a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e

Analysis

max time kernel
162s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe
Size

12.5MB
MD5

01069b81c9f161318890cc6471c5f03c
SHA1

c12e56ca5669d71d470800b2cad4fe5614c3e1e2
SHA256

a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e
SHA512

0cf5283db81d69ebb4e6ac57823e04351125170deaa9be9b0c45ee5e006f4f08e9a5db75e0667a7fa879d2e2c16380689d578bfd8f22239ae98be5ebdee5cb88
SSDEEP

393216:TfFnxnP45QFNNSHhJbqL0UZgSyFsanTSde1vrDPhr8:Ttn+5QFNN0JSKSyXnGE1nG

Score

9^/10

adware discovery evasion persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	acprotect

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Executes dropped EXE 19 IoCs

Processes:

Qxzgrp.exeGoogleUpdate.exeGoogleUpdate.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exeTheTorntv V10-codedownloader.exeTheTorntv V10-codedownloader.exeTheTorntv V10-bg.exe228787e0-8f1d-40e4-ad5b-b9672d6fb859.exe

pid	process
1912	Qxzgrp.exe
4688	GoogleUpdate.exe
4192	GoogleUpdate.exe
4580	48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe
3216	3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe
3780	GoogleUpdate.exe
3800	GoogleUpdate.exe
1728	GoogleUpdate.exe
4204	GoogleUpdate.exe
1276	GoogleUpdate.exe
4788	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
4672	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
4036	48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.exe
1996	48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe
1852	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
3152	TheTorntv V10-codedownloader.exe
1436	TheTorntv V10-codedownloader.exe
4324	TheTorntv V10-bg.exe
444	228787e0-8f1d-40e4-ad5b-b9672d6fb859.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332211}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}\InprocServer32\ = "C:\\Program Files (x86)\\TheTorntv V10\\TheTorntv V10-bho64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332211}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332211}\InprocServer32\ = "C:\\Program Files (x86)\\TheTorntv V10\\TheTorntv V10-bho64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332211}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GoogleUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GoogleUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe

Loads dropped DLL 64 IoCs

Processes:

a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exeQxzgrp.exeGoogleUpdate.exeGoogleUpdate.exe

pid	process
2384	a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe
2384	a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe
2384	a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
4688	GoogleUpdate.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
4192	GoogleUpdate.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeGoogleUpdate.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	GoogleUpdate.exe
File opened (read-only)	\??\H:	GoogleUpdate.exe
File opened (read-only)	\??\J:	GoogleUpdate.exe
File opened (read-only)	\??\Z:	GoogleUpdate.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	GoogleUpdate.exe
File opened (read-only)	\??\V:	GoogleUpdate.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	GoogleUpdate.exe
File opened (read-only)	\??\O:	GoogleUpdate.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	GoogleUpdate.exe
File opened (read-only)	\??\E:	GoogleUpdate.exe
File opened (read-only)	\??\F:	GoogleUpdate.exe
File opened (read-only)	\??\S:	GoogleUpdate.exe
File opened (read-only)	\??\W:	GoogleUpdate.exe
File opened (read-only)	\??\T:	GoogleUpdate.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	GoogleUpdate.exe
File opened (read-only)	\??\K:	GoogleUpdate.exe
File opened (read-only)	\??\P:	GoogleUpdate.exe
File opened (read-only)	\??\R:	GoogleUpdate.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	GoogleUpdate.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	GoogleUpdate.exe
File opened (read-only)	\??\Y:	GoogleUpdate.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	GoogleUpdate.exe
File opened (read-only)	\??\U:	GoogleUpdate.exe
File opened (read-only)	\??\X:	GoogleUpdate.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}\ = "9ab333d0052b01323ffd0f6cdde3bdb00063311"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}\ = "9ab333d0052b01323ffd0f6cdde3bdb00063311"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331111}	regsvr32.exe

Drops file in Program Files directory 50 IoCs

Processes:

Qxzgrp.exeGoogleUpdate.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\TheTorntv V10\Uninstall.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\TheTorntv V10\bgNova.html	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bho64.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-codedownloader.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\utils.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\goopdate.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\TheTorntv V10\SuperSocket.ClientEngine.Common.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\WebSocket4Net.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-buttonutil64.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10.ico	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\SuperSocket.ClientEngine.Core.dll	Qxzgrp.exe
File opened for modification	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\psuser.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\TheTorntv V10\51f128c8-cc95-4a84-a0ba-2bee3cc91973.crx	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a.xpi	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-5.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi	GoogleUpdate.exe
File created	C:\Program Files (x86)\TheTorntv V10\Interop.IWshRuntimeLibrary.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\Newtonsoft.Json.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-buttonutil.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-3.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-64.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\76dd09cb-64d4-4030-ba45-94fcaf8da28f.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\51f128c8-cc95-4a84-a0ba-2bee3cc91973.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\background.html	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-buttonutil64.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\TheTorntv V10\1293297481.mxaddon	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bg.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-buttonutil.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\228787e0-8f1d-40e4-ad5b-b9672d6fb859.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\Uninstall.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\87bfd6ab-6ebb-480d-8063-09f2b94829fa.crx	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a.crx	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bho.dll	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\bgNova.html	Qxzgrp.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\goopdateres_en.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\psmachine.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\TheTorntv V10\3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe	Qxzgrp.exe
File created	C:\Program Files (x86)\TheTorntv V10\SuperSocket.ClientEngine.Protocol.dll	Qxzgrp.exe

Drops file in Windows directory 43 IoCs

Processes:

Qxzgrp.exemsiexec.exeGoogleUpdate.exe

description	ioc	process
File created	C:\Windows\Tasks\3a4b289e-3066-4d34-9458-8d0c29e1a7d7.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.job	Qxzgrp.exe
File created	C:\Windows\Tasks\temp_48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-5.job	Qxzgrp.exe
File created	C:\Windows\Tasks\LRMR.job	Qxzgrp.exe
File opened for modification	C:\Windows\Installer\e57e2bf.msi	msiexec.exe
File created	C:\Windows\Tasks\228787e0-8f1d-40e4-ad5b-b9672d6fb859.job	Qxzgrp.exe
File created	C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job	GoogleUpdate.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.job	Qxzgrp.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Tasks\3a4b289e-3066-4d34-9458-8d0c29e1a7d7.job	Qxzgrp.exe
File created	C:\Windows\Tasks\temp_3a4b289e-3066-4d34-9458-8d0c29e1a7d7.job	Qxzgrp.exe
File created	C:\Windows\Installer\SourceHash{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD9A.tmp	msiexec.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\temp_48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.job	Qxzgrp.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-1.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\temp_228787e0-8f1d-40e4-ad5b-b9672d6fb859.job	Qxzgrp.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-5.job	Qxzgrp.exe
File created	C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job	GoogleUpdate.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.job	Qxzgrp.exe
File created	C:\Windows\Tasks\temp_48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\VTOE.job	Qxzgrp.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.job	Qxzgrp.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-5_user.job	Qxzgrp.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-3.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\temp_3a4b289e-3066-4d34-9458-8d0c29e1a7d7.job	Qxzgrp.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Tasks\temp_228787e0-8f1d-40e4-ad5b-b9672d6fb859.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-5_user.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-3.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\LRMR.job	Qxzgrp.exe
File created	C:\Windows\Installer\e57e2bf.msi	msiexec.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-1.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\temp_48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.job	Qxzgrp.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.job	Qxzgrp.exe
File created	C:\Windows\Tasks\VTOE.job	Qxzgrp.exe
File opened for modification	C:\Windows\Tasks\228787e0-8f1d-40e4-ad5b-b9672d6fb859.job	Qxzgrp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\Qxzgrp.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\Qxzgrp.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

