485af1f5fe3ff

SHA256
fe28f4b52ce6cbbcd1ee11f74c3e9cc47e2c65d3f647017be3a9d3147bfdd143

SHA512
499376a9162aa16ceeed958cd8c12b0b781ffec7df2a9512e08a97d03969ad09e5ee30f5cf690af85dff6a63d5567bb79e1cb46f4864485a92878db1702b8a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\pack.exe
Filesize
3.5MB

MD5
24d00e1361b0813cfb8cd519557be3eb

SHA1
bb027aa1846e965beff05c5ee5aa0376bf20e4a8

SHA256
72a32c1e2b4f5e34e479f8aced984df7f5fd51ecb52234fa42ca3ebd8d146f26

SHA512
ad122844e36c338e918f536cdcc38ee001dacfca7cdada2948e896a346f40876892ea77fa8829b10cff522cd32f61e2ddff273e3cd1775092c06e0c326dc9540

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\nsw6529.tmp\pack.exe
Filesize
3.5MB

MD5
24d00e1361b0813cfb8cd519557be3eb

SHA1
bb027aa1846e965beff05c5ee5aa0376bf20e4a8

SHA256
72a32c1e2b4f5e34e479f8aced984df7f5fd51ecb52234fa42ca3ebd8d146f26

SHA512
ad122844e36c338e918f536cdcc38ee001dacfca7cdada2948e896a346f40876892ea77fa8829b10cff522cd32f61e2ddff273e3cd1775092c06e0c326dc9540

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspFA46.tmp\registry.dll
Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst681D.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst681D.tmp\UAC.dll
Filesize
16KB

MD5
0d422e0c03a7d9428c6c02175d7dc9f8

SHA1
5e13d49521cfbbe52cd74de8e1682789f0268969

SHA256
9f47ec720d74e538bbc8d0c1118efcbc52e52050dbe98c27029fc35329996f7c

SHA512
2edf47b24c4201e082841824d6ad9047a06e9a877d799e87befaf5d54179c924849d2e608cf9f60a1480828edcd98e19f3d139d19bdb4b96ee4939fe58bf0887

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst681D.tmp\UAC.dll
Filesize
16KB

MD5
0d422e0c03a7d9428c6c02175d7dc9f8

SHA1
5e13d49521cfbbe52cd74de8e1682789f0268969

SHA256
9f47ec720d74e538bbc8d0c1118efcbc52e52050dbe98c27029fc35329996f7c

SHA512
2edf47b24c4201e082841824d6ad9047a06e9a877d799e87befaf5d54179c924849d2e608cf9f60a1480828edcd98e19f3d139d19bdb4b96ee4939fe58bf0887

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst681D.tmp\xml.dll
Filesize
26KB

MD5
fbda05aa26e02d38effb82294e83ea69

SHA1
aa2291ace177515173315668480c74442e21549d

SHA256
565e439a6262cbe6c8164312ad330930738efa8d4defcbcdcc1eeb752fdb75b3

SHA512
3fd4dcbe059df3078f7709b2b9edbe30744ad7ff6e4cd1c494b40bb796a31838d5c9761fe9db860c38bd929c364df4767435fb85dc4e4115e361dd9d640c256f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst681D.tmp\xml.dll
Filesize
26KB

MD5
fbda05aa26e02d38effb82294e83ea69

SHA1
aa2291ace177515173315668480c74442e21549d

SHA256
565e439a6262cbe6c8164312ad330930738efa8d4defcbcdcc1eeb752fdb75b3

SHA512
3fd4dcbe059df3078f7709b2b9edbe30744ad7ff6e4cd1c494b40bb796a31838d5c9761fe9db860c38bd929c364df4767435fb85dc4e4115e361dd9d640c256f

Download Submit
memory/552-192-0x0000000000000000-mapping.dmp

Download
memory/1264-169-0x0000000000000000-mapping.dmp

Download
memory/1452-166-0x0000000000000000-mapping.dmp

Download
memory/1708-190-0x0000000000000000-mapping.dmp

Download
memory/1744-196-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/1744-189-0x0000000002121000-0x0000000002125000-memory.dmp

Filesize
16KB

Download
memory/1744-183-0x0000000000000000-mapping.dmp

Download
memory/2940-174-0x0000000000000000-mapping.dmp

Download
memory/3348-180-0x0000000000000000-mapping.dmp

Download
memory/4700-163-0x0000000000000000-mapping.dmp

Download
memory/4996-177-0x0000000000000000-mapping.dmp

Download