GoogleUpdate.exeGoogleUpdate.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exeQxzgrp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\Policy = "3"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\AppPath = "C:\\Program Files (x86)\\globalUpdate\\Update\\1.3.25.0"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26FE2C1C-8DF3-47D9-A725-C2CDA3F0E217}	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}\AppName = "TheTorntv V10-bg.exe"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95eba557-8039-4f64-b130-100c708aef2a}	Qxzgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95eba557-8039-4f64-b130-100c708aef2a}	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}\AppName = "TheTorntv V10-bg.exe"	Qxzgrp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}\Policy = "3"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95eba557-8039-4f64-b130-100c708aef2a}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26FE2C1C-8DF3-47D9-A725-C2CDA3F0E217}\AppName = "48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe-codedownloader.exe"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8B12DF80-EA9E-44A2-86C8-16FBA2C3553}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1500F935-71A2-49F4-9D4C-C3D350186DF4}\AppName = "48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe-buttonutil.exe"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}\AppName = "TheTorntv V10-bg.exe"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{547293c5-6f11-4d63-a070-642a6ccc05af}	Qxzgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{547293c5-6f11-4d63-a070-642a6ccc05af}\Policy = "3"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95eba557-8039-4f64-b130-100c708aef2a}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8B12DF80-EA9E-44A2-86C8-16FBA2C3553}\AppName = "48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe-helper.exe"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8B12DF80-EA9E-44A2-86C8-16FBA2C3553}\Policy = "3"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26FE2C1C-8DF3-47D9-A725-C2CDA3F0E217}\Policy = "3"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}\Policy = "3"	Qxzgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{547293c5-6f11-4d63-a070-642a6ccc05af}\Policy = "3"	Qxzgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{547293c5-6f11-4d63-a070-642a6ccc05af}	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95eba557-8039-4f64-b130-100c708aef2a}\AppName = "TheTorntv V10-buttonutil64.exe"	Qxzgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1500F935-71A2-49F4-9D4C-C3D350186DF4}	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1500F935-71A2-49F4-9D4C-C3D350186DF4}\Policy = "3"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA669B4B-4E63-4BDD-9CF9-7FDA53EE4FE}\AppName = "48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe-buttonutil64.exe"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA669B4B-4E63-4BDD-9CF9-7FDA53EE4FE}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\Policy = "3"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}	Qxzgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{547293c5-6f11-4d63-a070-642a6ccc05af}	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{547293c5-6f11-4d63-a070-642a6ccc05af}\AppName = "TheTorntv V10-buttonutil.exe"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26FE2C1C-8DF3-47D9-A725-C2CDA3F0E217}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Approved Extensions	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}	Qxzgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\Policy = "3"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cd2ac523-d0e3-49e5-b8f8-b4183740055f}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}\AppName = "TheTorntv V10-codedownloader.exe"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1500F935-71A2-49F4-9D4C-C3D350186DF4}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a6cfecea-a1b4-437c-9aa5-68e0fbc5ea79}\AppName = "TheTorntv V10-codedownloader.exe"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95eba557-8039-4f64-b130-100c708aef2a}	Qxzgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95eba557-8039-4f64-b130-100c708aef2a}\Policy = "3"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\AppName = "GoogleUpdate.exe"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA669B4B-4E63-4BDD-9CF9-7FDA53EE4FE}	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{547293c5-6f11-4d63-a070-642a6ccc05af}\AppPath = "C:\\Program Files (x86)\\TheTorntv V10"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\AppPath = "C:\\Program Files (x86)\\globalUpdate\\Update"	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ = "8000"	Qxzgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdate.exeQxzgrp.exeGoogleUpdate.exeregsvr32.exeGoogleUpdate.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\ProgID\ = "globalUpdateUpdate.CredentialDialogMachine.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\263\Url = "http://js.newgenonlinesrv.com/plugins/mins/263.js"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\ = "IGoogleUpdateCore"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\44\JavaScript = "\nif(typeof appAPI===\"undefined\"){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===\"object\"){c=e;if(typeof a.openUrlEx!==\"undefined\"){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==\"string\"){console.error(\"appAPI.openURL - Invalid parameter. Expected string (1st param) but got: \"+(typeof e));return;}if(d!==\"current\"&&d!==\"tab\"&&d!==\"window\"&&d!==\"popup\"){console.error(\"appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: \"+d);return;}if(typeof a.openUrlEx!==\"undefined\"){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight+100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth+80:100;var g=(window&&window.screenTop)?((window.screenTop-20)<0?0:(window.screenTop-20)):0;var b=(window&&window.screenLeft)?window.screenLeft+20:0;c={url:e,where:d,focus:true,height:f,width:h,top:g,left:b};a.openUrlEx(appAPI.JSON.stringify(c));}else{a.openUrl(e,d);}};appAPI.isDebugMode=function(){return a.isDebugMode();};appAPI.getStringFromBase64=function(b){if(typeof a.getStringFromBase64!==\"undefined\"){return a.getStringFromBase64(b);}return null;};})(appAPIinternal);\n"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\226\JavaScript = "\nappAPI.internal.monetization = appAPI.internal.monetization \|\| {};\nif (typeof appAPI.internal.monetization.plugins === \"undefined\") { appAPI.internal.monetization.plugins = {}; }\n\nappAPI.internal.monetization.plugins[226] = function() {\n\tif (appAPI.internal.monetization.loader && appAPI.internal.monetization.loader.setCampaignId && appAPI.internal.monetization.getCampaignId) {\n\t\tif (appAPI.internal.monetization.getCampaignId() == 0) {\n\t\t\tappAPI.internal.monetization.loader.setCampaignId(1026);\n\t\t}\n\t}\n};\n"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc\CurVer	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\7	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\9ab333d0052b01323ffd0f6cdde3bdb00063311.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220622332211}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\43\JavaScript = "\nif(typeof appAPI===\"undefined\"){appAPI={};}if(typeof appAPI.internal===\"undefined\"){appAPI.internal={};}if(typeof appAPI.internal.callbacks===\"undefined\"){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===\"undefined\"){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==\"object\"){return false;}if(typeof b.eventName!==\"string\"){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(\"appAPI.message error - Caught a JSON exception when trying to stringify the message\");return false;}if(typeof c!==\"string\"){console.error(\"appAPI.message error - Failed to stringify message\");return false;}if(c.length>8192){console.error(\"appAPI.message error - can't send message because content is too long: \"+c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==\"string\"){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(\"Failed to parse JSON for incoming message\");return;}var a=b.eventName;if(a!==appAPI.internal.message.EVENT_NAME_USER_MESSAGE){return appAPI.internal.callbacks.genericEvent(b);}if(appAPI.internal.browserEventCode){return;}if(typeof b.iframes!==\"boolean\"){return;}if(typeof b.tabs!==\"string\"){return;}if(typeof b.senderTabId!==\"string\"){return;}if(b.tabs===\"active\"){if(appAPI.isBackground){return;}if(typeof appAPI.isActiveTab===\"undefined\"\|\|!appAPI.isActiveTab()){return;}}else{if(b.tabs===\"background\"){if(typeof appAPI.isBackground===\"undefined\"\|\|!appAPI.isBackground){return;}}else{if(typeof appAPI.isBackground!==\"undefined\"&&appAPI.isBackground){if(b.tabs!==\"background\"){return;}}else{if(b.tabs===\"popup\"){if(appAPI.tabId!==\"POPUP\"){return;}}else{if(appAPI.tabId===\"POPUP\"){if(b.tabs!==\"popup\"){return;}}else{if(b.tabs===\"other\"){if(b.senderTabId===appAPI.tabId){return;}}else{if(b.tabs===\"all\"){}else{if(b.tabs!==appAPI.tabId){return;}if(b.iframes){if(typeof appAPI.dom===\"undefined\"\|\|typeof appAPI.dom.isIframe===\"undefined\"\|\|!appAPI.dom.isIframe()){return;}}}}}}}}}if((typeof appAPI.isBackground===\"undefined\"\|\|!appAPI.isBackground)&&(appAPI.tabId!==\"POPUP\")){if(!b.iframes){if(typeof appAPI.dom===\"undefined\"\|\|typeof appAPI.dom.isIframe===\"undefined\"\|\|appAPI.dom.isIframe()){return;}}}appAPI.internal.callbacks.genericEvent(b);};appAPI.internal.message.EVENT_NAME_USER_MESSAGE=\"userMessage\";appAPI.message={};appAPI.message.addListener=function(a){return appAPI.internal.callbacks.addListener(appAPI.internal.message.EVENT_NAME_USER_MESSAGE,a);};appAPI.message.removeListener=function(a){return appAPI.internal.callbacks.removeListener(appAPI.internal.message.EVENT_NAME_USER_MESSAGE,a);};appAPI.message.toActiveTab=function(b,a){return appAPI.internal.message.send({eventName:appAPI.internal.message.EVENT_NAME_USER_MESSAGE,eventContent:b,iframes:((typeof a===\"boolean\")?a:false),tabs:\"active\"});};appAPI.message.toAllTabs=function(b,a){return appAPI.internal.message.send({eventName:appAPI.internal.message.EVENT_NAME_USER_MESSAGE,eventContent:b,iframes:((typeof a===\"boolean\")?a:false),tabs:\"all\"});};appAPI.message.toAllOtherTabs=function(b,a){return appAPI.internal.message.send({eventName:appAPI.internal.message.EVENT_NAME_USER_MESSAGE,eventContent:b,iframes:((typeof a===\"boolean\")?a:false),tabs:\"other\"});};appAPI.message.toBackground=function(a){return appAPI.internal.message.send({eventName:appAPI.internal.message.EVENT_NAME_USER_MESSAGE,eventContent:a,iframes:false,tabs:\"background\"});};appAPI.message.toCurrentTabIframes=function(a){return appAPI.internal.message.send({eventName:appAPI.internal.message.EVENT_NAME_USER_MESSAGE,eventContent:a,iframes:true,tabs:appAPI.tabId});};appAPI.message.toCurrentTabWindow=function(a){return appAPI.internal.message.send({eventName:appAPI.internal.message.EVENT_NAME_USER_MESSAGE,eventContent:a,iframes:false,tabs:appAPI.tabId});};appAPI.message.toPopup=function(a){return appAPI.internal.message.send({eventName:appAPI.internal.message.EVENT_NAME_USER_MESSAGE,eventContent:a,iframes:false,tabs:\"popup\"});};\n"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\NumMethods\ = "10"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdate.OneClickCtrl.10\CLSID\ = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"	GoogleUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\177\Version = "2"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110611331111}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110611331111}\VersionIndependentProgID\ = "9ab333d0052b01323ffd0f6cdde3bdb00063311"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660666336611}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\AppID = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine\ = "globalUpdate.OneClickProcessLauncher"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\36\JavaScript = "\nif(typeof appAPI===\"undefined\"){appAPI={};}if(typeof appAPI.internal===\"undefined\"){appAPI.internal={};}if(typeof appAPI.internal.callbacks===\"undefined\"){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=\"BG\";appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===\"undefined\"){return;}var a;if(typeof c===\"object\"){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:\"openURL\",eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==\"string\"){console.error(\"appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: \"+(typeof a));return;}appAPI.internal.message.send({eventName:\"runHelper\",eventContent:a});};window.alert=function(a){a=(a===null?\"null\":a);a=(typeof a===\"undefined\"?\"undefined\":a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==\"undefined\");};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:\"windowOpen\",eventContent:{url:b,name:a,specs:d,replace:c}});};window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){appAPI.internal.callbackCounter=0;function b(f,h,g){var d=appAPI.internal.prefs.getChar(appAPI.appInfo.id,\"Crossrider\\\\\"+f);if(d){d=appAPI.JSON.parse(d);}else{d={};}appAPI.internal.callbackCounter++;d[appAPI.internal.callbackCounter]={code:h.toString(),value:appAPI.JSON.stringify(g)};appAPI.internal.prefs.setChar(appAPI.appInfo.id,appAPI.JSON.stringify(d),\"Crossrider\\\\\"+f);return appAPI.internal.callbackCounter;}function c(f,g){var d=appAPI.internal.prefs.getChar(appAPI.appInfo.id,\"Crossrider\\\\\"+f);if(d===null){return false;}if(typeof g===\"undefined\"){return false;}d=appAPI.JSON.parse(d);if(typeof d[g]===\"object\"){delete d[g];}else{return false;}appAPI.internal.prefs.setChar(appAPI.appInfo.id,appAPI.JSON.stringify(d),\"Crossrider\\\\\"+f);return true;}function a(f,h,g){if(typeof h===\"undefined\"){return false;}var d=appAPI.internal.prefs.getChar(appAPI.appInfo.id,\"Crossrider\\\\\"+f);if(d===null){return false;}d=appAPI.JSON.parse(d);if(typeof d[h]!==\"object\"){return false;}d[h].value=appAPI.JSON.stringify(g);appAPI.internal.prefs.setChar(appAPI.appInfo.id,appAPI.JSON.stringify(d),\"Crossrider\\\\\"+f);return true;}appAPI.webRequest={};appAPI.webRequest.onRequest={};appAPI.internal.prefs.setChar(appAPI.appInfo.id,\"\",\"Crossrider\\\\onRequest\");appAPI.webRequest.onRequest.addListener=function(f,d){if(typeof f!==\"function\"){console.error(\"appAPI.webRequest.onRequest - Invalid parameter. Expected a function but got: \"+(typeof f));return false;}return b(\"onRequest\",f,d);};appAPI.webRequest.onRequest.removeListener=function(d){if(typeof d===\"undefined\"){appAPI.internal.prefs.setChar(appAPI.appInfo.id,\"\",\"Crossrider\\\\onRequest\");return true;}return c(\"onRequest\",d);};appAPI.webRequest.onRequest.updateOpaque=function(f,d){return a(\"onRequest\",f,d);};appAPI.webRequest.onBeforeNavigate={};appAPI.internal.prefs.setChar(appAPI.appInfo.id,\"\",\"Crossrider\\\\onBeforeNavigate\");appAPI.webRequest.onBeforeNavigate.addListener=function(f,d){if(typeof f!==\"function\"){console.error(\"appAPI.onBeforeNavigate - Invalid parameter. Expected a function but got: \"+(typeof f));return false;}return b(\"OnBeforeNavigate\",f,d);};appAPI.webRequest.onBeforeNavigate.removeListener=function(d){if(typeof d===\"undefined\"){appAPI.internal.prefs.setChar(appAPI.appInfo.id,\"\",\"Crossrider\\\\onBeforeNavigate\");return true;}return c(\"OnBeforeNavigate\",d);};appAPI.webRequest.onBeforeNavigate.updateOpaque=function(f,d){return a(\"OnBeforeNavigate\",f,d);};})();appAPI.internal.callbacks.setEventHandler(\"onBgStarting\",function(a){});appAPI.internal.callbacks.setEventHandler(\"onBgClosing\",function(a){});(function(b){if(typeof appAPI.browserAction===\"undefined\"){appAPI.browserAction={};}if(typeof appAPI.internal.browserAction===\"undefined\"){appAPI.internal.browserAction={};}appAPI.browserAction.setIcon=function(f,c,g){if(typeof f!==\"string\"){console.error(\"appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: \"+(typeof f));return;}if(typeof c!==\"number\"){c=0;}if(typeof g!==\"number\"){g=0;}if(f.indexOf(\"http\")===0){if(typeof b.setButtonIconByUrl!==\"undefined\"){b.setButtonIconByUrl(f,c,g);}}else{var d=f.indexOf(\",\");if(d!==-1){f=f.substr(d+1);}if(typeof b.setButtonIconByBase64!==\"undefined\"){b.setButtonIconByBase64(f,c,g);}}};appAPI.browserAction.setTitle=function(c){if(typeof c!==\"string\"){console.error(\"appAPI.browserAction.setTitle - Invalid parameter. Expected string but got: \"+(typeof c));return;}if(typeof b.setButtonTooltip!==\"undefined\"){b.setButtonTooltip(c);}};appAPI.internal.callbacks.setEventHandler(\"onButtonClick\",function(h){if(!appAPI.internal.db.get(appAPI.internal.browserAction.POPUP_IS_SET_DB_KEY)){return false;}var j=appAPI.internal.db.set(appAPI.internal.browserAction.POPUP_SIZE_DB_KEY);var g=j.width;var c=j.height;var i=h.left;var f=h.right;if(typeof g!==\"number\"\|\|typeof c!==\"number\"\|\|typeof i!==\"number\"\|\|typeof f!==\"number\"){console.error(\"Invalid size for popup\");return false;}var d=appAPI.internal.db.get(appAPI.internal.browserAction.POPUP_HTML_DB_KEY);if(typeof d!==\"string\"){console.error(\"Invalid popup html, got type: \"+typeof d);return;}if(typeof appAPIinternal.createPopup!==\"undefined\"){appAPIinternal.createPopup(appAPI.JSON.stringify({width:g,height:c,left:i,right:f,html:d}));}return true;});appAPI.browserAction.onClick=function(c){return appAPI.internal.callbacks.addListener(\"onButtonClick\",c);};appAPI.internal.browserAction.currentBadge={};appAPI.internal.browserAction.currentBadge.text=\"\";appAPI.internal.browserAction.currentBadge.fillColor=16711680;function a(d){var h=d[0]&255;var f=d[1]&255;var c=d[2]&255;var g=(h<<16)+(f<<8)+(c);return g;}appAPI.browserAction.setBadgeText=function(d,c){if(typeof d!==\"string\"){console.error(\"appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: \"+(typeof d));return;}if(typeof c===\"undefined\"\|\|c===null){c=appAPI.internal.browserAction.currentBadge.fillColor;}else{if(!(c instanceof Array)){console.error(\"appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: \"+(typeof c));return;}else{if(c.length!==4){console.error(\"appAPI.browserAction.setBadgeText - Invalid parameter. Color array (2nd param) should have 4 members (RGBA)\");return;}else{c=a(c);appAPI.internal.browserAction.currentBadge.fillColor=c;}}}if(typeof b.setButtonBadge!==\"undefined\"){b.setButtonBadge(d,c,16777215,0);}appAPI.internal.browserAction.currentBadge.text=d;};appAPI.internal.callbacks.setEventHandler(\"onSetBadgeTextFromPopup\",function(c){if(appAPI.tabId!==\"POPUP\"){appAPI.browserAction.setBadgeText(c.text,c.color);}});appAPI.browserAction.setBadgeBackgroundColor=function(c){if(!(c instanceof Array)){console.error(\"appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: \"+(typeof c));return;}if(c.length!==4){console.error(\"appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA)\");return;}var d=a(c);if(typeof b.setButtonBadge!==\"undefined\"){b.setButtonBadge(appAPI.internal.browserAction.currentBadge.text,d,16777215,0);}appAPI.internal.browserAction.currentBadge.fillColor=d;};appAPI.internal.callbacks.setEventHandler(\"onSetBadgeColorFromPopup\",function(c){if(appAPI.tabId!==\"POPUP\"){appAPI.browserAction.setBadgeBackgroundColor(c);}});appAPI.browserAction.removeBadge=function(){appAPI.browserAction.setBadgeText(\"\");};appAPI.internal.browserAction.POPUP_IS_SET_DB_KEY=\"_popup_set_\";appAPI.internal.browserAction.POPUP_HTML_DB_KEY=\"_popup_html_\";appAPI.internal.browserAction.POPUP_SIZE_DB_KEY=\"_popup_size_\";appAPI.browserAction.setPopupHTML=function(d,f,c){appAPI.internal.db.set(appAPI.internal.browserAction.POPUP_IS_SET_DB_KEY,true);appAPI.internal.db.set(appAPI.internal.browserAction.POPUP_HTML_DB_KEY,d);appAPI.internal.db.set(appAPI.internal.browserAction.POPUP_SIZE_DB_KEY,{width:f,height:c});};appAPI.browserAction.clearPopup=function(){appAPI.internal.db.remove(appAPI.internal.browserAction.POPUP_IS_SET_DB_KEY);appAPI.internal.db.remove(appAPI.internal.browserAction.POPUP_HTML_DB_KEY);appAPI.internal.db.remove(appAPI.internal.browserAction.POPUP_SIZE_DB_KEY);};appAPI.browserAction.closePopup=function(){if(typeof appAPIinternal.closePopup!==\"undefined\"){appAPIinternal.closePopup();}};appAPI.webRequest.monitor={};appAPI.webRequest.monitor.onBeforeNavigate={};appAPI.webRequest.monitor.onBeforeNavigate.addListener=function(d){if(typeof appAPI.internal.callbacks.__MONITOR_ON_BEFORE_NAVIGATE__===\"undefined\"\|\|appAPI.internal.callbacks.__MONITOR_ON_BEFORE_NAVIGATE__.numberOflisteners===0){appAPI.internal.db.set(\"monitor.onBeforeNavigate\",true);}var c=appAPI.internal.callbacks.addListener(\"__MONITOR_ON_BEFORE_NAVIGATE__\",d.callback);return c;};appAPI.webRequest.monitor.onBeforeNavigate.removeListener=function(d){var c=appAPI.internal.callbacks.removeListener(\"__MONITOR_ON_BEFORE_NAVIGATE__\",d);if(c){if(typeof appAPI.internal.callbacks.__MONITOR_ON_BEFORE_NAVIGATE__===\"undefined\"\|\|appAPI.internal.callbacks.__MONITOR_ON_BEFORE_NAVIGATE__.numberOflisteners===0){appAPI.internal.db.set(\"monitor.onBeforeNavigate\",false);}}return c;};appAPI.webRequest.monitor.onRedirect={};appAPI.webRequest.monitor.onRedirect.addListener=function(d){if(typeof appAPI.internal.callbacks.__MONITOR_ON_REDIRECT__===\"undefined\"\|\|appAPI.internal.callbacks.__MONITOR_ON_REDIRECT__.numberOflisteners===0){appAPI.internal.db.set(\"monitor.onRedirect\",true);}var c=appAPI.internal.callbacks.addListener(\"__MONITOR_ON_REDIRECT__\",d.callback);return c;};appAPI.webRequest.monitor.onRedirect.removeListener=function(d){var c=appAPI.internal.callbacks.removeListener(\"__MONITOR_ON_REDIRECT__\",d);if(c){if(typeof appAPI.internal.callbacks.__MONITOR_ON_REDIRECT__===\"undefined\"\|\|appAPI.internal.callbacks.__MONITOR_ON_REDIRECT__.numberOflisteners===0){appAPI.internal.db.set(\"monitor.onRedirect\",false);}}return c;};appAPI.webRequest.monitor.onRequest={};appAPI.webRequest.monitor.onRequest.addListener=function(d){if(appAPI.internal._isMonitorAPISupported_()){if(typeof appAPI.internal.callbacks.__MONITOR_ON_REQUEST__===\"undefined\"\|\|appAPI.internal.callbacks.__MONITOR_ON_REQUEST__.numberOflisteners===0){appAPI.internal.db.set(\"monitor.onRequest\",true);}var c=appAPI.internal.callbacks.addListener(\"__MONITOR_ON_REQUEST__\",d.callback);return c;}return appAPI.webRequest.onRequest.addListener(d.callback);};appAPI.webRequest.monitor.onRequest.removeListener=function(d){if(appAPI.internal._isMonitorAPISupported_()){var c=appAPI.internal.callbacks.removeListener(\"__MONITOR_ON_REQUEST__\",d);if(c){if(typeof appAPI.internal.callbacks.__MONITOR_ON_REQUEST__===\"undefined\"\|\|appAPI.internal.callbacks.__MONITOR_ON_REQUEST__.numberOflisteners===0){appAPI.internal.db.set(\"monitor.onRequest\",false);}}return c;}return appAPI.webRequest.onRequest.removeListener(d);};})(appAPIinternal);appAPI.contextMenu={};appAPI.internal.contextMenu={};appAPI.internal.contextMenu.DB_NAME=\"__contextmenu_data__\";appAPI.internal.contextMenu.clearOld=true;appAPI.internal.contextMenu.callbacks={};appAPI.contextMenu.add=function(b,d,f,a){var c=appAPI.internal.db.get(appAPI.internal.contextMenu.DB_NAME);if(!appAPI.utils.isObject(c)\|\|appAPI.internal.contextMenu.clearOld){c={};appAPI.internal.contextMenu.clearOld=false;}if(!appAPI.utils.isArray(c.items)){c.items=[];}appAPI.contextMenu.remove(b);if(typeof f===\"function\"){appAPI.internal.contextMenu.callbacks[b]=f;}if(!appAPI.utils.isArray(a)){a=[\"all\"];}c.items.push({key:b,title:d,context:a});appAPI.internal.db.set(appAPI.internal.contextMenu.DB_NAME,c);};appAPI.contextMenu.addSeparator=function(a){var b=appAPI.internal.db.get(appAPI.internal.contextMenu.DB_NAME);if(!appAPI.utils.isObject(b)\|\|appAPI.internal.contextMenu.clearOld){b={};appAPI.internal.contextMenu.clearOld=false;}if(!appAPI.utils.isArray(b.items)){b.items=[];}appAPI.contextMenu.remove(a);b.items.push({key:a,seperator:true});appAPI.internal.db.set(appAPI.internal.contextMenu.DB_NAME,b);};appAPI.contextMenu.remove=function(b){var c=appAPI.internal.db.get(appAPI.internal.contextMenu.DB_NAME);if(!appAPI.utils.isObject(c)\|\|appAPI.internal.contextMenu.clearOld){c={};appAPI.internal.contextMenu.clearOld=false;}if(!appAPI.utils.isArray(c.items)){c.items=[];}appAPI.internal.contextMenu.callbacks[b]=undefined;var a=[];for(var d=0;d<c.items.length;++d){if(c.items[d].key!==b){a.push(c.items[d]);}}c.items=a;appAPI.internal.db.set(appAPI.internal.contextMenu.DB_NAME,c);};appAPI.contextMenu.removeAll=function(){var a={};a.items=[];appAPI.internal.contextMenu.callbacks={};appAPI.internal.db.set(appAPI.internal.contextMenu.DB_NAME,a);};try{appAPI.contextMenu.removeAll();}catch(e){}appAPI.contextMenu.updateOnClick=function(a,b){appAPI.internal.contextMenu.callbacks[a]=b;};appAPI.contextMenu.updateTitle=function(a,d){var b=appAPI.internal.db.get(appAPI.internal.contextMenu.DB_NAME);if(!appAPI.utils.isObject(b)\|\|appAPI.internal.contextMenu.clearOld){b={};appAPI.internal.contextMenu.clearOld=false;}if(!appAPI.utils.isArray(b.items)){b.items=[];}for(var c=0;c<b.items.length;++c){if(b.items[c].key===a){b.items[c].title=d;}}appAPI.internal.db.set(appAPI.internal.contextMenu.DB_NAME,b);};appAPI.internal.callbacks.setEventHandler(\"onContextMenuClick\",function(a){if(typeof a.key!==\"string\"){return;}if(typeof appAPI.internal.contextMenu.callbacks[a.key]===\"function\"){appAPI.internal.contextMenu.callbacks[a.key](a.data);}});appAPI.tabs={};appAPI.internal.tabs={};appAPI.internal.tabs.activeTabId=\"\";appAPI.internal.tabs.tabsContainer={};appAPI.tabs.getAllTabs=function(c){if(typeof c!==\"function\"){return;}var a=[];for(var b in appAPI.internal.tabs.tabsContainer){if(appAPI.internal.tabs.tabsContainer.hasOwnProperty(b)){a.push({tabId:b,tabUrl:appAPI.internal.tabs.tabsContainer[b].tabUrl});}}c(a);};appAPI.tabs.getActive=function(a){if(appAPI.internal.tabs.activeTabId!==\"\"&&appAPI.internal.tabs.tabsContainer[appAPI.internal.tabs.activeTabId]!==\"undefined\"){a({tabId:appAPI.internal.tabs.activeTabId,tabUrl:appAPI.internal.tabs.tabsContainer[appAPI.internal.tabs.activeTabId].tabUrl});}};appAPI.tabs.create=function(a){appAPI.openURL(a,\"tab\");};appAPI.tabs.onTabSelectionChanged=function(a){return appAPI.internal.callbacks.addListener(\"onTabSelectionChanged\",a);};appAPI.internal.callbacks.setEventHandler(\"onTabSelectionChanged\",function(a){if(appAPI.internal.tabs.activeTabId!==a.tabId){appAPI.internal.tabs.activeTabId=a.tabId;return false;}else{return true;}});appAPI.tabs.onTabCreated=function(a){return appAPI.internal.callbacks.addListener(\"onTabCreated\",a);};appAPI.internal.callbacks.setEventHandler(\"onTabCreated\",function(a){if(typeof appAPI.internal.tabs.tabsContainer[a.tabId]===\"undefined\"){appAPI.internal.tabs.tabsContainer[a.tabId]={tabUrl:a.tabUrl};if(typeof a.tabWindow===\"number\"){appAPI.internal.tabs.tabsContainer[a.tabId].tabWindow=a.tabWindow;}}});appAPI.tabs.onTabUpdated=function(a){return appAPI.internal.callbacks.addListener(\"onTabUpdated\",a);};appAPI.internal.callbacks.setEventHandler(\"onTabUpdated\",function(a){if(typeof appAPI.internal.tabs.tabsContainer[a.tabId]!==\"undefined\"){appAPI.internal.tabs.tabsContainer[a.tabId].tabUrl=a.tabUrl;}});appAPI.tabs.onTabClosed=function(a){return appAPI.internal.callbacks.addListener(\"onTabClosed\",a);};appAPI.internal.callbacks.setEventHandler(\"onTabClosed\",function(a){if(typeof appAPI.internal.tabs.tabsContainer[a.tabId]!==\"undefined\"){delete appAPI.internal.tabs.tabsContainer[a.tabId];}});appAPI.tabs.closeTab=function(a){console.log(\"NOT IMPLEMENTED\");};(function(){function a(){var d=\"__onDocumentStart_script_store__\";var g=\"__onDocumentStart_script__\";var b=\"__USER_CODE_PLACEHOLDER__\";var f=\"__DOCUMENT_START_PLACEHOLDER__\";var l=\"(function (){try {\"+b+\"}catch(e){}}());\";var c=\"if(window && document && document.location && document.location.href && !window.__injected_\"+appAPI.appID+\"__) {window.__injected_\"+appAPI.appID+\"__= function (){};\"+f+\"}\";var p=function(q){return l.replace(b,q);};var h=function(q){return c.replace(f,q);};var j=function(q,r){appAPI.internal.prefs.setChar(q,r,\"background\");};var k=function(q){return appAPI.internal.prefs.getChar(q,\"background\");};var m=function(q){appAPI.internal.prefs.setChar(q,\"\",\"background\");};var i=function(s){if(!s){return;}if(typeof s!==\"object\"&&typeof s!==\"string\"){return;}if(typeof s===\"object\"&&typeof s.js!==\"string\"){return;}var r=typeof s===\"string\"?s:s.js;var q=k(d);q=q\|\|\"\";var t=q+\"\\n\\n\"+p(r);j(d,t);j(g,h(t));};var o=function(q,r){i(q);};(function n(){m(g);m(d);}());return{addJS:o};}appAPI=appAPI\|\|{};appAPI.dom=appAPI.dom\|\|{};appAPI.dom.onDocumentStart=a();}());window.appAPI=appAPI;function __cr__window_onerror(d,c,a){if(typeof console!==\"undefined\"&&console.error!==\"undefined\"){var b=\"???\";if(typeof appAPI!==\"undefined\"&&typeof appAPI.appInfo!==\"undefined\"&&typeof appAPI.appInfo.name!==\"undefined\"){b=appAPI.appInfo.name;}console.error(\"---- JS Exception from: \"+b+\" ----\\r\\nCaught an exception from background.html: \"+d+\"\\r\\n\");}return true;}window.onerror=__cr__window_onerror;\n"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\220\Name = "icm_base_m"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\9ab333d0052b01323ffd0f6cdde3bdb00063311.Sandbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine.1.0\ = "GoogleUpdate CredentialDialog"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Manifest\UninstallerOfferUrl = "NA"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\177\Name = "crossriderDashboard"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220622332211}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660666336611}\ = "ISandBox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\ = "IJobObserver"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine.1.0	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Code\NewTabJavaScript	Qxzgrp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220622332211}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}\ProgID\ = "9ab333d0052b01323ffd0f6cdde3bdb00063311.BHO.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\NumMethods\ = "40"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\177\Url = "http://js.newgenonlinesrv.com/plugins/mins/177.js"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\1\Url = "http://js.newgenonlinesrv.com/plugins/mins/1.js"	Qxzgrp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332211}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\221\Name = "icm_downloads_m"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\93\JavaScript = "\nif (typeof setup2 === 'function') { setup2('MTE2ZTY4NTUwYzFhMTkxYTI1MTQwNjQ2NWI1NzQ2MDYxOTFlMDA1YzQ1NGIxNjAwMTM0MDFlMWYwMDAzMTgwMjA4MDQwYzQwMGUwNTFkNDkxZDE3NGUwNDAyMzEwMDBiMTkwODQ0MGUxMjA3NWIwYTAxMTkxZjEzMTgwNzA0NGEwYzA2MWIxMDFkMGYwMTEzNDcwMjE3MGIxZjIzMTQ1YjBiMDYwMjUxMjczYTI0MmU0ZDM5MzUyNzMzMzgzNzNkM2YyMzM0MjMzODNiMjQyZjMwMmIyMzJlMzUyMjM1MzczNDM1M2IyNzI5MzUyZjQwMWEwNTEzMDMwYTBiMWYwNDExMGIwZjU5M2UyODI3M2MyMjM5MjMzNDIzMjAyNDI1M2IyZjNkM2EyZjI4MmIyOTI0MjgzYjRjNDE2MDc5NDQwMjEwMTUwNzE3M2IxZjA2NTI1YzRhNDYwOTAzMTAxZTFlNTA1ZjQ5MWQxMzE2NTkxNzFiMWQwZjAyMDAwMzE3MDk1OTA3MDEwMDQ1MDcxNTQ1MTcwNzI4MDkwZjA0MDQ1ZTBjMTkxNDVlMTMwODFkMDIxZjAyMDUwZjU5MDkxZjEyMTQwMDAzMWIxMTRjMTExMjEyMTYyNzA5NTcxMTA0MDk0MjIyMjMyZDJhNTAzNTJmMjUzODJiMzIyNDM2MjcyOTJmMjIzOTJmM2MzNTMyMmEyYTI4MmUyZjM1M2YyNjNlM2UyMDMxMzI0YzAwMDcxODEwMGYxMjE2MDAwYzA3MTU1YjM1M2IyMjI1MmIzZDNlMzgzOTIyMmYzNjNlMzYzNDNlMzIyNDMxMmIyZjNiM2U1NTQ4NjQ2NDQ4MDAwYTFmMDMwODE5MmQwYTRmNTA1MDVmNTk2ZTFj', 'jdawdnmjpf'); }\n"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660666336611}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Installer\ErrorsDomain = "http://errors.newgenonlinesrv.com"	Qxzgrp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\39\Version = "5"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\234\Name = "firstoffer_right_slider_m"	Qxzgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback.1.0\CLSID	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Crossrider\Bic = "E93FDF71C5D44C63AB2CBFEC457DEAA7IE"	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Code\AppJavaScript = "\nvar exname, version, browser, broType, dataKeys = {}, dbKeys, cnt;\n\nappAPI.ready(function($) {\n\t\n\ttry { innergaqfront.init()} catch (e) {}; // Init for Analytics\n\t\n\tvar j = $ \|\| jQuery;\n\texname = \"trntv9\";\n\tversion = \"9.0\";\n\tbrowser = {\"chrome\": \"ch\", \"firefox\": \"ff\", \"msie\": \"ie\", \"safari\": \"sf\"};\n\tbroType = browser[appAPI.browser.name];\n\tdbKeys = appAPI.db.getList();\n cnt = appAPI.db.get(\"cnt\") \|\| \"\";\n \n for (var i=0; i < dbKeys.length; i++) {\n dataKeys[dbKeys[i].key] = dbKeys[i].value;\n }\n \n\tmz(j);\n\t\n});\n \n"	Qxzgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\262	Qxzgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\182\Url = "http://js.newgenonlinesrv.com/plugins/mins/182.js"	Qxzgrp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\64\Version = "3"	Qxzgrp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\TheTorntv V10\Plugins\36\Version = "8"	Qxzgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331111}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332211}\TypeLib\ = "{44444444-4444-4444-4444-440644334411}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\LocalizedString = "@C:\\Program Files (x86)\\globalUpdate\\Update\\1.3.25.0\\goopdate.dll,-3000"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\ = "GoogleUpdate CredentialDialog"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalUpdateUpdate.CoreClass.1\ = "Google Update Core Class"	GoogleUpdate.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28190f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d701030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000040000000100000010000000a7f2e41606411150306b9ce3b49cb0c9030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d467e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d701030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c9030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d467e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Qxzgrp.exeGoogleUpdate.exemsiexec.exeGoogleUpdate.exe

pid	process
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
4688	GoogleUpdate.exe
4688	GoogleUpdate.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
3740	msiexec.exe
3740	msiexec.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
1276	GoogleUpdate.exe
1276	GoogleUpdate.exe
1912	Qxzgrp.exe
1912	Qxzgrp.exe
4688	GoogleUpdate.exe
4688	GoogleUpdate.exe
4688	GoogleUpdate.exe
4688	GoogleUpdate.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

Qxzgrp.exeGoogleUpdate.exemsiexec.exeGoogleUpdate.exe48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.exe

description	pid	process
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe
Token: SeDebugPrivilege	4688	GoogleUpdate.exe
Token: SeShutdownPrivilege	4688	GoogleUpdate.exe
Token: SeIncreaseQuotaPrivilege	4688	GoogleUpdate.exe
Token: SeSecurityPrivilege	3740	msiexec.exe
Token: SeCreateTokenPrivilege	4688	GoogleUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	4688	GoogleUpdate.exe
Token: SeLockMemoryPrivilege	4688	GoogleUpdate.exe
Token: SeIncreaseQuotaPrivilege	4688	GoogleUpdate.exe
Token: SeMachineAccountPrivilege	4688	GoogleUpdate.exe
Token: SeTcbPrivilege	4688	GoogleUpdate.exe
Token: SeSecurityPrivilege	4688	GoogleUpdate.exe
Token: SeTakeOwnershipPrivilege	4688	GoogleUpdate.exe
Token: SeLoadDriverPrivilege	4688	GoogleUpdate.exe
Token: SeSystemProfilePrivilege	4688	GoogleUpdate.exe
Token: SeSystemtimePrivilege	4688	GoogleUpdate.exe
Token: SeProfSingleProcessPrivilege	4688	GoogleUpdate.exe
Token: SeIncBasePriorityPrivilege	4688	GoogleUpdate.exe
Token: SeCreatePagefilePrivilege	4688	GoogleUpdate.exe
Token: SeCreatePermanentPrivilege	4688	GoogleUpdate.exe
Token: SeBackupPrivilege	4688	GoogleUpdate.exe
Token: SeRestorePrivilege	4688	GoogleUpdate.exe
Token: SeShutdownPrivilege	4688	GoogleUpdate.exe
Token: SeDebugPrivilege	4688	GoogleUpdate.exe
Token: SeAuditPrivilege	4688	GoogleUpdate.exe
Token: SeSystemEnvironmentPrivilege	4688	GoogleUpdate.exe
Token: SeChangeNotifyPrivilege	4688	GoogleUpdate.exe
Token: SeRemoteShutdownPrivilege	4688	GoogleUpdate.exe
Token: SeUndockPrivilege	4688	GoogleUpdate.exe
Token: SeSyncAgentPrivilege	4688	GoogleUpdate.exe
Token: SeEnableDelegationPrivilege	4688	GoogleUpdate.exe
Token: SeManageVolumePrivilege	4688	GoogleUpdate.exe
Token: SeImpersonatePrivilege	4688	GoogleUpdate.exe
Token: SeCreateGlobalPrivilege	4688	GoogleUpdate.exe
Token: SeRestorePrivilege	3740	msiexec.exe
Token: SeTakeOwnershipPrivilege	3740	msiexec.exe
Token: SeRestorePrivilege	3740	msiexec.exe
Token: SeTakeOwnershipPrivilege	3740	msiexec.exe
Token: SeRestorePrivilege	3740	msiexec.exe
Token: SeTakeOwnershipPrivilege	3740	msiexec.exe
Token: SeRestorePrivilege	3740	msiexec.exe
Token: SeTakeOwnershipPrivilege	3740	msiexec.exe
Token: SeDebugPrivilege	1276	GoogleUpdate.exe
Token: SeDebugPrivilege	4688	GoogleUpdate.exe
Token: SeDebugPrivilege	4036	48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.exe
Token: SeDebugPrivilege	1912	Qxzgrp.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exeQxzgrp.exeGoogleUpdate.exeGoogleUpdate.exeregsvr32.exe

description	pid	process	target process
PID 2384 wrote to memory of 1912	2384	a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe	Qxzgrp.exe
PID 2384 wrote to memory of 1912	2384	a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe	Qxzgrp.exe
PID 2384 wrote to memory of 1912	2384	a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe	Qxzgrp.exe
PID 1912 wrote to memory of 4688	1912	Qxzgrp.exe	GoogleUpdate.exe
PID 1912 wrote to memory of 4688	1912	Qxzgrp.exe	GoogleUpdate.exe
PID 1912 wrote to memory of 4688	1912	Qxzgrp.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 4192	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 4192	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 4192	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 1912 wrote to memory of 4580	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe
PID 1912 wrote to memory of 4580	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe
PID 1912 wrote to memory of 4580	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe
PID 4688 wrote to memory of 3780	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 3780	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 3780	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 3800	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 3800	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 3800	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 1728	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 1728	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4688 wrote to memory of 1728	4688	GoogleUpdate.exe	GoogleUpdate.exe
PID 4204 wrote to memory of 1276	4204	GoogleUpdate.exe	GoogleUpdate.exe
PID 4204 wrote to memory of 1276	4204	GoogleUpdate.exe	GoogleUpdate.exe
PID 4204 wrote to memory of 1276	4204	GoogleUpdate.exe	GoogleUpdate.exe
PID 1912 wrote to memory of 4788	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
PID 1912 wrote to memory of 4788	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
PID 1912 wrote to memory of 4788	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
PID 1912 wrote to memory of 4672	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
PID 1912 wrote to memory of 4672	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
PID 1912 wrote to memory of 4672	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
PID 1912 wrote to memory of 1996	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe
PID 1912 wrote to memory of 1996	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe
PID 1912 wrote to memory of 1996	1912	Qxzgrp.exe	48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe
PID 1912 wrote to memory of 5012	1912	Qxzgrp.exe	regsvr32.exe
PID 1912 wrote to memory of 5012	1912	Qxzgrp.exe	regsvr32.exe
PID 1912 wrote to memory of 5012	1912	Qxzgrp.exe	regsvr32.exe
PID 1912 wrote to memory of 2260	1912	Qxzgrp.exe	regsvr32.exe
PID 1912 wrote to memory of 2260	1912	Qxzgrp.exe	regsvr32.exe
PID 1912 wrote to memory of 2260	1912	Qxzgrp.exe	regsvr32.exe
PID 2260 wrote to memory of 4928	2260	regsvr32.exe	regsvr32.exe
PID 2260 wrote to memory of 4928	2260	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 3152	1912	Qxzgrp.exe	TheTorntv V10-codedownloader.exe
PID 1912 wrote to memory of 3152	1912	Qxzgrp.exe	TheTorntv V10-codedownloader.exe
PID 1912 wrote to memory of 3152	1912	Qxzgrp.exe	TheTorntv V10-codedownloader.exe
PID 1912 wrote to memory of 1436	1912	Qxzgrp.exe	TheTorntv V10-codedownloader.exe
PID 1912 wrote to memory of 1436	1912	Qxzgrp.exe	TheTorntv V10-codedownloader.exe
PID 1912 wrote to memory of 1436	1912	Qxzgrp.exe	TheTorntv V10-codedownloader.exe
PID 1912 wrote to memory of 4324	1912	Qxzgrp.exe	TheTorntv V10-bg.exe
PID 1912 wrote to memory of 4324	1912	Qxzgrp.exe	TheTorntv V10-bg.exe
PID 1912 wrote to memory of 4324	1912	Qxzgrp.exe	TheTorntv V10-bg.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110611331111} = "1"	48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe

C:\Users\Admin\AppData\Local\Temp\a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe
"C:\Users\Admin\AppData\Local\Temp\a7af0b755c9a598c8e37f237dc024ca0e6879908ccf4cc7b749f78065452504e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\Qxzgrp.exe
"C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\Qxzgrp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\comh.291602\GoogleUpdate.exe
C:\Users\Admin\AppData\Local\Temp\comh.291602\GoogleUpdate.exe /silent /install "appguid={0c2af9dc-66d1-48ae-9090-cebc6474a847}&appname=ea363897-a417-4abd-b083-d6e5dc706b61&needsadmin=True&lang=en"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe
"C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4192

C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe
"C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:3780

C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe
"C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMjUuMCIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9Ins0MUVCOUQzRi02RTg5LTQ4NzItQUMyOS1CMzcxQ0FBMTM0QzV9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezFBQUZGNTlCLUE4QjktNDEyMy04MTZGLUYyQjRGMDY5QjM1Nn0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjIiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMjUuMCIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg==
4⤵
- Executes dropped EXE
PID:3800

C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe
"C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe" /handoff "appguid={0c2af9dc-66d1-48ae-9090-cebc6474a847}&appname=ea363897-a417-4abd-b083-d6e5dc706b61&needsadmin=True&lang=en" /installsource otherinstallcmd /sessionid "{41EB9D3F-6E89-4872-AC29-B371CAA134C5}" /silent
4⤵
- Executes dropped EXE
PID:1728

C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe
"C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-11.exe" /rawdata=lk24Xwg0X6KEz3VyJMoz72suv8XH3otNTv6jhuVh1cTt6LX5NydRGJhCgN3gAIepKb4cws+/sTrZu78AE/FweXsl4BTdDT3BPi8Csl8Ey5Rp94EfitsNACiKtqwZsjXerm//UKEiIjMczGYgvmPsO32LqZNc/iIvmZHQD6Zc5yOQ4eMInHP1uzEgRUsFcAz+c/jU+6wvuSKQd5Fl1ogcufwf8G65tAJ6y6qLPDMFubj+vzta0GBHaxnZC1qBn3KwlvvZttUb0/PPHToIYknhE+IOFBB3N1L0xWGhJuNrfgwI/X6hgOyDxi6NlsPY1DHW35IGSuXX/mCy9Dcnl2mwKGis7lQ5Zl+eFTrEohWP4A/BnQ+87voiAHzHUVJoiAoDem3BqqVwyHc6iGZseK8UNDa2Jd89miFXjUh9fqCg0NFpxwivC+uwwhaE4/blZhWLnXmxCZZVvyPFuIzg5zjZCI43wgfWh0Od/xeR6VVebcKTbXzGCdFYS/B4Yd8bpPGct5u5hi2TD7Kd3lpLz8EDDEVYCsCUUpQiiW6jfpLXx+8Hj+bFIQFGbD4oemYFXVGnC0dZJbvEoQ92IpH4s+cPSsEtiYdZzHO+6UdLnXPDwSfUoJzfwpEFJNGclvRpIPLBQkfOjjj5YdNrQeOJZSdbJlSPd1h3zaMo5bYM4t3j9DNIhHT5B9njco7XbzvXUycTdLPA8PQd6Bmffc4jjfWFLjRksQGr0ZofIKmzfCfjzntUN79v4c2C8WLS0qpO/111+GX78mEXLYI/p0oa8cXrnneUDqZ11/ye6/8Qg7viK1oVU0eX2RJiS9HzntImcf86iVqeQkD4rjccSyI14duIrscTI0enY625rVTjuxAuj1IfQ06jToD6opYvNHxjER4z2GaKQuVSAvxWkd027d0nHzoYHV6AKqK0XChghGtcuENQUAeLj9475/s/qdv3n5ybmF98+HP3oQt5Fbp16UtPeyu/huWP6ZzZGnsgR1g0aSd/EFK9HZlH/i84PKcM70qkbo02OeffnpQNU+mwVMuRN2bCUbOi0O95uoJeUBGuBpURBexinUO5LFhf6h1CoHJNW0WlfGApBLKYzdVRzAdX/2wxzfZT7lY97ueJEf9Y06YYSBDtxelMb0GAf6/aEKxU7rXsYNrgUqaBMGmc92HmdkMEWt0oVeQOqsRDzi7FkWe1YByIQ5vU9sWa+aN3P8Whn6oq1qY35zh5G+d2qNQuMoiLLwL6SckS/ZOv1wJVPheha8Sfp/+7jhSZfjuqHfyFo3vVzRttBfV5MV+HeBzsJ5jyIuwS71NjJTDBxU/w4Jity2YdnjbFTwGegO+sj3EWFocB1kGIGJscQm2YkzJxPQ0z5MtuW8lLg70Q3NHz/RFhduyj+bVNjtnzf/DgUoPMB1IcVW/+AvxqPz6muWA84/9gZCVcyI6KPw7oStunYLAksU+LEnh/6Zy23P6rIAJAzEPsWCkL/6lwnNDmhgXzfIShEMmBFe6N08o4LRmFoI1MFfF8L3bCdqWzLXqcgIKUS1/gjerQaI41VbholT3DQgnp6WPxU2wC/TIlpn+0Y6KV29dUB6x/yQjNcVangYuzaVUUU0B4K8xzqBZ2lsf/yHNWU6TJ5/8q+6RB9AAYPregJq6oNdu+gB+mcM/wp2pFG2z9vqTt/sbD/suUk8+V/jEQQjPT257s/JgM6NCJFHxqgiBSDl6rRlZc6Q2KP2oVn8TQE+FcRN4C1cOADOTXX+xX/CZUvSgk60Gmk/xsQd+VwLo4nnSU/6gr1nt/ZXe9BY80UNF2Ot/RqGqrSHEt+OmPvLjLsbVVUMAByuaSk4Ukd+2kWiMmuUFDRFwK/Bk0dF5QDPinubfgvBqCuX9q9YtpldtRYonwjssXM+rm0DyhwRc6IF/vY1MQxCFP+zB22EfKJjLncqnZ4WzlRZZBr4MqyAJGgX6ifV0wG7qJCsNxf2fHnOQnm/k5LE6t/zpvrhCQqg/GHdtMf21/lpqGSb5bni5lAkzQZtghbwqIoVXLNSqnnc+hlP5EVGVHYOSDEdqXhxBqXbowooAhOAtCBiH5eKhg9WypaZjfBHCpSJF6A4yx+D9AVkXRupWlgIQfTEhCudQThUFA6G+KT6XaUZkYbGd1j7t6f6ZEl1KM4ryqOKKle+6ITiJWvEqY9xjZEiSNOtieX6q6XC660axF78AWyWQpIk7XhdnjIklhPE6mqKnjiCycMuXmWd6rvdfzUgzb09KZfRYtKDSUirMiUDImOtPC3r50hpRVhxns97Z6B2Ad+US71bMLtmxPZN7oBOX2dwTY/zsht15e6KRSMxVevYwgs574YfmgREjxQQ6M6dTIoF8bo3K1zQ/xbdbYisCugNnW+DDmW2AxBOeH4g==
3⤵
- Executes dropped EXE
PID:4580

C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
"C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe" /rawdata=FbuRdbVA7+F3krI9wX1i0sR8D0JaHwAVSSPiCjqxtCrVLd1I/+jUzXQJ5/QYCQ2EicECvzXK2BdDFXJyph9XxIYy400LCB7mvNoTkW9ozUn8pmR2e5bMIwdGNmfCJscH7FXZk/ph2VnkbAxz+cUbQTlOCtkGsk3i642Vam4t/sE7bto6daEm1iz1n1Z3jCoX4Red+SF49G/fnJQMD0xpTBCu+X32rIExoBvmslH/Y+wroNEQWxpHJjM9tylQmD6CSmIV6bcQg5/XS/E5v8KBpQtiPzxvtvqx1xH4+mDNVWoQwFPwrv2nYUvN/HJkGm7BMaSgySg0gFvDMK4QU02G8WZ0u2jGAZ9UxqBs/e4Wlphoybvsn+PqiyaNn/9mfKa10/RJoSQIR8OpRB2CSZwk6XysHj5k6cMun3ImHRcx2lRC3mYAtbeu67YGw3IADceA+AoBRtTw0R7clS8Jy3PdDPVWVFRY1MJnyN3CRvKbnkZoHSAX1ujFMsTNZTDTE9rstRi0EOtLlYIAmEfG/vTABWw2oO7bG4hM5GzdNFFYLobzDSv811pSzpkbsHkvYH336iezFwjFsyQ0Bom/Ks8g2BZZ0Fik/TXSMkWEAPOYc50hNzVR1HVpxtfmkjornhveJSRcgdOkpg2ewLfFE4uZNKL8J8pgye6GhEEGdnXpAip1FuNSgZUZkkk9cYHNpe6oJYrP17DORnyYOXq1RXyRk2FT9yWI1pzo94bPCl04y78iZ/5TvGkxJ2BbANwZtRpShJW33OJKrtVbAK0LT2Xd4a7nPnO+CGVKtxOr3r2b3HZVjnGux8u87Ix8dgcTK+4UUyh5Wb+hBjhMPUl9vdP0zak8dQksHBRRC+nrydE5JXhFKXzeWZY7x/hFWyEfRi5gdj0+SIl0VM8kwwP9CcMtt+MDJQ7QDbs0PLKCdiO+CtB/lezTemR/z3GvvHuNl9Mr4fSM/UcFVY5bg5XpVyqMrbyBOEgWkuz/iN751OXvrQ6EcONlyr6TxZA9GCmMnkSam42uuHYunLLpnAIWnx652Mb+CABMB2YM52WBiuCkNTvtOyJItHKfKFnq9zfeSv8lxwAiHOJ7Fwr6sqBnyzSPNhrx31zLuf2yihtuAlNeDcDSr7O5CyQMHxOpcSQD5sVJWJIqmxJ0ZNpA/bT6B/gbzPpWIJhX2Rzk6D1DTmYyNo2/gCrEAWmQ2q3yz7yMZhCz+MquiiiQyV31k6aTXQXBgH62dCobGr8KJnftorZH3A3vkuqdoT2blphH8A4CarTA70px442pbM9LlO29lahAJfxMpFImFicudqNes4awHTZN/uTMnOlVlSJZeRmbBhIqi00LmehOGQvIXmsAl3AJvaunErQocqQnmxcJfxGQzLbquCHk5jZtcRpv3PUvvSiSDjCaGlHM7QNmdZwPWOP+fQGsh/3iwaevYXikFKzZAyoNcJI/X2pL5naR/Uh0HpSsleh0EBhkgVUwnlc6lgXEdcCkGLX86BpyoBE7QDo3eWV72O0JenIfLp9PfZWZtPVHQabtu9f6kuWtJg6bL3HODJpIGoPgxAmqJqtIprSmS+3vNn4PQ0Et4CtZ+lZcmpnP32td337FAZ1pqVE9waJEGNpKchPGbRz/+uEF0jCTmuYQeI2hKkmMYR3Ujwk/r1dhh8TkCPmi0lxyqV8snmMEll65n1I83lCLoXCJ+Ty/suc/XMCCzkJ0mHNjL1uPEwKYHL839H3ujf4Ei4AB1ABTmHXhTofNbXmGrC1mHoZtdfS5CHMOxRh0WjJEFpLEpAI29Cnl5ro2cwMc20zJO0jVR5N7qQeoEn3geIMMvdk248kAN7IygHKyPn86iIKpV0VYRlLzsXxYa4WjUC/tqUcQCg==
3⤵
- Executes dropped EXE
PID:4788

C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe
"C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-7.exe" /rawdata=KluuCgCpJ88lXhTb3ZC6vfnwxOt1/HYKr88cmhM2n7zxNTqfOWmk1u5Yp5feAOeFGAexVGG3OFiBS5AtaLepiNeOpnSmPXhuI5ZhGd/KLDFdWXOPvM6q7SwbK3JEBaBxLpoql9yvVLpSuFj+rOYxhpxYjX9Bf8JahA9acgStm+qxRb/YATPrUikl6WNX0GBtiXfc/0tb02ROJACXrEtwaDni6mvR/y/Leozf14v2k4qv7Ze7z5TaalrMuQDsfh3JWYvvNJFxfHcLxPLOhI0sd+eK5k53W6PQMFTWwPtKunbsYz0dxidhGDpqoVIe2ozMohBZI3KtIUlUXSn5HotEprDBlGz5/ofv62SaszOLpeojoRlZyjBaPGFEBvJ+nJxSHlBd++Xah94/bEEsGZuDrnReauXV2auEPQ8XK8MhA/vwJYQqRasBdWTXRXMJsNUuyQol+2pU2Kt0Xjs+P0RiIsVDQ+D2B2xaNgmnU//4qk9ydnu+k50aP19i87FTM/JTH3pGpz4KWWUnvsijmSIQ5nH9uIp/bRiAevSa+XThAPugMquTydNSIjB+FW76rw98+GGKJMpapdkGW6npyWcWJ/pym6XyWhZF3K+71wu98+UbANunPuUfdIfBq2xjsLNeyvsJ2t/dyu9BKY7+ORSyJZ00j5Jw2bujwtNVd80wt7+pRe1HxUUtz6GfJbEbwMHTj9UOeD+hYDePyTmA+j2rDxFmSy45FFM8wIAlQ8uheLHqEuxPj5YUh8v9V66lRHaRVCPsZyTPwFqvz2PNfkYjBra2PCCHpRgbLDfonSe0cppB/WAVAeRcg7+s4FIA/yDYsgB4XZPdzME0vavdDATIPFnOuvOv3Nk9G2VuMnVPyYy/VAUCJJdQ6CVvo3m0dIhInGHTtpR7zlFs2mtWWXJWIaWL4i2bAb573NSwK3TsXtidn2lz0BoUYSDxzeUrOOJmrZ3ELiDemyqJd6ZLoTehBzfjxZJzeZOXBvuSwIyIli8imzr1jeUqfvNIn9IksZCWeoWmS/KLqu40UPNMRbiHkcPeUqVi6g8Zn8gBsepIIfLCgfLK1HH7iCDwFZDhT5/fFe+iXE5ONuPW3PdeP6iCyrxZaYk1Fk0u07q8BD70e4GE9RRH/Mt9aPVg4MBJgYO0kT7znSP0rxuZgJ8+dWcBTqt5I2c9cxdxWWeM4JFytm+yZKG8IPRXpAsRr5NEdUKh28v0opl5pLzX192WxUkBQ/QfQQArP/EWwQodX5XALSWZToRAjZ6lIyRZJ7Jrvm1FYN/ABZVQiPbK9J4RDDJRe0cpWmx5k19xHwqQWXBBfAFr7O9WTiX13i8s9IkwKm8IQO9rHzSAQkAGVT9Sr2KaJHxDR/cDoHivzih2Cdjk/UCrDmUxoPB3iWPkkgH4xRfO58dofMGa5qyYy6vSWF/O588UHU+Nc//MyPKwDJ4W9QijxF7HMnkEcrJ2jV5qM3zQaQBnqsFjmu8PTEpYMfETIlyPa4pn5mgvudlvmgVCv2bDMrCv7OTTJmR7FxOlLC2lR6NhoKsei7VxkLUQPuV5sCwXS0gVd36rt9vz9f852cW2gkzhbTsmC10b4SQEwS01Knimf8lgD+wMaZPqzQmS+JKFXFli+tFZWqfN3IYS+Js/R/t63ZVhXGJLlulUgNKVC5V4zaVW9a59h5FSOC5NdP09QKF7fZtLxSeva/gwg1c=
3⤵
- Executes dropped EXE
PID:4672

C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe
"C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-4.exe" /rawdata=bxAiwZ8ot0RWlRRqkxCtSXYK1EBz32bD8bgjvXOQwnsBm8hpWJeYdS/LOXC/75qYWGpI2dD6umS0/AWDo+Fvyhj81daZGxoTXB81n16RnCd0JV9poqogZpG8D+qB1PUrA2+nQ/WBHBfspxjnUJ5c7B9Jf6l7OEbeNlc4R6p8H8h6kBalBxrCd/h8teA7dfBfgE5P1D0nNlWcUenIbRyuVxfyuD6qQLg6a/efGMLB8aguxgGTcIKJCiaJydfxtTr/LXybFsPa8yFvVjfWCc/HeJmgW1oq3waIIIhMFH75NnXymNEb62T5cp4WSxpWSDab/HB4pdNr+QfqWgAuf6jGqcEwwnk94mQcGcwz020WM++fGzSYd3qkrwEpO0GH6aQc9MW41YlFh9LGUewwbq33TjjMDaC1d0dlhw4MrQI3TtJb15KxsGMfRaK6kAZ6d9G0yqGFGrpxrXn3SzfsE2PJYZ/LS3ycvlemBXM9BReo0VDcqtKMpDBHqsrBoqGlp68ZpipGanrgBLzvoSN8HGrF5HbzK9V77rC7HfyiVYiaoC4E0H+K0TOuDcHtO3dA8qtSU3u9lfhrqYHSmL5PetgeRrC5E1neyhS9wH5S+FDsqceneHv7sGhx2orIAVT3+tDcTwVi6saWQ01vIABvjMiZuMR4WwZRkgoLhSxmTAzdYGZvni5tcIqF3+Lg+UjI5EFLxRFZLlhfB0FKL5vtapicFrAKiB9D7N5ofvvgJVacp/8p/fhYA6+b3ETv0+PjHvgBliDgyHAYqNlumpQQ8md0hhp+WOtjrLVlCqrp+oF1RZ7q0NyASbRolDh5dWDWwaUxKb5XDUnqFg0ga0AIDkYMEDo7OkVJyco4FFgyhKviHpgvAnJFFecATMtEuu+prP1IiI55ZpzJoHxVcS7rlpg9zVkkMjJt60sWjg+bXsGsxVrFYllXL2nGzrF/5aUK7Inokc7Zs193QCa+FazUWlAjmiFsjr2u//iogNaE1BQIDkCqnM6+vBJgEorhOulD8PxjaTPPJNwGcVH7T+21M5ErUFHlr0aNdzpEOLBJxExT+l4K/yol4Fw+E6kwOpuNKDuh3g63G7Pi6r7yRR1YJ52KJiMu4x35DQbeWxPXOkkGg6v7o8eBKplT7uZZDEdXbD8izbI2A/wxwKF6+I5WkB4CXEYz59KMOpt+1sHI4k0lO6swElpfk995dkXwh4iq2iCfdWVpGsUfgpjc4DFmNbG+in9Bet/tuhrxZYBENIPKb7ndNYsTcxG5LGVV2F4AjwBSY7Y0zk+zRBFom+C/pUV6Tq533e0ewXNOIvELpXkASr3OlhS10IZGxHYvVaAnF//1GDgPlQVpNovKW1ey13cUgj+MmApo1Vsz+IbCJhiiJDWYbrcHDz8RWkg/ih76zTBFiiza6+CW+QS8ShCFOG2ENNfdkcZSByTuoWdLZTvJDtXxd55YYDV40moo/hVhbvmMjfj6tpqxbHVM/TMiweIq9JwmesRJezARKY8cyXXG+m9O+rY1KkW15TzSgPbRXUlMnaeNOMBnFKzAbriocQzokOzPEH4H80yK8BjR4kK2g3EJtrxCV04E2YoEMhiDqJEgeZY62oDtclEa4TGJUn7tWaZWYpuSaXkGE1uK+eOlwZNniV+AKY15PuSbSCY+QFrkqdMoRVcKwMdndTIu6i50bX7f8yGyn51FiZf/F0fwIoFjkHNXHaU934DojDIiwar35h+NrMduMJfL3ea4QXxmmxOAd4ebz4c5jYVMXpKdZj+3X4KR+zyku6XdCcU1bKEBeB5+Llpu8mATpGTMdoa+1kYlrG8GREcsn11+p0Gxxor2VGpVqvn/n5WwVRVkQ0qM0Ud+BwYq75Aqi+PROoYdNpqYE4mJtMUw8RDXP3d5uTUhzTbxA4nOBWzxjV/Qkicmo9tjF1xOlQw2sdIkyPXa3RV7+3hNVywqZmxkpNXWeRyPbS2CWRBYFahvqfa/Mkhx2vyMk1BetzO69CTLBlt1dtK+RkvkVJmLmZ8Up5cY54K/cMBoJLZvf3NONNCejOQAHR0pS+Yy6kJtfi31NHRm6zPGqJwiYIASTeHFRuMpPG6meH/7qKCxRf2Ch8bNCVjk2ikF9vaXUK+XNDE+0V+W/dRYx32m5lQQn9bw+uF4XDAO10vi0YSGmNXCVuWBjBS4iKKjFKLDCSCqhgchRVNkuTDViO36ych7EiF4nfJ0BpA=
3⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bho.dll"
3⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:5012

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bho64.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bho64.dll"
4⤵
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4928

C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-codedownloader.exe
"C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-codedownloader.exe" /rawdata=m9+SLl5YStntuP6H12wTx1VoI+twdl1Hw2OIfXIITD8irq4MVNZwwnYPsrsZL0buinLFgZ7IsI1znKfBYFVcHLMBsSrREtjWYu/AKdCuCZ6dPSIcbmCJs0LXmUIMiuXv3bxKCz0mabrXODgwjLfQQh6Z+hv79USXo0/OIs4mdI12SycL1iUqOSrDj2w5k0ru5OeiGFD6tjRDPcWhmMK5153xKXNPR2ugS78n849ewLmIaqe2/I4kNggc8phiUaoWqqUF11LubV17oxYCEyCkbBUL4BTHwsH6hQPjht4XVmqNLnx4D0o2yIZrrYFRNPORV3gMORufhyQZRGZHJODXoLzcthbzj81dri8j/FeQsC4wb5mWjfvBPCGcEx3EeDivFEVVT2A5v8fGvxMiXNX/gOtEELqAWcV69i/dN4j4hvPmehbE1OW5VB6Poosx67enlIcHdDCVDd51ATynSOL5bmWGHhKGp2+/y/aeGBC52NR1AsD+tg+t4kEQNC5H0YO5oXnLO3vG7GbhmFPRhl0p+O8JAOPnbiRLiUiZZx0rbvyyBYgSLdGSyTCj7Z9Vm6kbFGj71CUjDrpFK/AwypXoLOu59y6rNSv1Q+q7QYleqlNC59Vh0fG9YWQdJzkq7POTNI2r+Bqf35eSXkoSWzCwd4RyomUiLZ6A437TdjEW/jO8KxxZJu0Vy4Wj8844w/eLTLIkEvvbt43hgC1lQfnmeH3Lxqhg1YWE8wQoxyEpxezCrCdh2CUrF61gOUQUo6lCcsdVTTPGbuEBhJ3Ckpmo6s0sbk4OvG0oKvMt+hBWlw6jUpPQ/YkXpgRIrbWaKk7EvUn2aUvPxmy6qO/VUZvfR49J4KmR05EeX9NtneQGvIgdwfXSZ6tBiTZRogkvUJfV+OLezlI/V7unC8d3u6ze/itf/33hbzu+66aC6P2gxQgBZEFL2GBFr56WrjXlabKgzJN79pL2PI8Agf5SCvnR8wb1WfaswtQAQ0kBvaqgcQkj2XZXPidU8OTN+1KwdZ53JVAID8CUxS3FNwwPiA2nfci74HzMmoXAWopTIrYdLGcI29vHcEWokdFd0EIzFZcvhWpmhLdIoJ3ioSntaECX73oqYnXRpCh1wsVMKGft3Zsv/+1rbuoG2t2vrWI97bf84OPCotJihln6khildpwgZRmlbmkn+fQjyGzwAo+9LHJozjWAtYoqid6Lk+Yc7y99o8WaeWKZwHZX4wELtImTxz74KjzHg9Ojlf9CtcamIxWBvHd5mAh10f+XHfg8zaRSks4W+e77UP8fF7Z+rDlqyMVzA7uM1VP+od0oA31XH2VKelFrBPjybXLuX/eS9a0p5C4a5XCvALLG9gWaA5zn3yua+GMdky5HJgeVMnCVtHVjA+yj9XWQugmRgp5rbpL157j6SYN3TFF5E8axHY6zxiACBby8zDDroLarnae/duU32IOjBHZ5tvabsSLPVVrczwaF2gLkiAvN3Qqs+CsrQ5tiD0QgYcRSZI8GiUnpVK1oOXHLgbiURB3BhGg4+XkV
3⤵
- Executes dropped EXE
PID:3152

C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-codedownloader.exe
"C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-codedownloader.exe" /rawdata=UtMLDY52MaRjlcfel874LYI+OLuxEtrnREGJIrxBxynheZ4q858wAe8UMGzWyNoNOoc6sddTjh65XTy+2ZSfekZ/cC+0WDitq2VmMu4RIsdiStrNhRJD8LHDOX2egCho5dte3qHNrhcFh/9OjU+5+2TMKHMVYL2rT3CtqrHp730Gy/HyyzquDAQWYOcR6dAQhr5SZokcasgK6rWypHhLB7yPTwJpQExCQwsnzDJrdTbtzaB2ahManZdpdYviH2bWzerIBfBPxY3lh+t4KvXmpDG7p6w8evcbCPSea2YN3W8HZoGCbTcsjVJXmwBdzCjQsvmKC9/SgdXqof4hfxXNiRXJ70rgBXD9mucPDPWSgLMwT9SpU/f4tsFh4l3sI+oncDddd6QTGbwlscO93RKKJHfsfnqoDJswTxPVMYxrcv14s6u+KpQy2E3Xgd3CH3azyBU6pEFDXa5Zyy1PUYJxzRfVxp2amyfT8815MlfYBtBfAXQfb6Wigxa4d6xReL0jGIdguB7BU5B3sHaZ6pzeemfNN2A3CT4JDGfH/1E2gqdBSmENIy+X1rYQdU/m1ZeiMouvhzJOTN7hM/qbuDpDInKOVof3J0DTlJUthY9XvfHVQZkbGCB9YqxOvy03c1r/X1z6L9edfn8JJVt0HsaRYDgb843da5oz0Va+z7xDuxhpprAV7mNhu/sxBAikh8SGHpgxRD4p995U2i1lkkPIjJvivYilUw7swUDnFfpXCDgG0cwjz0gAfL2GdHeiOG4PX5JoocjFTgPTJf6A1kLXYolSxRuvvVO/bsqFfuTFdAiROA6QC6ZfjUHEm6GOhlV57ncAnFnTNoZABkrpoCxoxTIKuTPZSLTLyJoWlRxRFoGo4z+sLYO4pwOSUqAVV4TIrCotDvFj3mSIzmearofDrk1glacy+yvZ18w1IDT4cl2i1/1ZiGye8X39O73vtSa4odXQ/vUQS94O6cnrT5M9+aXhFdRvU6R23pU6SJ13fM/m2fpqBAXsrnKJUxUD67JIhxvz6c6QkaOpmeTFaKUw7N4OgY8K5+a0Sn94KXjQ0+YCmb7dQmt54W/MeQlf92D/4dthriD8OWyd66eh0aKB+/0/WoUboT7i5I0Sz2D35C5wO4rMb5krIUAIgKnsz8AskcfGiSIlNm14BVRDxA9q73Abm4byaaFWjcoYZkFojbwIH+KbJSQYnUIZiqyfwdWpss7MIJPqn8H9/orBBGGnCTkpgrPuxY79nbWy4DdN97iDkb0BKKBwIb1ic9m6zvOUb+uoI0s7kti4MUNENWrJW1sNJ93BQwJ/kJEd5ECq3gDl9bGBkvkrwV3NZnhcRdKbP27cekh+YbVawA/JxXqc2Q==
3⤵
- Executes dropped EXE
PID:1436

C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bg.exe
"C:\Program Files (x86)\TheTorntv V10\TheTorntv V10-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\TheTorntv V10Installer_1669281287.log'
3⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Program Files (x86)\TheTorntv V10\3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe
"C:\Program Files (x86)\TheTorntv V10\3a4b289e-3066-4d34-9458-8d0c29e1a7d7.exe" 001823 E93FDF71C5D44C63AB2CBFEC457DEAA7IE 63311 1669281287 93-0,102-0,104-0,184-0 TheTorntv V10
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3216

C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe
"C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204

C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe
"C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMjUuMCIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9Ins0MUVCOUQzRi02RTg5LTQ4NzItQUMyOS1CMzcxQ0FBMTM0QzV9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0ie0U4QTExMERDLTA1ODAtNEJCNS1BOUQyLUU2MjUyOTkzODQwRH0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjIiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9InswQzJBRjlEQy02NkQxLTQ4QUUtOTA5MC1DRUJDNjQ3NEE4NDd9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjQ4MDkiIGV4dHJhY29kZTE9IjI2ODQzNTQ1OSIvPjwvYXBwPjwvcmVxdWVzdD4=
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.exe
"C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-6.exe" /rawdata=sK2gqhzSjG/0j+xm8/ir5Qp6Y2hyzLAiuiJDNk4UOj4zwC8DL0u8t3YmKnH+D9TUTX2Xb7eIUEf4WdvsFc0BuRs4AkMIf6VTuOP9GpmnWH7jf7tGHgr1ABmHfU9cj3VMkMaCfrBRzhdt8MqvdchWQXZKfXWGiG7VvLV/7Upih2WQOeZVKu/BnOwokym6GUbdepyUDfgJCDucX0QyhU9bvlT0RGSEtDw2cvI95GHrn3tqFa0CUyVqPZvJODV39p4xWw3iwg0f9Q17u7hA0/tRYrz0+2slRiRd5l3elpX4L5iNcHgUd40AI3H5Xv67eFQkuapmFCAHu69M+VGm26yhTwyID86814hP3IdOxj2LwQvBYdIrGiRO9Iqyk2RyjWA1U18UnLz+QWSTeofAXW3CrRUcKzRqobqobpKCVWgAeeNBENpoxmffyBA/bMZubczPBDQPYSrvFI243uWXCKI+Tpjl5QmTKf5D/4szjpXsKHVJirGIAhcZ/J+LtehckUNrVF/a9I2ndNdIFB5iQkWzOy7Lqkl95p59p9ZR7EMnpvnYCbZxSuku1x/fxF4h7hPJmytxlX0q4LKOvXt7BuKlD6pkcz2pKvJqANU5ZdOVRu3Cr2csSBGs9fyqGmWN7kELQhGiPsJGfARMSq1Y4R+i3LsqM3D0W2y+ZHVTb2Wip8Z0L/9H/WNsTljHFf77pGjQhY56iH+iIBtWUHir3Q+LbxCin6KXgWy063M1YKlwrzoxi2wJ96QWgKIikfkXVJn96lAo5SZ+HQjNZv8qGV2TAqZWN9TN5TTg9Bl54NBMYkQsJ5PglCDVNKfASIr8ekvMtBxGjvlq2xv2lLxmTG3Zx1c8AGDEV+9tFJ8C2a5Va5J0ErXu8ttrz4liPb6tcVPsdL5t2srnmxUTPo6DNZ6C42MhUrGixMRqypfrNLn613qHNUTcNnQBRegU9QgkINvlO2o5osHA1U0fWKVHf4W+uxO/4oyOkec+IswhDTcLddQUXdmC1lKlxZy9PgtxOplXt6Vb5f1sd1aR/uNbjHJqqGPgGsxpzuFnCmE9CkjPWVlBDUptl3R9qYERnw71nDmW+Q1KYtbwR0kBWDFB/C8KBOLvGoC/mUEAYb03B40rumcVcE+/gQX64jo2Y7IfE8feA4QdOyUiqLaHHc3tYNFapW8W/sFIOLaTursHA2FpMLCi6pYlLsnre4PlqRqPs5TLuYR0QERDok7F9AJJ457vyD7DIowP0cykBMvpl9brMe0C5bRLxieawkVP1M84WpEdP9nRiEosOADQr+bUTB04EXnjpOKROi+19V+3pMeB0d+47Z9iJK75sky+8XBj/d/xiL5DzreJMPLpspU5oLyU5wbuxLfiX2oXUKkgDxdEwTCeAOQWVv4ovwY38M+sH4Qygl0ddR1MC90xdr3WG2D6DWb2kQt99j6SLARN0V91EXD/yiTwCtRM33ZFEYAV7yCUpTwpKX0poCSIZ1DmmDIbnNvq4h2fhjJcoLcIz8Hk6QBJ1pLIUqn+oG+KtGXpiQ38
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe
"C:\Program Files (x86)\TheTorntv V10\48c24f11-5fd5-4cee-ae71-2990796e9c0a-2.exe" /rawdata=KciFBqZmJlhQI+16VwJT0T9nFwHW1Ejdr9N5csL2zDLAtqOP/+3NgVQJViqI9rzmOsCO6gQyjf2I1aWRVi79yyNWbQxsXeH2SS8KZRYbB4cdQifyJj1os8VbOFuejWDV0VDUtwphiJ1+oOguQtxNajRZ+z36udsxT9U5BjwqA0StBIRV62p/4qB9mVP8eSnFAt4lb6lhPyualAy2vrpNYnNLiYJE3Ngf6lCIQoPw5oWaeiuVsUsFQxyLWX90m4Q4VB0FvyFVzagEvH0whjU6xHsifZkC+WMRqlH35ILTH9ZcGYsElRaNz+bn2tUHrjjXuHRV8bJv6dIBIvPSDyQpyK/SvEuZaf0uTsQih9mPVroioey+hRFJDWzMxu4o/9OSRs4dsQeeJgQd9JWVwf9UojAaGpLlR/NmtHTfm0mqNvsX/NcI8tjoVDmXq0hIQFSX0M5rznBlX7Xkj7G2EHqwByYC7PXG7cqyZ3cld6nczxEsH7JUhAfcJ8fe9CiPGzWaNO7PqpmoQn5n1GLWcdz0ieGC+iq5jYhhrC78LtSmyqh0t1x6uZtRREVJieQPUHQc85AcSUaHXJ013J33hFsSwlR7s0vawfBWC8+yZMaJlWNG6H/n77mTyZdcDQuGKEwbix0du895vSpXAf+2mtUkgI+uPcGZkKbc0p38Z+8BSB3BmY9MKQU/zbqWyJqaO9KzazzB1De8IXLLNhYgTz2rpPEWLCQrGleCWja8582K0gp9uufAI1LPTYqMGxOX7AEu8AGpjLhNkH/2APnkeHHo+1Gf8fAZHOii+bFBxqErTKfExTGYx04b2CoXK0m5HVrhRAZM/tsYWBl3eUK3ASKE9bYol0NVGIHaYP2dOnFI/sKZPuPZZGEtDw7O0+VD0DF9j6BTymqVkuPsMlndnCXe9xSpf3vJSrZ0aqVuVzje2qGu6FNLXiLElYlScBpyty7Ia+y93YOyPKYhRbSNldH1J0aEG7DCxWZv5jsODYTeYjIxd/ns71CHty3Hbsyt3v7H
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- System policy modification
PID:1852

C:\Program Files (x86)\TheTorntv V10\228787e0-8f1d-40e4-ad5b-b9672d6fb859.exe
"C:\Program Files (x86)\TheTorntv V10\228787e0-8f1d-40e4-ad5b-b9672d6fb859.exe" /agentregpath='TheTorntv V10' /appid=63311 /srcid='001823' /subid='0' /zdata='0' /bic=E93FDF71C5D44C63AB2CBFEC457DEAA7IE /verifier=0e26d4beaa43e8fe1a8ca6662b96a1fc /installerversion=1_35_09_29 /installationtime=1669281287 /statsdomain=http://stats.newgenonlinesrv.com /errorsdomain=http://errors.newgenonlinesrv.com /extensionname='Information' /torpedoiesleeps=1000 /torpedoieplugins=93-0,102-0,104-0,184-0 /monetizationdomain=http://logs.newgenonlinesrv.com
1⤵
- Executes dropped EXE
PID:444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\comh.291602\GoogleCrashHandler.exe
Filesize
71KB

MD5
03114dadbd9977fc823f95b21fb987e7

SHA1
0e7cc420b0be38296ef8516dc3786361119f1f5f

SHA256
9ee9cfe293a8c2aa59ac8b65ba93f47c5ed4134793bc0f8102870d63cbb7a68b

SHA512
dcd85d7ee439a00827fba3cb2d5c8c24a5a508dd359699a43178c6cfa122d0128659392a29283945757ba8853a0e6a270a2aee003424973c3e4d598cd7635d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\comh.291602\GoogleUpdate.exe
Filesize
67KB

MD5
d858ba2ee718b1db1ced20646e641d08

SHA1
01c53fbc0030066fe9032fec431d9ea26b5811cc

SHA256
9e63f6d3ab97d53924b975ed233cf595efaedca94ab513398cb892684c8027f1

SHA512
08bd015cf63062be24878026a01d07562a5ba5f4eb4f06f2674e13b92d24c31d38580974f23713f67f713c9098c1847b5b1cc49bb89c1c93d8fad2c73d237a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\comh.291602\GoogleUpdate.exe
Filesize
67KB

MD5
d858ba2ee718b1db1ced20646e641d08

SHA1
01c53fbc0030066fe9032fec431d9ea26b5811cc

SHA256
9e63f6d3ab97d53924b975ed233cf595efaedca94ab513398cb892684c8027f1

SHA512
08bd015cf63062be24878026a01d07562a5ba5f4eb4f06f2674e13b92d24c31d38580974f23713f67f713c9098c1847b5b1cc49bb89c1c93d8fad2c73d237a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\comh.291602\GoogleUpdateHelper.msi
Filesize
140KB

MD5
fc7a2f466f7a0f3e873077505719c1a1

SHA1
f729c4cdf49744729357319e10da2514ec40cb03

SHA256
5588dfe6fbe9eed8fd7e207cf91cf355979788360e1e27bfc0f0e3208ebeedb4

SHA512
43cbbd39e6f02dec5a0df026ba38953587a1c16e2a7a7e898c6ac508ff94fa127264c45ab9e3aaeadbd270666591306970d7718f03a8898bd5f2e6f83cd7f96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\comh.291602\goopdate.dll
Filesize
744KB

MD5
f38f35c16bf1aee3d289aa4ce7a4e50a

SHA1
caaacba5c6e91fc4cd34f17925e780cb810f9fd3

SHA256
893ecb00e836ab59c062b23a778b5851f75834ad3f0bbb4b4614e2744fd9d5fd

SHA512
ec32bea6eaf869ce6e2ed885d4fdc5eb969daa56c8035528547031b921c3526a629f36b08fadcf90baf3bccdb3376af8a4f8b3263fad6aedab3bbfe14bd54dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\comh.291602\goopdate.dll
Filesize
744KB

MD5
f38f35c16bf1aee3d289aa4ce7a4e50a

SHA1
caaacba5c6e91fc4cd34f17925e780cb810f9fd3

SHA256
893ecb00e836ab59c062b23a778b5851f75834ad3f0bbb4b4614e2744fd9d5fd

SHA512
ec32bea6eaf869ce6e2ed885d4fdc5eb969daa56c8035528547031b921c3526a629f36b08fadcf90baf3bccdb3376af8a4f8b3263fad6aedab3bbfe14bd54dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\comh.291602\goopdateres_en.dll
Filesize
26KB

MD5
774ab1b133da59008bd91eb7c6253224

SHA1
5e3c51eb46a11ef91b84f3ac7dbdc91a8264cce5

SHA256
24c30e11da859a8b69c5bd165402bb9ac543779d8a147eeed0c0d3128b6c096a

SHA512
ea29afa8e4d18eb969f4f57dd726978553fa221cb18f8d5b19e36b5d0b6c8a6990dd10bd2ec6510c3d127097fd37ce03eb71c13804c7de8d343fa2f19c93f075

Download Submit
C:\Users\Admin\AppData\Local\Temp\comh.291602\psuser.dll
Filesize
152KB

MD5
8d90bb3a36521b50d0e512a781e36871

SHA1
399ce73fbd27eabb303fd899656e3c66c55b3f29

SHA256
9901c1fb64c2b0c23f60b754f8d6a57a257a694ea880a7e36836c2043dde214d

SHA512
62478dab27233e1180cee87eccf3b74bd48d5b2fe022f83a03a131341621f311666397dd6fc75db72c9bda75b80ad391bb40d12141e8380d899731625978b711

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils.dll
Filesize
789KB

MD5
3fe6b8adda54874e06afa97b4125918a

SHA1
f032019744fa22a542ba190c9faae4f19fc5e61b

SHA256
c6267a88c24eb9e704ae0f631d04ea54612a374b2231c290c2230e0e7b9826e6

SHA512
02b958716e88331600f8f84f6b1a5ddf954fc59e4560643d7017b80d66218a2e8ac96021a2cb91b3c04c17286cd3d87d2d5afee6b2e988de6296c3594e1a4075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\InstallerUtils2.dll
Filesize
93KB

MD5
08996ccbcd95a8ac131c6a81a28e39fa

SHA1
96c024b47c08462361e0d275d6b24f0594952699

SHA256
681f5430bc03031c39a425ed850c651bf5c477176b9807eb0b326b3d4ee07438

SHA512
f3d352fb2ad1b53ea37271dc9a2c849b83d20058664c4d9b01840bf35c8bbf6914463b83454c61364eddbf4cea38729ad8071589c35e60bbbad49a84d47eada6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\StdUtils.dll
Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\UserInfo.dll
Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\UserInfo.dll
Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\nsisos.dll
Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C71.tmp\nsisos.dll
Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\Qxzgrp.exe
Filesize
12.4MB

MD5
09927eb59ad77c35e3826b8651d81291

SHA1
e41cbf86b735857a5f010796957fd35fafdc5b96

SHA256
98239f79135b27b1664f2facdb7e8e8c0e84e94e1a4341a2b28e68ff46904b1d

SHA512
2a80a80df44ac61d4ed0bc6fa68400942d858e4e91b4d76b4f52edb9f636fc78411976734d95f3279c0ba5d0dda69b0c32eee16505e332fea64da3f7e6e015f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\Qxzgrp.exe
Filesize
12.4MB

MD5
09927eb59ad77c35e3826b8651d81291

SHA1
e41cbf86b735857a5f010796957fd35fafdc5b96

SHA256
98239f79135b27b1664f2facdb7e8e8c0e84e94e1a4341a2b28e68ff46904b1d

SHA512
2a80a80df44ac61d4ed0bc6fa68400942d858e4e91b4d76b4f52edb9f636fc78411976734d95f3279c0ba5d0dda69b0c32eee16505e332fea64da3f7e6e015f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\StdUtils.dll
Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2E25.tmp\WrapperUtils.dll
Filesize
58KB

MD5
848346db7685b957203dc120d861e244

SHA1
46f11b5d869e8520e54478d151c31c1881a99e5c

SHA256
1d38c41b536217d4e03d0bc6bbd23c883d07c28116cc622b5c3aeb24cf8db286

SHA512
c410bf5ff5c7e65dc719737417f527a9ab8b8a88ff0c3cde81a5b4e32b6791fec66db1811afccbeaec570efd8af74f685143073441aca5422e3728d0e2e1087b

Download Submit
memory/1276-226-0x0000000000000000-mapping.dmp

Download
memory/1436-249-0x0000000000000000-mapping.dmp

Download
memory/1728-219-0x0000000000000000-mapping.dmp

Download
memory/1912-187-0x0000000003590000-0x0000000003599000-memory.dmp

Filesize
36KB

Download
memory/1912-236-0x0000000006AD0000-0x0000000006BFD000-memory.dmp

Filesize
1.2MB

Download
memory/1912-188-0x0000000003590000-0x0000000003599000-memory.dmp

Filesize
36KB

Download
memory/1912-135-0x0000000000000000-mapping.dmp

Download
memory/1912-185-0x0000000003590000-0x0000000003599000-memory.dmp

Filesize
36KB

Download
memory/1912-186-0x0000000003590000-0x0000000003599000-memory.dmp

Filesize
36KB

Download
memory/1912-154-0x0000000003590000-0x0000000003599000-memory.dmp

Filesize
36KB

Download
memory/1912-240-0x0000000006C00000-0x0000000006D2D000-memory.dmp

Filesize
1.2MB

Download
memory/1912-207-0x00000000060F0000-0x0000000006294000-memory.dmp

Filesize
1.6MB

Download
memory/1912-235-0x0000000006AD1000-0x0000000006B92000-memory.dmp

Filesize
772KB

Download
memory/1912-213-0x0000000006231000-0x00000000062F2000-memory.dmp

Filesize
772KB

Download
memory/1912-214-0x0000000006230000-0x000000000635D000-memory.dmp

Filesize
1.2MB

Download
memory/1912-231-0x00000000069A0000-0x0000000006B39000-memory.dmp

Filesize
1.6MB

Download
memory/1912-161-0x0000000004F21000-0x0000000004F24000-memory.dmp

Filesize
12KB

Download
memory/1912-220-0x0000000006360000-0x000000000648D000-memory.dmp

Filesize
1.2MB

Download
memory/1912-230-0x00000000069A1000-0x0000000006AC0000-memory.dmp

Filesize
1.1MB

Download
memory/1912-155-0x0000000003590000-0x0000000003599000-memory.dmp

Filesize
36KB

Download
memory/1996-229-0x0000000000000000-mapping.dmp

Download
memory/2260-246-0x0000000000000000-mapping.dmp

Download
memory/3152-248-0x0000000000000000-mapping.dmp

Download
memory/3216-225-0x00007FFFEB170000-0x00007FFFEBBA6000-memory.dmp

Filesize
10.2MB

Download
memory/3780-212-0x0000000000000000-mapping.dmp

Download
memory/3800-218-0x0000000000000000-mapping.dmp

Download
memory/4192-205-0x0000000000000000-mapping.dmp

Download
memory/4324-250-0x0000000000000000-mapping.dmp

Download
memory/4580-206-0x0000000000000000-mapping.dmp

Download
memory/4672-228-0x0000000000000000-mapping.dmp

Download
memory/4688-193-0x0000000000000000-mapping.dmp

Download
memory/4788-227-0x0000000000000000-mapping.dmp

Download
memory/4928-247-0x0000000000000000-mapping.dmp

Download
memory/5012-245-0x0000000000000000-mapping.dmp

Download